ISSUE-601 Critical Quick Security Source
Missing security policy source on project
Control: Project must have a security policy source · Config key: projectMustHaveSecurityPolicySource
📋 What is this?
The project lacks the security policy source defined in your Policy controls, violating compliance requirements.
⚠️ Impact
Without a security policy source, the organization's security policies are not enforced on the project, so critical checks may be skipped and the project becomes non-compliant and exposed to the risks those policies are meant to cover.
🔧 How to fix
Link the project to the security policy source defined in your Policy controls so that its policies are enforced and the project returns to compliance.
✗ Before
No security policy project is linked to this GitLab project.

# GitLab project settings — ❌ No security policy source
# Secure > Security configuration > Security policy project:
# (none)
#
# The project has no linked security policy project, meaning
# no security policies are enforced on this project.

# .plumber.yaml
# projectMustHaveSecurityPolicySource:
#   enabled: true
#   sourceProject: my-org/security-policies

✓ After
The project is linked to the organization's security policy source.

# GitLab project settings — ✅ Security policy source configured
# Secure > Security configuration > Security policy project:
#
# The project is now linked to the organization's security
# policy repository, ensuring all security policies are enforced.

# .plumber.yaml
controls:
  projectMustHaveSecurityPolicySource:
    enabled: true
    sourceProject: my-org/security-policies

💡 Tips
- Create a dedicated security policy project in your organization to centralize all security policies.
- Security policy sources can be managed at the group level to apply to all projects at once.
- Check GitLab documentation for supported security policy types (scan execution, scan result, etc.).
⚙️ Configuration
This control is configured in .plumber.yaml under the key:
controls:
  projectMustHaveSecurityPolicySource:
    enabled: true

See the CLI documentation for the full configuration reference.
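The check this control performs can be expressed as a small evaluation function. The following is an added illustration, not plumber's own code: it assumes the control configuration has already been read from .plumber.yaml into a dict, and that the project's linked security policy project is supplied as its full path (or None when nothing is linked); the project record, config values and finding format are constructed for the example.

```python
"""Illustrative evaluation of projectMustHaveSecurityPolicySource (not plumber's code)."""

CONTROL_KEY = "projectMustHaveSecurityPolicySource"

# Constructed: the 'controls' section of a .plumber.yaml, already parsed.
CONTROLS = {
    CONTROL_KEY: {"enabled": True, "sourceProject": "my-org/security-policies"},
}


def evaluate_policy_source(controls, project_path, linked_policy_project):
    """Return a finding dict if the project violates the control, else None.

    controls              -- parsed 'controls' mapping from .plumber.yaml
    project_path          -- full path of the project being checked
    linked_policy_project -- full path of the security policy project linked
                             in Secure > Security configuration, or None
    """
    cfg = controls.get(CONTROL_KEY, {})
    if not cfg.get("enabled", False):
        return None  # control disabled: nothing to enforce

    expected = cfg.get("sourceProject")
    # A project with no linked policy project has no policies enforced at all.
    if linked_policy_project is None:
        reason = "no security policy project is linked"
    # A link to a different project does not satisfy the configured source.
    elif expected and linked_policy_project != expected:
        reason = f"linked to {linked_policy_project}, expected {expected}"
    else:
        return None  # compliant

    return {
        "id": "ISSUE-601",
        "control": CONTROL_KEY,
        "project": project_path,
        "expected": expected,
        "actual": linked_policy_project,
        "reason": reason,
    }


if __name__ == "__main__":
    # Constructed sample projects: one unlinked, one linked to the right source.
    for path, linked in [("my-org/api", None), ("my-org/web", "my-org/security-policies")]:
        print(path, "->", evaluate_policy_source(CONTROLS, path, linked) or "compliant")
```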