{"id":40091036,"url":"https://github.com/getplumber/plumber","last_synced_at":"2026-07-02T09:01:16.228Z","repository":{"id":333434158,"uuid":"1137327132","full_name":"getplumber/plumber","owner":"getplumber","description":"Open source CLI to check compliance of your CI/CD pipelines and repos","archived":false,"fork":false,"pushed_at":"2026-06-25T07:19:21.000Z","size":22114,"stargazers_count":732,"open_issues_count":54,"forks_count":30,"subscribers_count":5,"default_branch":"main","last_synced_at":"2026-06-25T08:22:31.142Z","etag":null,"topics":["cicd","compliance","pipeline","security"],"latest_commit_sha":null,"homepage":"https://getplumber.io","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/getplumber.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-19T08:20:05.000Z","updated_at":"2026-06-25T07:06:54.000Z","dependencies_parsed_at":"2026-01-24T10:02:39.799Z","dependency_job_id":null,"html_url":"https://github.com/getplumber/plumber","commit_stats":null,"previous_names":["getplumber/plumber"],"tags_count":184,"template":false,"template_full_name":null,"purl":"pkg:github/getplumber/plumber","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/getplumber%2Fplumber","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/getplumber%2Fplumber/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/getplumber%2Fplumber/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/getplumber%2Fplumber/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/getplumber","download_url":"https://codeload.github.com/getplumber/plumber/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/getplumber%2Fplumber/sbom","scorecard":{"id":1244670,"data":{"date":"2026-03-10T12:25:04Z","repo":{"name":"github.com/getplumber/plumber","commit":"a85def0a0fed40129456ee353f20045939af9ee1"},"scorecard":{"version":"v5.3.0","commit":"c22063e786c11f9dd714d777a687ff7c4599b600"},"score":7.6,"checks":[{"name":"Code-Review","score":1,"reason":"Found 3/27 approved changesets -- score normalized to 1","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#code-review"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dependency-update-tool"}},{"name":"Maintained","score":0,"reason":"project was created within the last 90 days. Please review its contents carefully","details":["Warn: Repository was created within the last 90 days."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dangerous-workflow"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#security-policy"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#binary-artifacts"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:24","Info: jobLevel 'contents' permission set to 'read': .github/workflows/release.yml:373","Info: jobLevel 'actions' permission set to 'read': .github/workflows/release.yml:396","Info: jobLevel 'contents' permission set to 'read': .github/workflows/release.yml:48","Info: jobLevel 'contents' permission set to 'read': .github/workflows/release.yml:140","Info: jobLevel 'contents' permission set to 'read': .github/workflows/release.yml:188","Info: jobLevel 'contents' permission set to 'read': .github/workflows/scorecard.yml:17","Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:14","Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:16","Info: found token with 'none' permissions: .github/workflows/release.yml:1","Info: found token with 'none' permissions: .github/workflows/scorecard.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":9,"reason":"dependency not pinned by hash detected -- score normalized to 9","details":["Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:400: update your workflow using https://app.stepsecurity.io/secureworkflow/getplumber/plumber/release.yml/main?enable=pin","Info:  28 out of  28 GitHub-owned GitHubAction dependencies pinned","Info:  10 out of  11 third-party GitHubAction dependencies pinned","Info:   2 out of   2 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#pinned-dependencies"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#vulnerabilities"}},{"name":"CII-Best-Practices","score":2,"reason":"badge detected: InProgress","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#cii-best-practices"}},{"name":"Signed-Releases","score":8,"reason":"4 out of the last 5 releases have a total of 4 signed artifacts.","details":["Warn: release artifact v0.1.55 not signed: https://api.github.com/repos/getplumber/plumber/releases/293487233","Info: provenance for release artifact: multiple.intoto.jsonl: https://github.com/getplumber/plumber/releases/tag/v0.1.60","Info: provenance for release artifact: multiple.intoto.jsonl: https://github.com/getplumber/plumber/releases/tag/v0.1.58","Info: provenance for release artifact: multiple.intoto.jsonl: