Components usage restriction


Problem

Since users can include components from any domain, we need to allow administrators of the platform to restrict the usage of external components, either through a deny list or an allow list.

Proposed solution

This POC demonstrates how Pipeline Execution Policies can solve this issue.

Setup

Test Component: I created a validation component at https://gitlab.com/explore/catalog/furkanayhan/test-component

This component validates that only allowlisted components are used in CI configurations.

Example Policy Configuration:

[Screenshot of the policy configuration in the UI: Screenshot_2025-10-23_at_14.50.58]

Policy YAML (.gitlab/security-policies/policy.yml)
---
experiments:
  ensure_pipeline_policy_pre_succeeds:
    enabled: true

pipeline_execution_policy:
- name: Component allowlist
  description: Restrict usage of CI/CD components to approved sources only
  enabled: true
  pipeline_config_strategy: inject_policy
  content:
    include:
    - project: gl-demo-ultimate-fayhan/policies
      file: pep2.yml
      ref: main
  skip_ci:
    allowed: false
  variables_override:
    allowed: false
    exceptions: []
approval_policy: []

Policy Pipeline Configuration: https://gitlab.com/gl-demo-ultimate-fayhan/policies/-/blob/cd3291b6a44552f9b9e7d7c2964c2b5a4d068139/pep2.yml

include:
  - component: $CI_SERVER_FQDN/furkanayhan/test-component/validate-components@0.0.2
    inputs:
      stage: .pipeline-policy-pre
      allowlist: "gitlab.com/components/*,gitlab.com/furkanayhan/*"

Test Project: https://gitlab.com/gl-demo-ultimate-fayhan/policy-test-project-1

This project is under the gl-demo-ultimate-fayhan group, which has the policy configured above.


Test Case 1: Allowlisted Components

CI Configuration:

include:
  - component: $CI_SERVER_FQDN/components/secret-detection/secret-detection@2.1.0
  - component: $CI_SERVER_FQDN/components/sast/sast@3.1.0

Results:

[Screenshots of the passing pipeline: Screenshot_2025-10-23_at_14.42.40, Screenshot_2025-10-23_at_14.42.28]


Test Case 2: Non-Allowlisted Component

CI Configuration:

include:
  - component: $CI_SERVER_FQDN/components/secret-detection/secret-detection@2.1.0
  - component: $CI_SERVER_FQDN/components/sast/sast@3.1.0
  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@8.0.1

Results:

[Screenshots of the blocked pipeline and the validation job output: Screenshot_2025-10-23_at_14.55.22, Screenshot_2025-10-23_at_14.55.39]


Summary

This approach demonstrates that Pipeline Execution Policies can effectively enforce component allowlists by:

  • Running validation in the .pipeline-policy-pre stage before any user-defined jobs
  • Blocking pipeline execution when non-allowlisted components are detected
  • Providing clear feedback about which components are not allowed
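To make the allowlist check concrete, here is an added example (not the test component's own code, which lives in the linked project) that performs the same validation over the two CI configurations from the test cases above. It assumes the component input format shown on the page (a comma-separated list of glob patterns), that `$CI_SERVER_FQDN` resolves to `gitlab.com`, and that the `@version` suffix is stripped before matching; the sample CI configurations are embedded inline as constructed input.

```python
import fnmatch
import re
import sys
from typing import List, Tuple

# Constructed sample inputs: the CI configurations of Test Case 1 and Test Case 2.
CI_CONFIG_ALLOWED = """\
include:
  - component: $CI_SERVER_FQDN/components/secret-detection/secret-detection@2.1.0
  - component: $CI_SERVER_FQDN/components/sast/sast@3.1.0
"""

CI_CONFIG_DENIED = """\
include:
  - component: $CI_SERVER_FQDN/components/secret-detection/secret-detection@2.1.0
  - component: $CI_SERVER_FQDN/components/sast/sast@3.1.0
  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@8.0.1
"""

# Allowlist in the same comma-separated glob form as the component input on the page.
ALLOWLIST = "gitlab.com/components/*,gitlab.com/furkanayhan/*"
# Assumed value of $CI_SERVER_FQDN for the instance the policy runs on.
SERVER_FQDN = "gitlab.com"

# Matches one `- component: <ref>` list item; a quoted value is accepted too.
COMPONENT_RE = re.compile(r"""^\s*-\s*component:\s*['"]?([^'"\s]+)['"]?\s*$""")


def extract_components(ci_yaml: str) -> List[str]:
    """Collect component references from `include:` entries (line-based: one reference per line)."""
    refs = []
    for line in ci_yaml.splitlines():
        match = COMPONENT_RE.match(line)
        if match:
            refs.append(match.group(1))
    return refs


def normalize(ref: str, server_fqdn: str) -> str:
    """Resolve $CI_SERVER_FQDN and drop the @version suffix so patterns match the project path."""
    resolved = ref.replace("${CI_SERVER_FQDN}", server_fqdn).replace("$CI_SERVER_FQDN", server_fqdn)
    return resolved.rsplit("@", 1)[0]


def is_allowed(ref: str, allowlist: str, server_fqdn: str) -> bool:
    """True if the reference matches at least one allowlist glob (fnmatch's `*` also spans `/`)."""
    path = normalize(ref, server_fqdn)
    patterns = [p.strip() for p in allowlist.split(",") if p.strip()]
    return any(fnmatch.fnmatchcase(path, pattern) for pattern in patterns)


def validate(ci_yaml: str, allowlist: str, server_fqdn: str = SERVER_FQDN) -> Tuple[List[str], List[str]]:
    """Split the included components into (allowed, denied) lists, preserving include order."""
    allowed, denied = [], []
    for ref in extract_components(ci_yaml):
        (allowed if is_allowed(ref, allowlist, server_fqdn) else denied).append(ref)
    return allowed, denied


if __name__ == "__main__":
    # Behaves like the validation job: report every denied component and fail the job if any exist.
    failed = False
    for label, config in (("Test Case 1", CI_CONFIG_ALLOWED), ("Test Case 2", CI_CONFIG_DENIED)):
        allowed, denied = validate(config, ALLOWLIST)
        print(f"{label}: {len(allowed)} allowed, {len(denied)} denied")
        for ref in denied:
            print(f"  NOT ALLOWED: {ref}")
        failed = failed or bool(denied)
    sys.exit(1 if failed else 0)
```

Run in the `.pipeline-policy-pre` stage, a non-zero exit from such a job is what blocks the user-defined jobs that follow. Two caveats for a production version: the line-based extractor only sees components listed directly in the file it is given, so the job should inspect the merged configuration rather than the raw `.gitlab-ci.yml` to catch components pulled in through nested includes; and a deny list is the mirror image of this check (fail when any pattern matches instead of when none does).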

Future work

If this is an accepted solution, we can improve the component and move it to https://gitlab.com/components.
