Plumber vs The Pipeline Apocalypse: Why Your CI/CD is Leaking Secrets (and How Luigi Plans to Fix It) + Video

Listen to this Post

Featured Image

Introduction:

The recent surge in software supply chain attacks, highlighted by compromises involving Trivy, the KICS GitHub Action, and LiteLLM, has exposed a brutal truth: modern CI/CD pipelines have become the perfect entry point for sophisticated adversaries. With over 29 million secrets exposed on GitHub in 2025 alone, organizations are finally realizing that mutable image tags, over-permissive CI permissions, and unchecked dependencies are not just bad practices—they are critical vulnerabilities waiting to be exploited.

Learning Objectives:

  • Understand how to audit GitLab CI/CD pipelines for security misconfigurations and mutable dependencies using the Plumber scanner.
  • Learn to implement a Pipeline Bill of Materials (PBOM) to gain visibility into your software factory components.
  • Apply practical hardening techniques including registry restrictions, branch protection rules, and secret detection to mitigate supply chain risks.

You Should Know:

  1. Auditing Your GitLab Pipeline with Plumber: Installation and Basic Scan

Plumber is an open-source compliance scanner designed to analyze GitLab CI/CD configurations and repository settings. Its primary function is to detect “concrete problems” such as mutable image tags, unapproved registries, unprotected branches, outdated templates, and missing or forbidden components. To begin using Plumber, you must first install it. While the project is evolving, the typical installation involves cloning the repository or using a binary release.

Step‑by‑step guide:

First, ensure you have Git and Go (if building from source) installed on your Linux or macOS system. For Windows users, WSL2 is recommended for compatibility with the native Go build.

 Clone the Plumber repository
git clone https://github.com/your-org/plumber.git  Replace with actual repo URL if different
cd plumber

Build the binary (assuming a standard Go project structure)
go build -o plumber ./cmd/plumber

Alternatively, if a pre-built binary is provided, download and make it executable
 wget https://github.com/your-org/plumber/releases/latest/download/plumber-linux-amd64
 chmod +x plumber-linux-amd64
 sudo mv plumber-linux-amd64 /usr/local/bin/plumber

Run a basic scan against a target GitLab repository
export GITLAB_TOKEN="your_personal_access_token_with_api_scope"
plumber scan --project "your-group/your-project" --output report.json

This command initiates an analysis of the specified project’s `.gitlab-ci.yml` and repository settings. The output, report.json, contains a detailed inventory of detected issues.

2. Decoding the Pipeline Bill of Materials (PBOM)

The concept of a PBOM is central to modern supply chain security. Just as a Software Bill of Materials (SBOM) lists the components in an application, a PBOM inventories the components of your CI/CD pipeline itself: which runners are used, which base images are pulled, what scripts are executed, and what external templates are included. Plumber generates this PBOM to provide a transparent view of your pipeline’s attack surface.

Step‑by‑step guide:

After running the scan, you can parse the generated PBOM to identify critical dependencies and configuration risks.

 Generate a detailed PBOM in a human-readable format
plumber pbom --project "your-group/your-project" --format yaml > pipeline_bom.yaml

Examine the PBOM for mutable image tags (e.g., 'latest', 'v1' without a specific hash)
cat pipeline_bom.yaml | grep -E "image:.latest|image:.:[0-9]+.[0-9]+$"

To filter for unapproved registries (e.g., Docker Hub without a corporate proxy)
cat pipeline_bom.yaml | grep "registry:" | grep -v "your-corporate-registry.com"

The output will highlight images using mutable tags. A hardened pipeline should always use immutable digests (e.g., image: alpine@sha256:abc123...) or specific, pinned version tags.

3. Hardening CI/CD: Registry Restrictions and Branch Protection

One of the most common risks identified by Plumber is the use of unapproved registries and unprotected branches. Attackers often inject malicious code by compromising a public image on Docker Hub or pushing directly to a branch without proper review. GitLab allows you to enforce restrictions through settings and configuration as code.

Step‑by‑step guide:

To mitigate these risks, implement the following configurations using the GitLab API or UI, complemented by GitLab CI/CD policies.

