| Field | Value |
|---|---|
| Category | CICD-SEC-1 |
| Platform | GitLab CI |
| Severity | HIGH |
| Auto-fix | no |
What the check does
Flags jobs that run on merge-request events (rules: if: $CI_PIPELINE_SOURCE == 'merge_request_event') and execute code from the source branch while protected CI/CD variables are available — GitLab’s pwn-request equivalent.
Why it matters
A fork or untrusted branch can propose a merge request whose pipeline runs attacker-controlled scripts with access to protected variables and the job token, enabling secret theft or supply-chain tampering. Restrict protected variables to protected branches and avoid running untrusted MR code with elevated credentials. Findings for this rule fire only on.gitlab-ci.yml and .gitlab-ci/*.yml.
It is the GitLab analog of the correspondingly-numbered GitHub Actions rule; see
the rules overview for the full
GitLab table.