Streamline Compliance Audits with Open-Source Scanner for GitLab CI/CD Pipelines
GitLab CI/CD Pipeline Scanner Detects Compliance Gaps
As companies increasingly rely on DevOps practices, securing their continuous integration and continuous delivery (CI/CD) pipelines has become a pressing concern.
- Configuration drift from security baselines accumulates over time: container images end up pinned to mutable tags, branches lose their protection settings, and required templates disappear.
- Plumber, an open-source tool, automates the detection of these compliance gaps by scanning the pipeline configuration and the repository settings directly.
Plumber reads a project’s .gitlab-ci.yml file and queries the GitLab API to generate a comprehensive compliance report.
The tool enables eight controls that teams configure through a .plumber.yaml file in their repository:
- Flagging mutable references such as latest, dev, main, and master
- Confirming images originate from trusted sources defined in the configuration
- Verifying that branches enforce minimum access levels and block force pushes
- Checking whether pipeline jobs originate from includes or components instead of being defined directly in the CI file
- Ensuring included templates and components are up-to-date
- Verifying that version references for includes do not use mutable identifiers
- Confirming required components or templates are present
To connect to a GitLab instance, Plumber uses a personal access token with read_api and read_repository scopes, which must belong to a user with Maintainer-level access or higher on the project being scanned.
Two deployment paths are available for Plumber:
- Running as a standalone command-line binary for local testing or one-off scans
- Integrating as a GitLab CI component, which runs automatically on every pipeline execution against the default branch, tags, and open merge requests
To add Plumber as a CI component, teams need to modify their .gitlab-ci.yml file with two additional lines and configure the GITLAB_TOKEN variable in their project’s CI/CD settings.
A configurable threshold (defaulting to 100%) determines whether the job passes or fails, allowing teams to adjust the level of scrutiny over time.
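The following is an added example, not Plumber's own code, showing how three of the controls listed above (mutable image references, trusted image sources, and mutable include refs) and the pass/fail threshold can be implemented in Go over constructed references of the kind found in a .gitlab-ci.yml. The registry-detection heuristic, the rule that a version tag or a full commit SHA counts as pinned, the trusted registry registry.example.com, and the sample image and include references are all assumptions made for the example; Plumber's actual rules and .plumber.yaml schema are not shown on this page.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one compliance gap reported by a control.
type Finding struct{ Control, Subject, Reason string }

// Moving references the article lists: a target using one can change with no edit to the pipeline file.
var mutableTags = map[string]bool{"latest": true, "dev": true, "main": true, "master": true}

// Version tags and full commit SHAs are treated as pinned include refs (an assumption of this example).
var pinnedRef = regexp.MustCompile(`^(v?\d+(\.\d+){0,2}|[0-9a-f]{40})$`)

// splitImageRef breaks "host/path/name:tag@sha256:..." into registry, tag and digest-presence.
// Assumed heuristic: a leading segment containing '.' or ':' (or "localhost") is a registry host;
// otherwise the image is a Docker Hub reference.
func splitImageRef(ref string) (registry, tag string, byDigest bool) {
	if i := strings.Index(ref, "@"); i >= 0 {
		byDigest, ref = true, ref[:i]
	}
	registry = "docker.io"
	if p := strings.SplitN(ref, "/", 2); len(p) == 2 && (strings.ContainsAny(p[0], ".:") || p[0] == "localhost") {
		registry, ref = p[0], p[1]
	}
	// A tag is whatever follows the last ':' that sits after the last '/'.
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") {
		tag = ref[i+1:]
	}
	return
}

// CheckImageRef applies the mutable-reference and trusted-source controls to one image.
func CheckImageRef(ref string, trusted []string) []Finding {
	var out []Finding
	registry, tag, byDigest := splitImageRef(ref)
	switch {
	case byDigest: // a digest cannot move, whatever tag sits beside it
	case tag == "":
		out = append(out, Finding{"mutable-reference", ref, "no tag, so it resolves to latest"})
	case mutableTags[tag]:
		out = append(out, Finding{"mutable-reference", ref, "tag " + tag + " can be re-pushed"})
	}
	isTrusted := false
	for _, t := range trusted {
		isTrusted = isTrusted || registry == t
	}
	if !isTrusted {
		out = append(out, Finding{"trusted-source", ref, "registry " + registry + " is not allow-listed"})
	}
	return out
}

// CheckIncludeRef applies the mutable-identifier control to an include or component ref.
func CheckIncludeRef(project, ref string) []Finding {
	subject := project + "@" + ref
	switch {
	case ref == "":
		return []Finding{{"include-ref", subject, "no ref, so the default branch is used"}}
	case pinnedRef.MatchString(ref):
		return nil
	}
	return []Finding{{"include-ref", subject, "ref " + ref + " is a branch or moving tag"}}
}

// Score turns the number of subjects with findings into a pass percentage and
// compares it with the configured threshold (100 by default, as the article states).
func Score(checked, failing int, threshold float64) (pct float64, pass bool) {
	pct = 100
	if checked > 0 {
		pct = float64(checked-failing) / float64(checked) * 100
	}
	return pct, pct >= threshold
}

func main() {
	trusted := []string{"registry.example.com"} // constructed allow-list
	// Constructed references, as they might appear in a .gitlab-ci.yml.
	images := []string{"registry.example.com/team/build:1.4.2", "python:latest", "ghcr.io/someone/tool",
		"registry.example.com/team/test@sha256:" + strings.Repeat("a", 64)}
	includes := [][2]string{{"group/ci-templates", "main"}, {"group/ci-templates", "v2.1.0"}}
	var findings []Finding
	for _, img := range images {
		findings = append(findings, CheckImageRef(img, trusted)...)
	}
	for _, inc := range includes {
		findings = append(findings, CheckIncludeRef(inc[0], inc[1])...)
	}
	failed := map[string]bool{} // a subject with several findings still counts once
	for _, f := range findings {
		fmt.Printf("[%s] %s: %s\n", f.Control, f.Subject, f.Reason)
		failed[f.Subject] = true
	}
	pct, pass := Score(len(images)+len(includes), len(failed), 100)
	fmt.Printf("score %.1f%% pass=%v\n", pct, pass)
}
```

With the constructed input, three of the six subjects carry findings, so the score is 50% and the job fails at the default threshold of 100%; lowering the threshold is what lets a team adopt the scan before every gap is closed and then tighten it over time. Note that the digest-pinned image passes the mutable-reference control even though no tag is present, because the digest is what the runtime resolves.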
The output of Plumber appears as a colorized terminal report and can also be saved as a JSON file suitable for audit records or downstream tooling.
Plumber is written in Go and released under the Mozilla Public License 2.0, making it freely available on GitHub.