https://github.com/getplumber/plumber/releases/tag/v0.1.57","Info: provenance for release artifact: multiple.intoto.jsonl: https://github.com/getplumber/plumber/releases/tag/v0.1.56","Warn: release artifact v0.1.55 does not have provenance: https://api.github.com/repos/getplumber/plumber/releases/293487233"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#signed-releases"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/release.yml:136"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#packaging"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Mozilla Public License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#license"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: SAST configuration detected: CodeQL","Info: all commits (7) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#sast"}},{"name":"Fuzzing","score":10,"reason":"project is fuzzed","details":["Info: GoBuiltInFuzzer integration found: configuration/expression_fuzz_test.go:9","Info: GoBuiltInFuzzer integration found: utils/gitremote_fuzz_test.go:9"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#fuzzing"}},{"name":"Branch-Protection","score":3,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Info: 'branch protection settings apply to administrators' is required to merge on branch 'main'","Warn: branch 'main' does not require approvers","Warn: codeowners review is not required on branch 'main'","Warn: no status checks found to merge onto branch 'main'","Warn: PRs are not required to make changes on branch 'main'; or we don't have data to detect it.If you think it might be the latter, make sure to run Scorecard with a PAT or use Repo Rules (that are always public) instead of Branch Protection settings"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#branch-protection"}},{"name":"CI-Tests","score":10,"reason":"4 out of 4 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#ci-tests"}},{"name":"Contributors","score":3,"reason":"project has 1 contributing companies or organizations -- score normalized to 3","details":["Info: found contributions from: semantic-release"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#contributors"}}]},"last_synced_at":"2026-03-10T19:18:12.516Z","repository_id":333434158,"created_at":"2026-03-10T19:18:12.517Z","updated_at":"2026-03-10T19:18:12.517Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35040024,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-02T02:00:06.368Z","response_time":173,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cicd","compliance","pipeline","security"],"created_at":"2026-01-19T10:03:42.005Z","updated_at":"2026-07-02T09:01:16.214Z","avatar_url":"https://github.com/getplumber.png","language":"Go","funding_links":[],"categories":["others"],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/plumber.svg\" alt=\"Plumber\"\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cb\u003eCI/CD security scanner for GitLab CI and GitHub Actions\u003c/b\u003e\u003cbr/\u003e\n  \u003csub\u003eOne CLI, one \u003ccode\u003e.plumber.yaml\u003c/code\u003e, one Rego policy engine.\u003c/sub\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://score.getplumber.io/github.com/getplumber/plumber\"\u003e\u003cimg src=\"https://score.getplumber.io/github.com/getplumber/plumber.svg\" alt=\"Plumber Score\"\u003e\u003c/a\u003e\n  \u0026nbsp;\u0026nbsp;\n  \u003ca href=\"https://securityscorecards.dev/viewer/?uri=github.com/getplumber/plumber\"\u003e\u003cimg src=\"https://img.shields.io/ossf-scorecard/github.com/getplumber/plumber?label=OpenSSF%20Scorecard\u0026style=for-the-badge\u0026labelColor=2b2d42\u0026color=4a90d9\" alt=\"OpenSSF Scorecard\"\u003e\u003c/a\u003e\n  \u0026nbsp;\u0026nbsp;\n  \u003ca href=\"https://slsa.dev/spec/v1.0/levels#build-l3\"\u003e\u003cimg src=\"https://img.shields.io/badge/SLSA-Level%203-4a90d9?style=for-the-badge\u0026logo=slsa\u0026logoColor=white\u0026labelColor=2b2d42\" alt=\"SLSA 3\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/getplumber/plumber/actions\"\u003e\u003cimg src=\"https://img.shields.io/github/actions/workflow/status/getplumber/plumber/release.yml?label=Build\" alt=\"Build Status\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/getplumber/plumber/releases\"\u003e\u003cimg src=\"https://img.shields.io/github/v/release/getplumber/plumber\" alt=\"Latest Release\"\u003e\u003c/a\u003e\n  \u003cimg src=\"https://img.shields.io/github/go-mod/go-version/getplumber/plumber\" alt=\"Go Version\"\u003e\n  \u003ca href=\"https://github.com/getplumber/plumber/releases\"\u003e\u003cimg src=\"https://img.shields.io/github/downloads/getplumber/plumber/total?label=Downloads\" alt=\"GitHub Downloads\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://hub.docker.com/r/getplumber/plumber\"\u003e\u003cimg src=\"https://img.shields.io/docker/pulls/getplumber/plumber\" alt=\"Docker Pulls\"\u003e\u003c/a\u003e\n  \u003ca href=\"LICENSE\"\u003e\u003cimg src=\"https://img.shields.io/badge/license-MPL--2.0-blue\" alt=\"License\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://getplumber.io\"\u003eWebsite\u003c/a\u003e •\n  \u003ca href=\"https://getplumber.io/docs/cli\"\u003eDocs\u003c/a\u003e •\n  \u003ca href=\"https://discord.gg/932xkSU24f\"\u003eDiscord\u003c/a\u003e •\n  \u003ca href=\"https://github.com/getplumber/plumber/issues\"\u003eIssues\u003c/a\u003e\n\u003c/p\u003e\n\n---\n\n## What Is Plumber?