> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CICD-SEC-4 (GitLab) — Shell injection from pipeline variables

> Untrusted values such as a commit message or MR title flow straight into the shell, allowing command injection. Assign the value to a shell variable via the `variables:` block and reference it quoted, rather than interpolating it inline.

| Field    | Value                                                                                                                                                 |
| -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- |
| Category | `CICD-SEC-4`                                                                                                                                          |
| Platform | GitLab CI                                                                                                                                             |
| Severity | **HIGH**                                                                                                                                              |
| Auto-fix | Flags `script:` lines that interpolate attacker-influenceable pipeline variables (`CI_COMMIT_*`, `CI_MERGE_REQUEST_*`) directly into a shell command. |

## What the check does

Untrusted values such as a commit message or MR title flow straight into the shell, allowing command injection. Assign the value to a shell variable via the `variables:` block and reference it quoted, rather than interpolating it inline.

## Why it matters

Findings for this rule fire only on `.gitlab-ci.yml` and `.gitlab-ci/*.yml`.
It is the GitLab analog of the correspondingly-numbered GitHub Actions rule; see
the [rules overview](/rules/overview#gitlab-ci-workflow-checks) for the full
GitLab table.
