| Field | Value |
|---|---|
| Category | CICD-SEC-4 |
| Platform | GitLab CI |
| Severity | HIGH |
| Auto-fix | Flags script: lines that interpolate attacker-influenceable pipeline variables (CI_COMMIT_*, CI_MERGE_REQUEST_*) directly into a shell command. |
What the check does
Untrusted values such as a commit message or MR title flow straight into the shell, allowing command injection. Assign the value to a shell variable via thevariables: block and reference it quoted, rather than interpolating it inline.
Why it matters
Findings for this rule fire only on.gitlab-ci.yml and .gitlab-ci/*.yml.
It is the GitLab analog of the correspondingly-numbered GitHub Actions rule; see
the rules overview for the full
GitLab table.