| Field | Value |
|---|---|
| Category | CICD-SEC-8 |
| Platform | GitLab CI |
| Severity | MEDIUM |
| Auto-fix | Flags trigger or downstream-pipeline jobs that run without constraining CI_PIPELINE_SOURCE (or equivalent rules:), so they fire on any triggering event. |
What the check does
An unfiltered trigger can be invoked from an untrusted context (a fork MR, an API call) and propagate into privileged downstream pipelines. Gate trigger jobs on an explicit allowlist of pipeline sources.Why it matters
Findings for this rule fire only on.gitlab-ci.yml and .gitlab-ci/*.yml.
It is the GitLab analog of the correspondingly-numbered GitHub Actions rule; see
the rules overview for the full
GitLab table.