Examples¶
Sample policies for common GitLab CI/CD compliance checks. Full files are in the
repository under
examples/example-policies/security/.
Quick start¶
Compliance
cp -r examples/example-policies/security/ policies/
gitlab-compliance check -f policies/ -p .gitlab-ci.yml
Documentation
gitlab-compliance generate -i .gitlab-ci.yml --format swagger-markdown -o pipeline-reference.md
See GitLab Docs output example for sample generate output.
Policy index¶
- Image pinning: Floating
latesttags - Image Pinning
- Component pinning: Unpinned
@maincomponents - Component Pinning
- Fragment pinning: Unpinned template
ref: - Fragment Pinning
- Include versions: Invalid semver or outdated refs
- Include Versions
- Service pinning: Unversioned service images
- Service Pinning
- Execution policy: Jobs without
rules:or weak guards - Execution Policy
- Template extends: Jobs bypassing org templates
- Template Extends
- API hardening: Public logs, unmasked variables
- API Hardening
- Advanced scenarios: Scenario Outline matrices (variables, component inputs)
- Advanced scenarios
- OCI policy packs: Central policy distribution
- OCI Policy Packs
Consumption patterns¶
- Local copy: Single project, quick start
cp -r examples/example-policies/security/ policies/security/- Shared CI jobs: Reuse job templates across projects
example-ci/compliance-jobs.yml- GitHub Actions: pip or container compliance jobs
example-github-actions/include:from central repo: Versioned policy + job distribution- GitLab CI/CD
- OCI registry: Immutable policy bundles
- OCI Policy Packs
- Pipeline Execution Policy: Org-wide injection (GitLab security policies)
- Pipeline Execution Policy
Shared job templates:
.compliance:offline: YAML-only policies (image pinning, execution policy, extends).compliance:api: API hardening, strict mode.compliance:codequality: GitLab Code Quality MR report.compliance:oci: Policies from OCI registry
Rollout strategy¶
- Warn-only — run in CI with
allow_failure: true - Block — remove
allow_failureonce baselines are fixed - Central policies — version policies in a security repo or OCI registry
- Org-wide — inject compliance via Pipeline Execution Policy
See Using in CI/CD for pipeline integration.