For Windows (using PowerShell with GitLab API):

 Set a branch protection rule for the 'main' branch using GitLab API
$token = "your_personal_access_token"
$projectId = "123"
$headers = @{ "PRIVATE-TOKEN" = $token }
$body = @{
name = "main"
push_access_level = 0  0 = No one, 40 = Maintainers, etc.
merge_access_level = 40
} | ConvertTo-Json
Invoke-RestMethod -Uri "https://gitlab.com/api/v4/projects/$projectId/protected_branches" -Method Post -Headers $headers -Body $body

For Linux (using curl):

 Restrict CI/CD jobs to only use your private registry via a CI policy
 Add this to your .gitlab-ci.yml
variables:
CI_REGISTRY_IMAGE: "your-corporate-registry.com/project/image"

To enforce registry usage at the instance level, configure the GitLab Runner's config.toml
 Ensure the runner only pulls images from allowed registries by setting the allowed_pull_policies
 Edit /etc/gitlab-runner/config.toml
 [[bash]]
 [runners.kubernetes]
 allowed_pull_policies = ["always", "if-not-present"]
 allowed_images = ["your-corporate-registry.com/"]
  1. Integrating Vulnerability Scanners (Grype & Trivy) into Plumber Workflows

A hardened pipeline must include static analysis and vulnerability scanning. The post references integration with Grype and Trivy—industry-standard tools for scanning container images and filesystems for known vulnerabilities (CVEs). Combining these with Plumber ensures that not only are your configurations compliant, but the artifacts you produce are free of critical flaws.

Step‑by‑step guide:

Create a comprehensive CI job that runs after Plumber’s compliance check. This job will scan the final built image.

 Example .gitlab-ci.yml snippet integrating Plumber, Grype, and Trivy
stages:
- compliance
- build
- scan

plumber-compliance:
stage: compliance
image: golang:latest
script:
- go install github.com/your-org/plumber@latest
- plumber scan --project "$CI_PROJECT_PATH" --output compliance-report.json
-  Fail the pipeline if critical issues are found
- plumber validate --input compliance-report.json --severity high
only:
- main

container-build:
stage: build
image: docker:latest
services:
- docker:dind
script:
- docker build -t $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA .
- docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA

trivy-scan:
stage: scan
image: aquasec/trivy:latest
script:
- trivy image --severity CRITICAL,HIGH $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA

grype-scan:
stage: scan
image: anchore/grype:latest
script:
- grype $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA

5. Secrets Detection and Remediation

The post highlights that 29 million secrets were exposed on GitHub in 2025. This statistic underscores the need for pre-commit hooks and CI/CD secret scanning. Tools like `gitleaks` or `trufflehog` can be integrated to prevent secrets from ever entering the repository.

Step‑by‑step guide:

Implement a pre-commit hook to scan for secrets locally and a CI job to enforce it.

 Install gitleaks on Linux
wget https://github.com/gitleaks/gitleaks/releases/download/v8.18.0/gitleaks_8.18.0_linux_x64.tar.gz
tar -xzf gitleaks_8.18.0_linux_x64.tar.gz
sudo mv gitleaks /usr/local/bin/

Run a scan on the current repository
gitleaks detect --source . --verbose

For Windows (using Chocolatey)
choco install gitleaks
gitleaks detect --source . --verbose

In your GitLab CI, add a job to enforce this:

secrets-scan:
stage: compliance
image: zricethezav/gitleaks:latest
script:
- gitleaks detect --source . --redact --verbose
allow_failure: false

What Undercode Say:

  • Visibility is the Foundation of Security: Generating a PBOM with Plumber transforms an opaque CI/CD process into an auditable asset. Without knowing what runs in your pipeline, you cannot protect it.
  • Policy as Code is Mandatory: Relying on manual UI configurations for branch protection and registry access leads to drift. Embedding these rules in `.gitlab-ci.yml` and version-controlling them ensures consistency and facilitates peer review.
  • Shift Left on Secrets and Vulnerabilities: The statistics on exposed secrets are a clear warning. Integrating tools like Gitleaks, Trivy, and Grype directly into the CI pipeline—and failing builds on critical findings—is no longer optional but a business necessity.

Prediction:

As supply chain attacks become more sophisticated, we will see a rapid convergence between CI/CD compliance scanners (like Plumber) and runtime security tools. The industry will likely standardize on the PBOM format, enabling automated policy enforcement across the entire software lifecycle—from code commit to production deployment. Organizations that fail to adopt these automated, policy-driven controls will face not only increased breach risks but also significant compliance and insurance penalties.

▶️ Related Video (72% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Stephanerobert1 Github – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky