Skip to main content
FieldValue
CategoryCICD-SEC-8
PlatformGitLab CI
SeverityMEDIUM
Auto-fixFlags trigger or downstream-pipeline jobs that run without constraining CI_PIPELINE_SOURCE (or equivalent rules:), so they fire on any triggering event.

What the check does

An unfiltered trigger can be invoked from an untrusted context (a fork MR, an API call) and propagate into privileged downstream pipelines. Gate trigger jobs on an explicit allowlist of pipeline sources.

Why it matters

Findings for this rule fire only on .gitlab-ci.yml and .gitlab-ci/*.yml. It is the GitLab analog of the correspondingly-numbered GitHub Actions rule; see the rules overview for the full GitLab table.