Skip to main content
FieldValue
CategoryCICD-SEC-1
PlatformGitLab CI
SeverityHIGH
Auto-fixno

What the check does

Flags jobs that run on merge-request events (rules: if: $CI_PIPELINE_SOURCE == 'merge_request_event') and execute code from the source branch while protected CI/CD variables are available — GitLab’s pwn-request equivalent.

Why it matters

A fork or untrusted branch can propose a merge request whose pipeline runs attacker-controlled scripts with access to protected variables and the job token, enabling secret theft or supply-chain tampering. Restrict protected variables to protected branches and avoid running untrusted MR code with elevated credentials. Findings for this rule fire only on .gitlab-ci.yml and .gitlab-ci/*.yml. It is the GitLab analog of the correspondingly-numbered GitHub Actions rule; see the rules overview for the full GitLab table.