u/Predictor_2718

▲ 10 r/gitlab

glsec - a security linter for GitLab CI/CD

I built a CLI tool called glsec that statically analyzes .gitlab-ci.yml files for security misconfigurations. Think of zizmor or actionlint, but for GitLab CI.

It catches things like:

  • Script injection via user-controlled variables (e.g. $CI_COMMIT_MESSAGE)
  • Mutable or unpinned image tags (e.g. image: node:latest)
  • Hardcoded secrets in variables
  • curl | bash in script blocks - remote code execution without integrity check

It maps findings to OWASP CI/CD Security Risks.

Still early days, but already 50 rules and growing. I'd love feedback on what you're seeing in the wild and contributions are very welcome if you want to add rules or improve coverage.

Are there other tools you use for CI/CD pipeline security that I should know about?

u/Predictor_2718 — 4 days ago
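As an added illustration of the four check categories listed in the post, here is a small Python linter over an already-parsed .gitlab-ci.yml. This is example code written for this page, not glsec's own implementation: the rule names, the OWASP CI/CD risk mapping, the list of user-controlled predefined variables, the secret-name regex and the sample pipeline are all my own illustrative choices, and the sample pipeline is constructed.

```python
"""Illustrative static linter for parsed .gitlab-ci.yml content (not glsec)."""
import re
from dataclasses import dataclass

# GitLab predefined variables whose content is controlled by whoever pushes a
# commit or opens a merge request (illustrative subset of real variable names).
USER_CONTROLLED = {
    "CI_COMMIT_MESSAGE", "CI_COMMIT_TITLE", "CI_COMMIT_DESCRIPTION",
    "CI_COMMIT_BRANCH", "CI_COMMIT_TAG", "CI_COMMIT_REF_NAME",
    "CI_COMMIT_AUTHOR", "CI_MERGE_REQUEST_TITLE",
    "CI_MERGE_REQUEST_SOURCE_BRANCH_NAME",
}
VAR_REF = re.compile(r"\$\{?([A-Z_][A-Z0-9_]*)\}?")
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z)?sh\b")
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)
SCRIPT_KEYS = ("before_script", "script", "after_script")
# Top-level keys that are pipeline configuration rather than job definitions.
RESERVED = {"stages", "variables", "default", "include", "image", "services",
            "cache", "before_script", "after_script", "workflow", "types"}


@dataclass(frozen=True)
class Finding:
    rule: str
    owasp: str   # OWASP Top 10 CI/CD Security Risks id (illustrative mapping)
    job: str
    detail: str


def _lines(value):
    """GitLab accepts script entries as a string or a (possibly nested) list."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    out = []
    for item in value:
        out.extend(_lines(item))
    return out


def check_image(job, image):
    """Flag images with no tag or the 'latest' tag; a @sha256 digest is immutable."""
    ref = image.get("name") if isinstance(image, dict) else image
    if not isinstance(ref, str) or "@sha256:" in ref:
        return []
    last = ref.rsplit("/", 1)[-1]          # ignore a registry host:port prefix
    tag = last.rsplit(":", 1)[1] if ":" in last else None
    if tag is None or tag == "latest":
        return [Finding("mutable-image-tag", "CICD-SEC-3", job,
                        f"image '{ref}' is not pinned; use a fixed tag or @sha256 digest")]
    return []


def check_variables(job, variables):
    """Flag literal values under secret-looking names; '$X' references are fine."""
    findings = []
    for name, value in (variables or {}).items():
        if isinstance(value, dict):          # long form: {value: ..., description: ...}
            value = value.get("value")
        if SECRET_NAME.search(name) and isinstance(value, str) and value and not value.startswith("$"):
            findings.append(Finding("hardcoded-secret", "CICD-SEC-6", job,
                                    f"variable '{name}' holds a literal value; move it to a CI/CD variable"))
    return findings


def check_scripts(job, block):
    """Flag user-controlled variables in commands and 'download | shell' patterns."""
    findings = []
    for key in SCRIPT_KEYS:
        for line in _lines(block.get(key)):
            for var in VAR_REF.findall(line):
                if var in USER_CONTROLLED:
                    findings.append(Finding("script-injection", "CICD-SEC-4", job,
                                            f"{key} interpolates user-controlled ${var}: {line!r}"))
            if PIPE_TO_SHELL.search(line):
                findings.append(Finding("pipe-to-shell", "CICD-SEC-9", job,
                                        f"{key} pipes a download into a shell without verifying it: {line!r}"))
    return findings


def lint_pipeline(config):
    """Run every check over the global scope, the default block and each job."""
    findings = check_variables("<global>", config.get("variables"))
    for scope, block in (("<global>", config), ("default", config.get("default") or {})):
        if "image" in block:
            findings += check_image(scope, block["image"])
        findings += check_scripts(scope, block)
    for name, job in config.items():
        if name in RESERVED or not isinstance(job, dict):
            continue
        if "image" in job:
            findings += check_image(name, job["image"])
        findings += check_variables(name, job.get("variables"))
        findings += check_scripts(name, job)
    return findings


# Constructed sample: the dict form of a risky .gitlab-ci.yml after YAML parsing.
SAMPLE_PIPELINE = {
    "stages": ["build", "deploy"],
    "variables": {"DEPLOY_TOKEN": "EXAMPLE-NOT-A-REAL-TOKEN", "APP_ENV": "prod"},
    "build": {"image": "node:latest",
              "script": ["npm ci", 'echo "Building $CI_COMMIT_MESSAGE"']},
    "deploy": {"image": "alpine@sha256:" + "0" * 64,
               "variables": {"API_KEY": "$VAULT_API_KEY"},
               "script": "curl -sSL https://example.invalid/install.sh | sh && ./deploy"},
}

if __name__ == "__main__":
    for f in lint_pipeline(SAMPLE_PIPELINE):
        print(f"[{f.owasp}] {f.rule} in {f.job}: {f.detail}")
```

Against the constructed sample this reports four findings: the hardcoded DEPLOY_TOKEN, the unpinned node:latest image, the $CI_COMMIT_MESSAGE interpolation in the build script, and the curl-to-sh line in deploy; the digest-pinned image and the $VAULT_API_KEY reference are left alone. To run it on a real file, load it with PyYAML's yaml.safe_load (an assumed dependency) and pass the resulting dict to lint_pipeline; a real tool would also need to resolve include and extends before linting.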