GitLab CI/CD Pipeline Script Security
Reference: https://about.gitlab.com/blog/2019/06/20/announcing-gitlab-devsecops/
How can/does the GitLab CI/CD product ensure that the pipeline script (https://docs.gitlab.com/ee/ci/yaml/README.html#script) cannot be used as a security breach to execute anything on the (runner's) shell? Is there a traceable and controllable whitelisting script (or other) policy control mechanism available for auditable compliance in the case of pipeline use in heavily regulated, security-first-mindset industries?
Edited by Firmsoil Soil