GitLab organization | Severity: medium | builtIn

Description

Runners should set RunUntagged = false so that only jobs whose tags match the runner's tag list are dispatched. Allowing a runner to pick up untagged jobs lets any pipeline use it, defeating the workload-isolation strategy that tags are designed to enforce (e.g., separating production deployment runners from build runners). Reference: https://docs.gitlab.com/ee/ci/runners/configure_runners.html#use-tags-to-control-which-jobs-a-runner-can-run

Recommendation

1. In GitLab, navigate to the runner scope and locate the runner whose RunUntagged flag is true.
2. Click Edit and uncheck 'Run untagged jobs'.
3. Add explicit tags that describe the runner's permitted workloads (e.g., 'docker', 'production-deploy').
4. Update job definitions in .gitlab-ci.yml to include matching tags via the 'tags:' keyword.

Policy Rule

{
  "target": "GLRunner",
  "if": {
    "allOf": [
      {
        "resource": "GLRunner",
        "property": "RunUntagged",
        "operator": "equals",
        "value": false
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
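Added example (not part of this page or of GitLab's own tooling): a small evaluator that applies the policy rule above to runner records shaped like the GitLab Runners API response (GET /runners/:id, whose "run_untagged" and "tag_list" fields are real). It assumes the rule's "if" block states the condition a compliant runner must satisfy, so runners that fail it are reported with the rule's effect; the PROPERTY_TO_FIELD mapping and the sample records are constructed for illustration.

```python
import json

# The policy rule from this page, embedded so the script runs offline.
POLICY = json.loads("""
{ "target": "GLRunner",
  "if": {"allOf": [{"resource": "GLRunner", "property": "RunUntagged",
                    "operator": "equals", "value": false}]},
  "then": {"effect": "Audit"} }
""")

# Hypothetical mapping from policy property names to Runners API field names.
PROPERTY_TO_FIELD = {"RunUntagged": "run_untagged", "TagList": "tag_list"}

def condition_holds(cond, runner):
    """Evaluate one condition; only the 'equals' operator is supported."""
    field = PROPERTY_TO_FIELD[cond["property"]]
    if cond["operator"] != "equals":
        raise ValueError(f"unsupported operator {cond['operator']!r}")
    return runner.get(field) == cond["value"]

def evaluate(policy, runners):
    """Return [(runner_id, effect, reason)] for runners that fail the rule."""
    findings = []
    for r in runners:
        failed = [c for c in policy["if"]["allOf"] if not condition_holds(c, r)]
        if failed:
            reason = "; ".join(f"{c['property']} != {c['value']}" for c in failed)
            findings.append((r["id"], policy["then"]["effect"], reason))
        elif not r.get("tag_list"):
            # Untagged jobs are refused, but with no tags no tagged job can
            # match either, so this runner can never pick up work: flag it.
            findings.append((r["id"], "Audit",
                             "run_untagged is false but tag_list is empty"))
    return findings

# Constructed sample records shaped like the Runners API (not real runners).
SAMPLE_RUNNERS = [
    {"id": 11, "description": "prod-deploy", "run_untagged": False,
     "tag_list": ["production-deploy"]},
    {"id": 12, "description": "shared", "run_untagged": True, "tag_list": []},
    {"id": 13, "description": "build", "run_untagged": False, "tag_list": []},
]

if __name__ == "__main__":
    for rid, effect, reason in evaluate(POLICY, SAMPLE_RUNNERS):
        print(f"runner {rid}: {effect}: {reason}")
```

Runner 11 is compliant; runner 12 is the case this rule targets, and runner 13 shows the follow-on check from step 3 of the recommendation (untagged jobs refused but no tags assigned).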