Skip to main content
FieldValue
CategoryCICD-SEC-4
PlatformGitLab CI
SeverityHIGH
Auto-fixFlags script: lines that interpolate attacker-influenceable pipeline variables (CI_COMMIT_*, CI_MERGE_REQUEST_*) directly into a shell command.

What the check does

Untrusted values such as a commit message or MR title flow straight into the shell, allowing command injection. Assign the value to a shell variable via the variables: block and reference it quoted, rather than interpolating it inline.

Why it matters

Findings for this rule fire only on .gitlab-ci.yml and .gitlab-ci/*.yml. It is the GitLab analog of the correspondingly-numbered GitHub Actions rule; see the rules overview for the full GitLab table.