Project-scoped runners should have Locked = true so they cannot be reassigned to additional projects without re-registration. An unlocked project runner can be enabled for unrelated projects from the runner's edit page, breaking the implicit trust boundary that the project owner relies on. This is especially important for runners with privileged executors (shell, docker-privileged) that should never service untrusted workloads. Reference: https://docs.gitlab.com/ee/ci/runners/configure_runners.html#prevent-runners-from-revealing-sensitive-information
1. In GitLab, navigate to the project: Settings > CI/CD > Runners.
2. Find the runner whose Locked flag is false.
3. Click Edit and check 'Lock to current projects'.
4. Save changes.

Note: this rule targets project-scoped runners; instance and group runners are evaluated by their own access policies.
{
  "target": "GLRunner",
  "if": {
    "allOf": [
      {
        "resource": "GLRunner",
        "property": "Locked",
        "operator": "equals",
        "value": true
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
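The same check can be run outside the DevOps Shield engine against runner records pulled from the GitLab REST API, and the GUI remediation steps above have an API equivalent. The script below is an added example, not DevOps Shield's or GitLab's own code. The runner records are constructed inline in the shape of GitLab's `GET /runners/:id` response (the `id`, `description`, `runner_type`, `locked` and `projects` fields come from that API); `fetch_runner_details` and `lock_request` target the real `GET`/`PUT /api/v4/runners/:id` endpoints but use a placeholder base URL and token, and the GET helper is not executed offline.

```python
"""Audit GitLab project runners for the Locked flag and build the fix request.

Added example; not code from DevOps Shield or GitLab. Mirrors the rule
"GLRunner.Locked equals true" for project-scoped runners only.
"""
import json
import urllib.request

# Constructed sample records in the shape of GET /api/v4/runners/:id.
# Runner 101 is the finding: project-scoped, unlocked, already attached to a
# second project (the trust-boundary break the rule description warns about).
RUNNERS = [
    {"id": 101, "description": "build-shell", "runner_type": "project_type",
     "locked": False,
     "projects": [{"id": 1, "path_with_namespace": "fin/payments"},
                  {"id": 7, "path_with_namespace": "lab/sandbox"}]},
    {"id": 102, "description": "docker-locked", "runner_type": "project_type",
     "locked": True,
     "projects": [{"id": 1, "path_with_namespace": "fin/payments"}]},
    # Instance runner: out of scope for this rule even though it is unlocked.
    {"id": 103, "description": "shared", "runner_type": "instance_type",
     "locked": False, "projects": []},
]


def is_compliant(runner):
    """The rule's single condition: property Locked equals true."""
    return runner.get("locked") is True


def audit_runners(runners):
    """Return one finding per project-scoped runner that is not locked.

    Instance and group runners are skipped, as the rule note states they are
    covered by their own access policies.
    """
    findings = []
    for runner in runners:
        if runner.get("runner_type") != "project_type":
            continue
        if is_compliant(runner):
            continue
        projects = runner.get("projects", [])
        findings.append({
            "runner_id": runner["id"],
            "description": runner.get("description", ""),
            "project_count": len(projects),
            "projects": [p.get("path_with_namespace", "") for p in projects],
        })
    return findings


def lock_request(base_url, token, runner_id):
    """Build the PUT /api/v4/runners/:id request that sets locked=true.

    Equivalent of ticking 'Lock to current projects' in the runner edit page.
    The request is returned, not sent, so the caller decides when to apply it.
    """
    url = f"{base_url.rstrip('/')}/api/v4/runners/{runner_id}"
    body = json.dumps({"locked": True}).encode()
    return urllib.request.Request(
        url, data=body, method="PUT",
        headers={"PRIVATE-TOKEN": token, "Content-Type": "application/json"},
    )


def fetch_runner_details(base_url, token, runner_id):
    """Live helper (not run offline): GET /api/v4/runners/:id as a dict."""
    url = f"{base_url.rstrip('/')}/api/v4/runners/{runner_id}"
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for finding in audit_runners(RUNNERS):
        print(f"runner {finding['runner_id']} ({finding['description']}) is "
              f"unlocked and serves {finding['project_count']} project(s): "
              f"{', '.join(finding['projects'])}")
        # Placeholder token/URL: supply real values to remediate.
        req = lock_request("https://gitlab.example.com",
                           "glpat-PLACEHOLDER", finding["runner_id"])
        print(f"  remediation: {req.get_method()} {req.full_url} "
              f"{req.data.decode()}")
```

Running the script offline prints the single finding for runner 101 together with the PUT request that would lock it; swap `RUNNERS` for records returned by `fetch_runner_details` to audit a live instance with a token that has runner read (and, for remediation, write) permission.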
Copyright © DevOps Shield. All Rights Reserved. v1.0.2