ISSUE-410 · High · Quick · Pipeline Composition

Security job weakened

Control: Security jobs must not be weakened · Config key: securityJobsMustNotBeWeakened

📋 What is this?

A security scanning job (SAST, Secret Detection, Container Scanning, Dependency Scanning, DAST, License Scanning) has been weakened by overriding its configuration in .gitlab-ci.yml. The pipeline still includes the security template but the actual scanning is neutralized.

⚠️ Impact

Weakened security jobs give a false sense of compliance. The pipeline appears to include security scanning, but the scans either never run, require manual intervention, or silently ignore failures. Maps to OWASP CICD-SEC-4 (Poisoned Pipeline Execution).

🔧 How to fix

Remove the override that weakens the security job. Security jobs should run automatically on every pipeline and block the pipeline on failure.

✗ Before: Security jobs are present but neutralized through allow_failure, a rules override, and when: manual.

# .gitlab-ci.yml — ❌ Security jobs are weakened
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml

# Weakened: failures are silently ignored
semgrep-sast:
  allow_failure: true

# Weakened: the template's rules are replaced, so the job never runs
secret_detection:
  rules:
    - when: never

# Weakened: job only runs if manually triggered
container_scanning:
  when: manual
✓ After: Security templates are included without overrides. Customization is done via variables.

# .gitlab-ci.yml — ✅ Security jobs run as intended
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml

# No local overrides — security jobs run as designed by the templates
# Customization is done through CI/CD variables:
variables:
  SAST_EXCLUDED_PATHS: "test/**"
  SECRET_DETECTION_HISTORIC_SCAN: "false"
# .plumber.yaml
# securityJobsMustNotBeWeakened:
#   enabled: true
#   securityJobPatterns:
#     - "*-sast"
#     - "secret_detection"
#     - "container_scanning"
#     - "*_dependency_scanning"
#     - "dast"
#     - "dast_*"
#     - "license_scanning"
#   allowFailureMustBeFalse:
#     enabled: false   # opt-in (GitLab templates ship with allow_failure: true)
#   rulesMustNotBeRedefined:
#     enabled: true
#   whenMustNotBeManual:
#     enabled: true

💡 Tips

  • Security jobs are identified by matching job names against securityJobPatterns (wildcards supported). Customize patterns to match your pipeline's security jobs.
  • The allowFailureMustBeFalse sub-control is off by default because GitLab templates ship with allow_failure: true. Enable it if your org wants security checks to block the pipeline.
  • rulesMustNotBeRedefined and whenMustNotBeManual are on by default since these patterns effectively disable scanning.
  • Each sub-control can be toggled independently for gradual adoption.
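The following is an added example, not plumber's own code, showing how the three sub-controls and the wildcard securityJobPatterns described above can be checked against an already-parsed .gitlab-ci.yml. It assumes the file has been loaded into a Python mapping (for instance with PyYAML's yaml.safe_load, which is not imported here); the two pipelines and the control defaults are constructed inline from the Before/After and .plumber.yaml fragments on this page. The function names (check_security_jobs, is_security_job, strict_control) and the RESERVED_KEYS set are this example's own.

```python
import copy
from fnmatch import fnmatchcase

# Constructed sample: the weakened "Before" pipeline, as yaml.safe_load would return it.
WEAKENED_PIPELINE = {
    "include": [
        {"template": "Security/SAST.gitlab-ci.yml"},
        {"template": "Security/Secret-Detection.gitlab-ci.yml"},
        {"template": "Security/Container-Scanning.gitlab-ci.yml"},
    ],
    "semgrep-sast": {"allow_failure": True},            # failures ignored
    "secret_detection": {"rules": [{"when": "never"}]},  # template rules replaced
    "container_scanning": {"when": "manual"},            # needs a click to run
}

# Constructed sample: the "After" pipeline, customised only through variables.
FIXED_PIPELINE = {
    "include": WEAKENED_PIPELINE["include"],
    "variables": {
        "SAST_EXCLUDED_PATHS": "test/**",
        "SECRET_DETECTION_HISTORIC_SCAN": "false",
    },
}

# Defaults mirroring the .plumber.yaml fragment on this page.
DEFAULT_CONTROL = {
    "enabled": True,
    "securityJobPatterns": [
        "*-sast", "secret_detection", "container_scanning",
        "*_dependency_scanning", "dast", "dast_*", "license_scanning",
    ],
    "allowFailureMustBeFalse": {"enabled": False},  # opt-in
    "rulesMustNotBeRedefined": {"enabled": True},
    "whenMustNotBeManual": {"enabled": True},
}

# Top-level GitLab CI keywords that are never job definitions (assumed list).
RESERVED_KEYS = {
    "include", "variables", "stages", "default", "workflow", "image",
    "services", "cache", "before_script", "after_script",
}


def is_security_job(name, patterns):
    """Match a job name against the wildcard patterns, case-sensitively."""
    return any(fnmatchcase(name, pattern) for pattern in patterns)


def check_security_jobs(pipeline, control=DEFAULT_CONTROL):
    """Return (job_name, sub_control) pairs for every weakened security job."""
    findings = []
    if not control.get("enabled", True):
        return findings
    patterns = control["securityJobPatterns"]
    for name, body in pipeline.items():
        # Skip reserved keywords, hidden (".name") jobs and non-mapping values.
        if name in RESERVED_KEYS or name.startswith(".") or not isinstance(body, dict):
            continue
        if not is_security_job(name, patterns):
            continue
        if control["allowFailureMustBeFalse"]["enabled"] and body.get("allow_failure") is True:
            findings.append((name, "allowFailureMustBeFalse"))
        if control["rulesMustNotBeRedefined"]["enabled"] and "rules" in body:
            findings.append((name, "rulesMustNotBeRedefined"))
        if control["whenMustNotBeManual"]["enabled"] and body.get("when") == "manual":
            findings.append((name, "whenMustNotBeManual"))
    return findings


def strict_control():
    """Copy of the defaults with the opt-in allow_failure sub-control switched on."""
    control = copy.deepcopy(DEFAULT_CONTROL)
    control["allowFailureMustBeFalse"]["enabled"] = True
    return control


if __name__ == "__main__":
    for label, pipeline, control in [
        ("defaults", WEAKENED_PIPELINE, DEFAULT_CONTROL),
        ("strict", WEAKENED_PIPELINE, strict_control()),
        ("fixed", FIXED_PIPELINE, strict_control()),
    ]:
        print(label, check_security_jobs(pipeline, control) or "no findings")
```

With the defaults, semgrep-sast is not reported because allowFailureMustBeFalse is off, exactly as the Tips describe; enabling it via strict_control() adds that finding, and the fixed pipeline produces none under either setting.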

⚙️ Configuration

This control is configured in .plumber.yaml under the key:

controls:
  securityJobsMustNotBeWeakened:
    enabled: true

See the CLI documentation for the full configuration reference.