Warn users if a CI config is included without integrity checks
Summary
The content of included CI configs (e.g. `include: group/project/.ci-config.yml`) can change unexpectedly if integrity checks are missing, because the include then follows whatever the referenced project's default branch currently contains. Performing static analysis on CI configs can identify missing integrity checks and surface this risk to users.
Problem Statement
CI config can be included with and without integrity checks, e.g.:
```yaml
# .gitlab-ci.yml
include:
  # without integrity check: follows the default branch of my-group/my-project
  - project: 'my-group/my-project'
    file: '/templates/.gitlab-ci-template.yml'
  # with integrity check: pinned to an immutable commit
  - project: 'my-group/my-project'
    ref: 787123b47f14b552955ca2786bc9542ae66fee5b # Git SHA
    file: '/templates/.gitlab-ci-template.yml'
```
Currently, GitLab projects may be vulnerable to unauthorized modifications of their CI configuration through includes from external projects. Users with write access to the included file in the external project (which, for an unpinned include, is whoever can push to its default branch) can indirectly influence the code executed in pipelines on protected branches of the including project without being a member of that project.
Proposed Solution
By performing static analysis on CI configs we can warn users if an include statement is missing an integrity check, i.e. has no `ref`, or a `ref` that is a mutable branch or tag name rather than a full commit SHA. To help the user make an informed decision about accepting the risk, we could list all the members with write permissions to the included file (e.g. if the file is included from a protected branch, list all maintainers of the project in question).
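As an added illustration of the proposed check (this is example code written for this issue, not GitLab's own CI lint), the linter below walks the parsed `include:` section of a `.gitlab-ci.yml` and reports every `project` include whose `ref` is absent or is not a full 40-hex Git SHA. It operates on the already-parsed YAML structure; loading the text is delegated to PyYAML's `yaml.safe_load`, imported lazily so the lint logic itself has no dependencies. The sample config, the `Finding` type and the function names are constructed for the example; handling of `local`, `remote` and `template` includes is deliberately out of scope here.

```python
"""Example linter: flag `include:` entries not pinned to an immutable commit SHA.

Added example for this issue, not GitLab's own validation code.
"""
import re
from dataclasses import dataclass
from typing import Optional

# A full 40-hex Git object name. Anything else in `ref` (branch, tag, abbreviated
# SHA) can be moved by whoever has write access to the included project.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    project: str
    file: str
    ref: Optional[str]
    reason: str


def _as_list(value):
    """GitLab accepts a scalar, a mapping or a list for `include:` and `file:`."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_includes(config):
    """Return one Finding per (project, file) pair that is not pinned to a SHA."""
    findings = []
    for entry in _as_list(config.get("include")):
        # Only `project:` includes carry a `ref`; local/remote/template are skipped here.
        if not isinstance(entry, dict) or "project" not in entry:
            continue
        project = entry["project"]
        ref = entry.get("ref")
        for file in _as_list(entry.get("file")):
            if ref is None:
                findings.append(Finding(project, file, None,
                                        "no ref: follows the project's default branch"))
            elif not FULL_SHA.match(str(ref)):  # str(): YAML may parse a numeric ref as int
                findings.append(Finding(project, file, str(ref),
                                        "ref is a mutable branch/tag, not a full commit SHA"))
    return findings


def lint_yaml_text(text):
    """Convenience wrapper over raw YAML text (requires PyYAML)."""
    import yaml  # imported lazily so lint_includes() works without it
    return lint_includes(yaml.safe_load(text) or {})


# Constructed sample mirroring the issue's example, plus a branch-pinned include
# with multiple files and a local include that the linter ignores.
SAMPLE_CONFIG = {
    "include": [
        {"project": "my-group/my-project",
         "file": "/templates/.gitlab-ci-template.yml"},
        {"project": "my-group/my-project",
         "ref": "787123b47f14b552955ca2786bc9542ae66fee5b",
         "file": "/templates/.gitlab-ci-template.yml"},
        {"project": "my-group/other", "ref": "main", "file": ["/a.yml", "/b.yml"]},
        "local.yml",
    ]
}

if __name__ == "__main__":
    for f in lint_includes(SAMPLE_CONFIG):
        print(f"WARN {f.project}:{f.file} (ref={f.ref}): {f.reason}")
```

Running it against the sample reports three findings: the unpinned include from the issue's example and both files of the `main`-pinned include; the SHA-pinned include and the local include produce none. Note that a tag is treated as mutable here because tags can be deleted and re-created unless the project protects them.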
Here is an example of what this data looks like for gitlab-org/gitlab: there are a number of accounts that can run code on protected branches without being a maintainer in gitlab-org/gitlab.
Analysing includes in this way could be part of our existing CI config validation logic: https://docs.gitlab.com/ee/ci/yaml/lint.html