> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# BEST-PRAC-3 (GitLab) — Job targets a self-hosted runner

> Self-hosted runners broaden the trust boundary: a compromised job can pivot into your infrastructure. It's an informational hardening signal — ensure such runners are isolated, ephemeral, and not exposed to untrusted pipelines.

| Field    | Value                                                                                              |
| -------- | -------------------------------------------------------------------------------------------------- |
| Category | `BEST-PRAC-3`                                                                                      |
| Platform | GitLab CI                                                                                          |
| Severity | **LOW**                                                                                            |
| Auto-fix | Flags jobs whose `tags:` route them to a non-SaaS-shared (self-hosted or project-specific) runner. |

## What the check does

Self-hosted runners broaden the trust boundary: a compromised job can pivot into your infrastructure. It's an informational hardening signal — ensure such runners are isolated, ephemeral, and not exposed to untrusted pipelines.

## Why it matters

Findings for this rule fire only on `.gitlab-ci.yml` and `.gitlab-ci/*.yml`.
It is the GitLab analog of the correspondingly-numbered GitHub Actions rule; see
the [rules overview](/rules/overview#gitlab-ci-workflow-checks) for the full
GitLab table.
