> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CICD-SEC-8 (GitLab) — Trigger/pipeline job without source filtering

> An unfiltered trigger can be invoked from an untrusted context (a fork MR, an API call) and propagate into privileged downstream pipelines. Gate trigger jobs on an explicit allowlist of pipeline sources.

| Field    | Value                                                                                                                                                        |
| -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Category | `CICD-SEC-8`                                                                                                                                                 |
| Platform | GitLab CI                                                                                                                                                    |
| Severity | **MEDIUM**                                                                                                                                                   |
| Auto-fix | Flags trigger or downstream-pipeline jobs that run without constraining `CI_PIPELINE_SOURCE` (or equivalent `rules:`), so they fire on any triggering event. |

## What the check does

An unfiltered trigger can be invoked from an untrusted context (a fork MR, an API call) and propagate into privileged downstream pipelines. Gate trigger jobs on an explicit allowlist of pipeline sources.

## Why it matters

Findings for this rule fire only on `.gitlab-ci.yml` and `.gitlab-ci/*.yml`.
It is the GitLab analog of the correspondingly-numbered GitHub Actions rule; see
the [rules overview](/rules/overview#gitlab-ci-workflow-checks) for the full
GitLab table.
