> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CICD-SEC-1 (GitLab) — Pipeline runs untrusted merge-request code with protected secrets

> Flags jobs that run on merge-request events (`rules: if: $CI_PIPELINE_SOURCE == 'merge_request_event'`) and execute code from the source branch while protected CI/CD variables are available — GitLab's pwn-request equivalent.

| Field    | Value        |
| -------- | ------------ |
| Category | `CICD-SEC-1` |
| Platform | GitLab CI    |
| Severity | **HIGH**     |
| Auto-fix | no           |

## What the check does

Flags jobs that run on merge-request events (`rules: if: $CI_PIPELINE_SOURCE == 'merge_request_event'`) and execute code from the source branch while protected CI/CD variables are available — GitLab's pwn-request equivalent.

## Why it matters

A fork or untrusted branch can propose a merge request whose pipeline runs attacker-controlled scripts with access to protected variables and the job token, enabling secret theft or supply-chain tampering. Restrict protected variables to protected branches and avoid running untrusted MR code with elevated credentials.

Findings for this rule fire only on `.gitlab-ci.yml` and `.gitlab-ci/*.yml`.
It is the GitLab analog of the correspondingly-numbered GitHub Actions rule; see
the [rules overview](/rules/overview#gitlab-ci-workflow-checks) for the full
GitLab table.
