> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CICD-SEC-3 (GitLab) — Unpinned remote include

> A remote include resolved by a mutable ref can be rewritten upstream to inject malicious pipeline configuration — the GitLab analog of an unpinned action. Pin `include:` to a commit SHA (`ref: <sha>`).

| Field    | Value                                                                                                                          |
| -------- | ------------------------------------------------------------------------------------------------------------------------------ |
| Category | `CICD-SEC-3`                                                                                                                   |
| Platform | GitLab CI                                                                                                                      |
| Severity | **MEDIUM**                                                                                                                     |
| Auto-fix | Flags `include:` entries that reference a remote project or file by a mutable ref (branch/tag) instead of a pinned commit SHA. |

## What the check does

A remote include resolved by a mutable ref can be rewritten upstream to inject malicious pipeline configuration — the GitLab analog of an unpinned action. Pin `include:` to a commit SHA (`ref: <sha>`).

## Why it matters

Findings for this rule fire only on `.gitlab-ci.yml` and `.gitlab-ci/*.yml`.
It is the GitLab analog of the correspondingly-numbered GitHub Actions rule; see
the [rules overview](/rules/overview#gitlab-ci-workflow-checks) for the full
GitLab table.
