Plumber - Open-source Scanner for GitLab CI/CD Compliance
Basically, Plumber helps check if your GitLab setup follows security rules.
Plumber is an open-source tool that checks GitLab CI/CD pipelines for compliance gaps. It helps teams ensure their configurations meet security standards. By automating these checks, organizations can maintain security integrity and reduce risks.
What It Does
Plumber is an open-source tool designed to enhance security compliance in GitLab CI/CD pipelines. Over time, these pipelines can drift from established security baselines due to various configuration decisions. This can lead to vulnerabilities, such as using mutable tags for container images or losing branch protection settings. Plumber addresses these issues by scanning the pipeline configurations and repository settings directly, ensuring that teams maintain compliance with security standards.
The tool reads a project’s .gitlab-ci.yml file and queries the GitLab API to generate a compliance report. It features eight configurable controls that teams can enable or disable through a .plumber.yaml file in their repository. These controls cover critical aspects like container image tags, registries, and branch protection, helping teams spot potential security gaps before they become problems.
Key Features
Plumber operates in two primary modes: as a standalone command-line binary or as a GitLab CI component integrated directly into the pipeline. The command-line interface (CLI) is suitable for local testing or one-off scans, while the CI component runs automatically with each pipeline execution. This integration allows for continuous monitoring and compliance checks against the default branch, tags, and open merge requests.
To set up Plumber as a CI component, users need to add just two lines to their .gitlab-ci.yml file and configure a GITLAB_TOKEN variable in the project’s CI/CD settings. The tool also allows teams to set a configurable threshold for compliance, which can be adjusted as they refine their security practices over time.
Installation and Availability
Plumber is developed in Go and is released under the Mozilla Public License 2.0. It is available for various operating systems, including Linux, macOS, and Windows. Installation options include Homebrew, Mise, direct binary downloads, and Docker. Organizations can also build Plumber from source if they prefer.
For teams using self-hosted GitLab instances, Plumber can be imported into their infrastructure and utilized as a CI/CD catalog resource. This flexibility makes it a valuable addition to any security toolkit, especially for teams looking to automate compliance checks and maintain security integrity.
Why It Matters
In today’s fast-paced development environments, maintaining security compliance can be challenging. Tools like Plumber help bridge the gap by providing automated checks and reports, ensuring that security standards are met consistently. By integrating such tools into their workflows, organizations can reduce the risk of security incidents stemming from configuration drift and maintain a robust security posture in their CI/CD processes.