| Field | Value |
|---|---|
| Category | BEST-PRAC-3 |
| Platform | GitLab CI |
| Severity | LOW |
| Auto-fix | Flags jobs whose tags: route them to a non-SaaS-shared (self-hosted or project-specific) runner. |
What the check does
Self-hosted runners broaden the trust boundary: a compromised job can pivot into your infrastructure. It’s an informational hardening signal — ensure such runners are isolated, ephemeral, and not exposed to untrusted pipelines.Why it matters
Findings for this rule fire only on.gitlab-ci.yml and .gitlab-ci/*.yml.
It is the GitLab analog of the correspondingly-numbered GitHub Actions rule; see
the rules overview for the full
GitLab table.