Components usage restriction
Problem
Since users can include components from any domain, platform administrators need a way to restrict the use of external components, either through a deny list or an allow list.
Proposed solution
This POC demonstrates how Pipeline Execution Policies can solve this issue.
Setup
Test Component: I created a validation component at https://gitlab.com/explore/catalog/furkanayhan/test-component
This component validates that only allowlisted components are used in CI configurations.
Example Policy Configuration:

Policy YAML (.gitlab/security-policies/policy.yml):

```yaml
---
experiments:
  ensure_pipeline_policy_pre_succeeds:
    enabled: true
pipeline_execution_policy:
  - name: Component allowlist
    description: Restrict usage of CI/CD components to approved sources only
    enabled: true
    pipeline_config_strategy: inject_policy
    content:
      include:
        - project: gl-demo-ultimate-fayhan/policies
          file: pep2.yml
          ref: main
    skip_ci:
      allowed: false
    variables_override:
      allowed: false
      exceptions: []
approval_policy: []
```

Policy Pipeline Configuration: https://gitlab.com/gl-demo-ultimate-fayhan/policies/-/blob/cd3291b6a44552f9b9e7d7c2964c2b5a4d068139/pep2.yml

```yaml
include:
  - component: $CI_SERVER_FQDN/furkanayhan/test-component/validate-components@0.0.2
    inputs:
      stage: .pipeline-policy-pre
      allowlist: "gitlab.com/components/*,gitlab.com/furkanayhan/*"
```

Test Project: https://gitlab.com/gl-demo-ultimate-fayhan/policy-test-project-1
This project is under the gl-demo-ultimate-fayhan group, which has the policy configured above.
Test Case 1: Allowlisted Components ✅

CI Configuration:

```yaml
include:
  - component: $CI_SERVER_FQDN/components/secret-detection/secret-detection@2.1.0
  - component: $CI_SERVER_FQDN/components/sast/sast@3.1.0
```

Results: the validation job passes and the pipeline runs.

Test Case 2: Non-Allowlisted Component ❌

CI Configuration:

```yaml
include:
  - component: $CI_SERVER_FQDN/components/secret-detection/secret-detection@2.1.0
  - component: $CI_SERVER_FQDN/components/sast/sast@3.1.0
  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@8.0.1
```

Results: the validation job fails on the `to-be-continuous/docker/gitlab-ci-docker` component and the pipeline is blocked.
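The two test cases above can be reproduced offline with the following check. This is an added, hypothetical example of the logic a job in the `.pipeline-policy-pre` stage can run; it is not the code of the `furkanayhan/test-component` project. The function names, the line-scanning parser and the sample configurations (`CASE_1`, `CASE_2`, copied from the test cases) are assumptions made here; the allowlist string is the one the POC passes as the component input.

```python
"""Component allowlist check: an added, hypothetical example of the logic
a .pipeline-policy-pre job can run. Not the furkanayhan/test-component
implementation; function names and the text-scan parser are assumptions."""
import re
import sys
from fnmatch import fnmatchcase

# Allowlist in the format the POC passes as the component input:
# comma-separated glob patterns over "<host>/<project path>/<component>".
ALLOWLIST = "gitlab.com/components/*,gitlab.com/furkanayhan/*"

# Constructed sample inputs mirroring the issue's two test cases.
CASE_1 = """\
include:
  - component: $CI_SERVER_FQDN/components/secret-detection/secret-detection@2.1.0
  - component: $CI_SERVER_FQDN/components/sast/sast@3.1.0
"""
CASE_2 = CASE_1 + "  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@8.0.1\n"

# "component: <ref>" entries, e.g. "  - component: $CI_SERVER_FQDN/components/sast/sast@3.1.0"
COMPONENT_RE = re.compile(r"^\s*-?\s*component:\s*['\"]?([^\s'\"#]+)")


def parse_component_refs(ci_yaml_text):
    """Collect component references with a line scan (no YAML library
    needed; assumes one 'component:' key per line, as in the examples)."""
    refs = []
    for line in ci_yaml_text.splitlines():
        m = COMPONENT_RE.match(line)
        if m:
            refs.append(m.group(1))
    return refs


def component_path(ref, ci_server_fqdn):
    """Normalise "<host>/<project>/<component>@<version>" to
    "<host>/<project>/<component>": expand $CI_SERVER_FQDN so patterns
    are matched against a concrete host, and drop the version so the
    allowlist does not have to enumerate releases."""
    ref = ref.replace("${CI_SERVER_FQDN}", ci_server_fqdn)
    ref = ref.replace("$CI_SERVER_FQDN", ci_server_fqdn)
    return ref.rsplit("@", 1)[0]


def check_components(refs, allowlist, ci_server_fqdn="gitlab.com"):
    """Return the references that match none of the allowlist patterns.
    fnmatchcase is deliberate: case-sensitive, and its '*' also crosses
    '/', which is what a pattern like 'gitlab.com/components/*' relies on."""
    patterns = [p.strip() for p in allowlist.split(",") if p.strip()]
    return [
        ref for ref in refs
        if not any(fnmatchcase(component_path(ref, ci_server_fqdn), p) for p in patterns)
    ]


def validate(ci_yaml_text, allowlist, ci_server_fqdn="gitlab.com"):
    """Run the check the way a pre-stage job would: return the denied
    references; an empty list means the pipeline may proceed."""
    return check_components(parse_component_refs(ci_yaml_text), allowlist, ci_server_fqdn)


if __name__ == "__main__":
    failed = False
    for name, config in (("case 1", CASE_1), ("case 2", CASE_2)):
        denied = validate(config, ALLOWLIST)
        if denied:
            failed = True
            print(f"{name}: FAIL, components not in the allowlist:")
            for ref in denied:
                print(f"  {ref}")
        else:
            print(f"{name}: OK, all components are allowlisted")
    # A real job exits non-zero on a failure so the .pipeline-policy-pre
    # stage fails and the rest of the pipeline does not run.
    sys.exit(1 if failed else 0)
```

Two points to check before relying on a check like this in a real job: it only inspects the configuration text it is handed, so a component pulled in through a nested `include:` (local, project or remote file) is invisible unless the job works from the fully merged configuration; and because `*` crosses `/`, `gitlab.com/furkanayhan/*` allows every component under that whole namespace, so patterns should be as narrow as the policy intends.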
Summary
This approach demonstrates that Pipeline Execution Policies can effectively enforce component allowlists by:
- running validation in the `.pipeline-policy-pre` stage, before any user-defined jobs
- blocking pipeline execution when non-allowlisted components are detected
- providing clear feedback about which components are not allowed

The policy YAML above is what makes the check hard to bypass: `ensure_pipeline_policy_pre_succeeds` is the experiment that gates the rest of the pipeline on the pre-stage result, `skip_ci: allowed: false` keeps `[skip ci]` from skipping the policy jobs, and `variables_override: allowed: false` keeps project or pipeline variables from overriding the policy's own.
Future work

If this solution is accepted, the component can be improved and moved to https://gitlab.com/components.