Introduction:
Modern CI/CD pipelines have become prime targets for supply chain attacks, yet most organizations never scan their pipeline configurations for security gaps. Plumber Radar, created by the team at Plumber, is an online tool that assesses the health of your GitLab and GitHub CI/CD pipelines, providing a “Plumber Score” that reveals hidden compliance gaps and configuration drift before attackers exploit them.
Learning Objectives:
– Master the Plumber Radar online assessment to identify critical compliance gaps in your CI/CD pipelines
– Execute hands-on pipeline hardening techniques using Linux and Windows commands to remediate detected vulnerabilities
– Integrate automated compliance scanning into your DevSecOps workflow to prevent configuration drift
You Should Know:
1. Plumber Radar: Instant Pipeline Health Assessment
The LinkedIn post highlights Plumber Radar, an online tool that evaluates the security posture of your CI/CD pipelines on GitLab and GitHub. It produces a “Plumber Score” within 5–10 minutes, letting teams identify misconfigurations, mutable tags, unprotected branches, and missing security templates that accumulate over time.
Plumber Radar is based on the open-source Plumber CLI, which scans your `.gitlab-ci.yml` and repository settings via the GitLab API, running up to 14 security checks that cover common configuration errors. The online version makes this scanning accessible without a local installation.
Step-by-step guide:
1. Access the Plumber Radar online tool — Navigate to the provided URL (https://lnkd.in/eTJAh_3h) and grant necessary permissions for your GitLab or GitHub account
2. Authenticate with your CI/CD provider — The tool requires API access with `read_api` and `read_repository` scopes to analyze your pipeline configuration
3. Initiate the scan — Click the “Start Scan” button; the tool will analyze your pipeline YAML, branch protection settings, and container image configurations
4. Review your Plumber Score — Within 5–10 minutes, receive a detailed compliance report showing passed/failed controls, similar to this terminal output:
```text
Analyzing project: mygroup/my-api
Branch: main
Config: .plumber.yaml

CONTROLS
✓ containerImageMustNotUseForbiddenTags
✗ containerImageMustComeFromAuthorizedSources
  • job "build": image "node:18" is not from an authorized registry
✓ branchMustBeProtected
✗ pipelineMustNotIncludeHardcodedJobs
  • job "lint" is hardcoded and not sourced from an include or component
✗ includesMustNotUseForbiddenVersions
  • include "gitlab.com/myorg/templates/security@main" uses forbidden version "main"

SUMMARY
Controls passed: 5 / 8
Compliance score: 62%
Threshold: 100%
Status: FAILED
Report written to: plumber-report.json
```
5. Export findings — Download the JSON report for audit trails or integrate into compliance dashboards
2. Remediating Mutable Container Image Tags
One of the most common violations detected by Plumber is the use of mutable tags like `latest`, `dev`, `main`, or `master` in container images. These tags can change over time, leading to unpredictable builds and potential supply chain attacks where a malicious image replaces a legitimate one without changing the tag reference.
Step-by-step guide:
For Docker/Podman (Linux):

```bash
# List every image reference in the current directory's docker-compose.yml that uses the latest tag
grep -E "image:.*:latest" docker-compose.yml

# Replace mutable tags with immutable digests
#   Before: image: myapp:latest
#   After:  image: myapp@sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef

# Resolve the digest to pin (the RepoDigests entry is populated after a pull from a registry)
docker pull myapp:latest
docker inspect myapp:latest --format='{{index .RepoDigests 0}}'
```
For Windows PowerShell:

```powershell
# Find all mutable tags in YAML files below the current directory
Get-ChildItem -Recurse -Filter *.yml | Select-String -Pattern "image:.*:(latest|dev|main|master)"

# Extract the digest of a pulled image
docker inspect --format='{{index .RepoDigests 0}}' myapp:latest
```
Configuration in `.plumber.yaml` to enforce digest pinning:

```yaml
controls:
  containerImageMustNotUseForbiddenTags:
    enabled: true
    severity: critical
    forbidden_tags:
      - latest
      - dev
      - main
      - master
    allowed_registries:
      - docker.io/myorg
      - gcr.io/myproject
```
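The two image controls in the report above (forbidden tags, authorized registries) hinge on parsing an OCI image reference correctly: `node:18` silently means `docker.io/library/node:18`, a `:` after the last `/` is a tag but a `:` before it is a registry port, and a `@sha256:` digest is the only immutable form. The checker below is an added example, not Plumber's code; `FORBIDDEN_TAGS` and `ALLOWED_REGISTRIES` mirror the `.plumber.yaml` fragment above, and `SAMPLE_CONFIG` is a constructed stand-in for the dict that `yaml.safe_load` would return for a `.gitlab-ci.yml`.

```python
import re

# Mirrors the .plumber.yaml fragment above (constructed to match it, not read from the file)
FORBIDDEN_TAGS = {"latest", "dev", "main", "master"}
ALLOWED_REGISTRIES = ("docker.io/myorg", "gcr.io/myproject")

_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_image_ref(ref):
    """Split an OCI image reference into (registry, repository, tag, digest).

    Docker's rules: the first path component is a registry only if it contains
    '.', ':' or is 'localhost'; otherwise the registry is docker.io and a bare
    name such as 'node' lives under 'library/'.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    name, sep, last = ref.rpartition(":")
    if sep and "/" not in last:  # a ':' after the last '/' is a tag, not a port
        ref, tag = name, last
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, repo = parts[0], "/".join(parts[1:])
    else:
        registry = "docker.io"
        repo = ref if "/" in ref else "library/" + ref
    return registry, repo, tag, digest


def check_image(ref):
    """Evaluate one image against both controls; returns a list of violation strings."""
    registry, repo, tag, digest = parse_image_ref(ref)
    findings = []
    if digest is not None and not _DIGEST_RE.match(digest):
        findings.append(f'image "{ref}" has a malformed digest')
    if digest is None and (tag is None or tag in FORBIDDEN_TAGS):
        # No tag at all means 'latest' implicitly, which is just as mutable
        findings.append(f'image "{ref}" uses mutable tag "{tag or "latest"}"')
    full = f"{registry}/{repo}"
    if not any(full == p or full.startswith(p + "/") for p in ALLOWED_REGISTRIES):
        findings.append(f'image "{ref}" is not from an authorized registry')
    return findings


# Top-level keywords that are not jobs (GitLab reserved keys) and hidden ".job" templates are skipped
_RESERVED = {"stages", "image", "include", "variables", "default", "workflow",
             "services", "cache", "before_script", "after_script"}


def check_jobs(config):
    """Walk a parsed .gitlab-ci.yml dict and return {job: [violations]} for failing jobs.
    A top-level 'image' is inherited by jobs that do not set their own."""
    default_image = config.get("image")
    results = {}
    for job, spec in config.items():
        if job in _RESERVED or job.startswith(".") or not isinstance(spec, dict):
            continue
        image = spec.get("image", default_image)
        if image is None:
            continue
        if isinstance(image, dict):  # the `image: {name: ..., entrypoint: ...}` form
            image = image["name"]
        violations = check_image(image)
        if violations:
            results[job] = violations
    return results


# Constructed sample pipeline; "node:18" reproduces the finding shown in the report above
SAMPLE_CONFIG = {
    "stages": ["build", "test", "deploy"],
    "build": {"stage": "build", "image": "node:18", "script": ["npm ci"]},
    "test": {"stage": "test", "image": "docker.io/myorg/ci-runner:1.4.2", "script": ["npm test"]},
    "deploy": {"stage": "deploy", "script": ["./deploy.sh"],
               "image": "gcr.io/myproject/deployer@sha256:"
                        "5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef"},
    "lint": {"stage": "test", "image": {"name": "docker.io/myorg/linter:latest"},
             "script": ["npm run lint"]},
}

if __name__ == "__main__":
    for job, violations in check_jobs(SAMPLE_CONFIG).items():
        for v in violations:
            print(f'job "{job}": {v}')
```

Run against a real file by replacing `SAMPLE_CONFIG` with `yaml.safe_load(open(".gitlab-ci.yml"))`; the registry allowlist is matched on the normalised `registry/repository` form, so an unqualified `node:18` is rejected even though `docker.io/myorg/...` is allowed.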
3. Hardening Branch Protection and Access Controls
Plumber detects when critical branches lack proper protection settings, allowing force pushes or bypassing merge request approvals. This creates a significant supply chain risk where malicious code can be injected directly into production branches.
Step-by-step guide:
GitLab branch protection via API (Linux/macOS):

```bash
# Create the protection rule for main. 40 is GitLab's Maintainer access level;
# if a rule for main already exists, delete it first (DELETE .../protected_branches/main)
curl --request POST --header "PRIVATE-TOKEN: $GITLAB_TOKEN" \
  "https://gitlab.com/api/v4/projects/<PROJECT_ID>/protected_branches" \
  --data "name=main" \
  --data "push_access_level=40" \
  --data "merge_access_level=40" \
  --data "code_owner_approval_required=true" \
  --data "allow_force_push=false"

# Verify protection status
curl --header "PRIVATE-TOKEN: $GITLAB_TOKEN" \
  "https://gitlab.com/api/v4/projects/<PROJECT_ID>/protected_branches"
```
GitHub branch protection (using the gh CLI):

```bash
# Install GitHub CLI if not already installed
brew install gh

# Set the branch protection rule. The nested objects must be sent as a JSON body
# (--input), not as --field strings; all four top-level keys are required by this endpoint.
gh api repos/:owner/:repo/branches/main/protection --method PUT --input - <<'EOF'
{
  "required_status_checks": {"strict": true, "contexts": ["CI"]},
  "enforce_admins": true,
  "required_pull_request_reviews": {"required_approving_review_count": 2},
  "restrictions": null,
  "allow_force_pushes": false
}
EOF
```
Windows PowerShell equivalent (GitLab):

```powershell
$headers = @{ "PRIVATE-TOKEN" = $env:GITLAB_TOKEN }
# 40 = Maintainer access level
$body = @{
    name                         = "main"
    push_access_level            = 40
    merge_access_level           = 40
    code_owner_approval_required = $true
    allow_force_push             = $false
} | ConvertTo-Json
Invoke-RestMethod -Method Post -Uri "https://gitlab.com/api/v4/projects/$PROJECT_ID/protected_branches" -Headers $headers -Body $body -ContentType "application/json"
```
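Setting the rule once is not enough; the drift the article warns about is a rule quietly weakened later. The audit below is an added example (not Plumber's `branchMustBeProtected` implementation) that takes the JSON list returned by `GET /projects/:id/protected_branches` and reports every deviation from the baseline configured above. `SAMPLE_RESPONSE` is constructed to follow the documented shape of that response (`push_access_levels`, `merge_access_levels`, `allow_force_push`, `code_owner_approval_required`); the `required` branch list is an assumption.

```python
MAINTAINER = 40  # GitLab access level: 40 = Maintainer, 30 = Developer, 0 = No one


def audit_protected_branch(entry):
    """Return the settings on one protected_branches entry that fall below the baseline:
    Maintainer-only push and merge, no force push, code-owner approval required."""
    problems = []
    for key in ("push_access_levels", "merge_access_levels"):
        levels = [lvl.get("access_level") or 0 for lvl in entry.get(key, [])]
        # Any entry below Maintainer (or an empty list) lowers the effective bar
        if not levels or min(levels) < MAINTAINER:
            problems.append(f"{key}: below Maintainer ({levels or 'none'})")
    if entry.get("allow_force_push", False):
        problems.append("allow_force_push is enabled")
    if not entry.get("code_owner_approval_required", False):
        problems.append("code_owner_approval_required is disabled")
    return problems


def audit_project(protected, required=("main",)):
    """protected: the parsed JSON list from GET /projects/:id/protected_branches.
    Branches named in `required` that have no rule at all are reported as unprotected."""
    by_name = {e["name"]: e for e in protected}
    report = {}
    for name in required:
        if name not in by_name:
            report[name] = ["branch is not protected"]
    for name, entry in by_name.items():
        problems = audit_protected_branch(entry)
        if problems:
            report[name] = problems
    return report


# Constructed sample: main has drifted in three ways, release/* matches the baseline
SAMPLE_RESPONSE = [
    {"name": "main",
     "push_access_levels": [{"access_level": 40, "access_level_description": "Maintainers"}],
     "merge_access_levels": [{"access_level": 30, "access_level_description": "Developers + Maintainers"}],
     "allow_force_push": True,
     "code_owner_approval_required": False},
    {"name": "release/*",
     "push_access_levels": [{"access_level": 40}],
     "merge_access_levels": [{"access_level": 40}],
     "allow_force_push": False,
     "code_owner_approval_required": True},
]

if __name__ == "__main__":
    for branch, problems in audit_project(SAMPLE_RESPONSE, required=("main", "develop")).items():
        print(branch, "->", "; ".join(problems))
```

In a scheduled job, fetch the list with the `curl --header "PRIVATE-TOKEN: ..."` call above, feed it through `json.load`, and fail the job when `audit_project` returns anything, which turns a one-time setup into the continuous check the article argues for.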
4. Eliminating Hardcoded Secrets and CI/CD Token Exposure
Exposed CI/CD tokens account for 32% of all secrets leaked in public repositories, with a median 94-day window before remediation. Plumber detects hardcoded variables and unsafe variable expansion patterns that could leak sensitive credentials.
Step-by-step guide:
Implement secret scanning with Trivy in your CI/CD pipeline:
Create a `.gitlab-ci.yml` stage for secret detection:

```yaml
stages:
  - security-scan

secret-scan:
  stage: security-scan
  script:
    # Install trivy
    - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
    # Scan the working tree for secrets and misconfigurations (`trivy config` alone covers only misconfigurations)
    - trivy fs --scanners secret,misconfig --severity HIGH,CRITICAL --exit-code 1 .
  only:
    - merge_requests
    - main
```
Linux commands to scan Git history for leaked secrets:

```bash
# Use truffleHog to scan the entire Git history (install it from the project's releases first)
git clone https://github.com/trufflesecurity/truffleHog.git
trufflehog git file://$(pwd) --json --only-verified > secrets_findings.json

# Search for common token patterns in pipeline files
grep -rE "(glpat-|github_pat_|AKIA[0-9A-Z]{16})" .gitlab-ci.yml .github/workflows/
```
Windows PowerShell secret detection:

```powershell
# Search for GitLab personal access tokens in the repository's pipeline files
Select-String -Path ".\.gitlab-ci.yml", ".\.github\workflows\*.yml" -Pattern "glpat-[a-zA-Z0-9_-]{20,}"

# Scan every YAML file below the current directory for AWS access key IDs
Get-ChildItem -Recurse -Filter *.yml | Select-String -Pattern "AKIA[0-9A-Z]{16}"
```
Configure GitLab masked variables (always use these instead of hardcoded values):
Go to Settings → CI/CD → Variables → Add Variable → Check “Mask variable” to prevent exposure in job logs.
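The grep and Select-String commands above find token prefixes but print the whole match into the terminal or job log, which is itself a leak. The scanner below is an added example, not Plumber's or truffleHog's code: it applies the same three prefixes to pipeline text, adds a check for `echo` of a secret-looking variable (the unsafe expansion pattern the section mentions), and reports only a redacted fragment of each match. `SAMPLE_PIPELINE` is a constructed `.gitlab-ci.yml` with fake token values; the regexes for token length and the secret-variable name suffixes are assumptions.

```python
import re
import sys

# Same prefixes as the grep/Select-String commands above; lengths are assumed shapes
TOKEN_PATTERNS = {
    "gitlab_pat": re.compile(r"glpat-[A-Za-z0-9_-]{20,}"),
    "github_fine_grained_pat": re.compile(r"github_pat_[A-Za-z0-9_]{22,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# A script line that echoes a secret-looking variable writes its value into the job log
ECHOED_SECRET = re.compile(r"\becho\b.*\$\{?[A-Za-z0-9_]*(?:TOKEN|SECRET|PASSWORD|KEY)\b")


def redact(secret):
    """Keep just enough of a match to locate it; a finding must never re-leak the value."""
    return secret[:6] + "..." + secret[-4:] if len(secret) > 12 else "..."


def scan_text(text, source="<string>"):
    """Return findings as dicts: file, line, kind, evidence (redacted value or offending line)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in TOKEN_PATTERNS.items():
            for m in pat.finditer(line):
                findings.append({"file": source, "line": lineno, "kind": kind,
                                 "evidence": redact(m.group(0))})
        if ECHOED_SECRET.search(line):
            findings.append({"file": source, "line": lineno, "kind": "echoed_secret_variable",
                             "evidence": line.strip()})
    return findings


def scan_paths(paths):
    """Scan files on disk (e.g. .gitlab-ci.yml and .github/workflows/*.yml)."""
    out = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            out.extend(scan_text(fh.read(), path))
    return out


# Constructed sample; the token values are fake and only match the shapes above
SAMPLE_PIPELINE = """\
variables:
  DEPLOY_TOKEN: "glpat-EXAMPLEEXAMPLEEXAMPLE0"   # constructed, not a real token
deploy:
  script:
    - export AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE12
    - echo "using $DEPLOY_TOKEN"
    - ./deploy.sh --token "$DEPLOY_TOKEN"
"""

if __name__ == "__main__":
    findings = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_PIPELINE, ".gitlab-ci.yml")
    for f in findings:
        print(f"{f['file']}:{f['line']}: {f['kind']}: {f['evidence']}")
    sys.exit(1 if findings else 0)  # non-zero exit fails the pipeline stage
```

Drop it into the `secret-scan` job as an extra script line (`python3 scan_secrets.py .gitlab-ci.yml .github/workflows/*.yml`); the non-zero exit blocks the merge request while the log shows only `glpat-...PLE0`, never the full credential.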
5. Validating Include and Component Integrity
Plumber detects when pipelines use mutable include references (e.g., `@main`, `@latest`) or skip required templates entirely, creating vulnerabilities where upstream changes can silently compromise your pipeline.
Step-by-step guide:
Pin includes to a specific commit SHA (most secure):

```yaml
# Instead of:
include:
  - project: 'myorg/security-templates'
    ref: main
    file: '/sast.yml'

# Use a pinned commit SHA (the full 40-character hex SHA of the template commit):
include:
  - project: 'myorg/security-templates'
    ref: <40-character-commit-sha>
    file: '/sast.yml'
```
Automated script to pin all includes (Linux/bash):

```bash
#!/bin/bash
# Pin every `include:` entry in .gitlab-ci.yml to a commit SHA.
# Assumes each include is written on one line, e.g.
#   - { project: 'myorg/security-templates', ref: main, file: '/sast.yml' }
grep -E "^ *- .*project:.*ref:" .gitlab-ci.yml | while read -r line; do
  PROJECT=$(echo "$line" | sed -n "s/.*project: '\([^']*\)'.*/\1/p")
  REF=$(echo "$line" | sed -n 's/.*ref: \([^ ,}]*\).*/\1/p')
  # Skip references that are already a full 40-character commit SHA
  if [[ ! $REF =~ ^[0-9a-f]{40}$ ]]; then
    SHA=$(git ls-remote "https://gitlab.com/$PROJECT.git" "$REF" | head -n1 | cut -f1)
    if [[ -z $SHA ]]; then
      echo "Could not resolve $PROJECT@$REF" >&2
      continue
    fi
    echo "Pin $PROJECT@$REF to $SHA"
    # Update the YAML with the resolved SHA
    sed -i "s/ref: $REF/ref: $SHA/g" .gitlab-ci.yml
  fi
done
```
Enforce include integrity using `.plumber.yaml`:

```yaml
controls:
  includesMustNotUseForbiddenVersions:
    enabled: true
    severity: high
    forbidden_versions:
      - latest
      - main
      - master
      - HEAD
      - dev
  includesMustBeUpToDate:
    enabled: true
    max_age_days: 30
```
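The include control has more shapes to handle than the bash script above: project includes carry a `ref`, CI/CD components carry their version after `@`, and a project include with no `ref` at all follows the default branch, which is as mutable as `@main`. The checker below is an added example, not Plumber's implementation; `FORBIDDEN_VERSIONS` mirrors the `.plumber.yaml` fragment above, `summarize` reproduces the scoring shown in the section 1 report (5 of 8 controls gives 62%, truncated, and a 100% threshold), and `SAMPLE_CONFIG` with its placeholder SHA is constructed.

```python
import re

# Mirrors the .plumber.yaml fragment above (constructed to match it)
FORBIDDEN_VERSIONS = {"latest", "main", "master", "HEAD", "dev"}
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def include_ref(entry):
    """Return (description, version) for one entry of a GitLab `include:` list.
    Covers project includes (ref:), components (name@version), remote URLs,
    GitLab-provided templates and bare local paths."""
    if isinstance(entry, str):  # local path such as '.ci/base.yml'
        return entry, None
    if "project" in entry:
        return f"{entry['project']}:{entry.get('file')}", entry.get("ref")
    if "component" in entry:
        _name, sep, version = entry["component"].partition("@")
        return entry["component"], (version if sep else None)
    if "remote" in entry:
        return entry["remote"], None
    if "template" in entry:
        return f"template:{entry['template']}", None
    return str(entry), None


def check_includes(config):
    """includesMustNotUseForbiddenVersions over a parsed .gitlab-ci.yml dict.
    Project includes and components must carry a version outside FORBIDDEN_VERSIONS;
    a project include with no ref follows the default branch and is reported too."""
    violations = []
    includes = config.get("include", [])
    if isinstance(includes, (str, dict)):  # GitLab accepts a single entry without a list
        includes = [includes]
    for entry in includes:
        if not isinstance(entry, dict) or not ("project" in entry or "component" in entry):
            continue  # local, remote and template includes carry no version to check
        desc, version = include_ref(entry)
        if version is None:
            violations.append(f'include "{desc}" has no ref or version (follows the default branch)')
        elif version in FORBIDDEN_VERSIONS:
            violations.append(f'include "{desc}" uses forbidden version "{version}"')
        # A tag such as 1.4.2 passes this control, though only a SHA_RE match is truly immutable
    return violations


def summarize(control_results, threshold=100):
    """Aggregate per-control booleans the way the report above does (score is truncated)."""
    passed = sum(1 for ok in control_results.values() if ok)
    total = len(control_results)
    score = (100 * passed) // total if total else 0
    return {"passed": passed, "total": total, "score": score,
            "status": "PASSED" if score >= threshold else "FAILED"}


PINNED_SHA = "0123456789abcdef0123456789abcdef01234567"  # constructed placeholder, not a real commit
SAMPLE_CONFIG = {  # constructed sample pipeline
    "include": [
        {"project": "myorg/security-templates", "ref": "main", "file": "/sast.yml"},
        {"project": "myorg/security-templates", "ref": PINNED_SHA, "file": "/sast.yml"},
        {"component": "gitlab.com/myorg/templates/security@main"},
        {"component": "gitlab.com/myorg/templates/lint@1.4.2"},
        {"project": "myorg/ci-common", "file": "/base.yml"},
        {"template": "Jobs/SAST.gitlab-ci.yml"},
        ".ci/local.yml",
    ],
}

if __name__ == "__main__":
    violations = check_includes(SAMPLE_CONFIG)
    for v in violations:
        print("  •", v)
    result = summarize({"includesMustNotUseForbiddenVersions": not violations})
    print(f"Controls passed: {result['passed']} / {result['total']}  Score: {result['score']}%  {result['status']}")
```

Feed `summarize` the outcome of every control you run (image tags, registries, branch protection, includes) and gate the merge request on `status`; because the score truncates, a single failing control out of eight already drops it to 87%, so a 100% threshold is the only setting that makes every control blocking.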
What Undercode Say:
– Pipeline Bill of Materials (PBOM) changes the game — Plumber’s ability to export a CycloneDX SBOM specifically for CI/CD creates unprecedented visibility into every container image, component, and remote template your pipeline touches. This makes supply chain auditing not just possible but automated.
– Configuration drift kills trust — The silent accumulation of security baseline drift in CI/CD pipelines is more dangerous than any single vulnerability because it erodes trust gradually. Plumber’s continuous scanning catches the moment a branch protection disappears or an image tag becomes mutable.
– Shift-left compliance wins — The 14 controls embedded in Plumber represent exactly the kind of low-friction, high-impact scanning that belongs in every merge request. When compliance checks run automatically on every push, teams can’t bypass them, and security becomes invisible instead of adversarial.
Prediction:
– +1 Enterprise adoption of PBOM scanning will become mandatory for SOC2 Type II and ISO 27001:2025 compliance by late 2026, with auditors requiring pipeline material inventories alongside SBOMs
– +1 CI/CD configuration as code will merge with policy as code, where `.plumber.yaml` files serve as single sources of truth across hundreds of repositories, enforced by central GitOps workflows
– -1 Organizations failing to implement automated pipeline compliance scanning will suffer a major supply chain breach in 2026–2027, with attackers targeting unprotected mutable tags and unprotected branches as primary vectors
– +1 GitHub Actions support in Plumber expands the tool’s reach to over 100 million repositories, making enterprise-grade pipeline security accessible to startups and solo developers at zero cost
– -1 The median 94-day window for CI/CD secret remediation will persist through 2026 unless organizations mandate vault-backed, short-lived tokens instead of static personal access tokens
IT/Security Reporter URL:
Reported By: [Laurent Minne](https://www.linkedin.com/posts/laurent-minne_security-cybersecurity-opensource-share-7469281006643089408-l0SF/) – Hackers Feeds