\n\nPlumber scans CI/CD pipelines for risky patterns and security gaps.\n\n- **GitLab CI:** reads `.gitlab-ci.yml`, resolved includes, and repository settings.\n- **GitHub Actions:** reads `.github/workflows/*.{yml,yaml}` locally or through the GitHub API.\n- **One config:** `.plumber.yaml` contains provider-specific policy sections for GitLab and GitHub.\n\nPlumber reports findings in the terminal, JSON, SARIF, GitLab SAST, PBOM, and CycloneDX formats.\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/component.gif\" alt=\"Plumber GitLab CI component running\" width=\"700\"\u003e\n\u003c/p\u003e\n\n## Start Here\n\nRun your first scan before reading the full docs.\n\n```bash\nbrew tap getplumber/plumber\nbrew install plumber\n\nplumber config generate # generates default configuration yaml file\nplumber analyze\n```\n\nSee the generated default config in this repo: [`.plumber.yaml`](./.plumber.yaml).\n\nPlumber auto-detects the provider from your git remote. Use explicit flags when scanning a repo that is not the current checkout.\n\n## Choose Your Path\n\n| I want to... | Use this | Start here |\n|---|---|---|\n| Try Plumber locally | CLI | [`plumber analyze`](#local-cli) |\n| Add checks to GitLab CI | GitLab CI Component | [GitLab CI Component](#gitlab-ci-component) |\n| Add checks to GitHub Actions | GitHub Action | [GitHub Action](#github-action) |\n| Audit many repos from a script | CLI + JSON/SARIF | [Outputs](#outputs) |\n| Tune policy rules | `.plumber.yaml` | [Configuration](#configuration) |\n\n## Local CLI\n\n### Install\n\n```bash\nbrew tap getplumber/plumber\nbrew install plumber\n```\n\nOther options:\n\n- `mise use -g github:getplumber/plumber`\n- Download a binary from [GitHub Releases](https://github.com/getplumber/plumber/releases)\n- Run the Docker image: `getplumber/plumber`\n\nFull install docs:\n\n- GitLab: [getplumber.io/docs/cli/gitlab#run-with-the-gitlab-ci-component](https://getplumber.io/docs/cli/gitlab#run-with-the-gitlab-ci-component)\n- GitHub: [getplumber.io/docs/cli/github#run-with-github-actions](https://getplumber.io/docs/cli/github#run-with-github-actions)\n\n### Authenticate\n\nGitLab:\n\n```bash\nexport GITLAB_TOKEN=glpat_xxxx\n```\n\nGitHub (preferred — uses the gh CLI's keyring):\n\n```bash\ngh auth login\n```\n\nAlternative (CI runners, automation):\n\n```bash\nexport GH_TOKEN=ghp_xxxx\n```\n\nGitHub local scans can run without a token for workflow-content checks. A token enables repo-level and action-metadata checks.\n\nIf a workflow uses an action hosted in an org with an IP allow list (which blocks the runner's `GITHUB_TOKEN`), set `PLUMBER_METADATA_TOKEN` to a token with public-repository read so Plumber can still resolve that action's version for the known-CVE check. Without it, Plumber falls back to an anonymous read and, if that is rate-limited too, skips the version check rather than guessing.\n\n### Run\n\nCurrent repo:\n\n```bash\nplumber analyze\n```\n\nSpecific GitLab project:\n\n```bash\nplumber analyze \\\n  --provider gitlab \\\n  --gitlab-url https://gitlab.com \\\n  --project group/project\n```\n\nSpecific GitHub repo without a local clone:\n\n```bash\nplumber analyze \\\n  --provider github \\\n  --github-url github.com \\\n  --project owner/repo\n```\n\n## GitHub Action\n\n1. Add [the official Plumber action](https://github.com/marketplace/actions/plumber-score) to `.github/workflows/plumber.yml`:\n    ```yaml\n    name: Plumber\n\n    on:\n      pull_request:\n      push:\n        branches: [main]\n\n    permissions:\n      contents: read\n      security-events: write\n      # id-token: write   # uncomment to enable score-push below\n\n    jobs:\n      plumber:\n        runs-on: ubuntu-24.04\n        steps:\n          - uses: actions/checkout@v6\n          - uses: getplumber/plumber@\u003cversion\u003e\n            with:\n              # Set to `true` to publish an official Plumber score badge\n              # (it makes your score and repo name public, see Score Push section below)\n              score-push: false\n    ```\n\n\n\u003e To resolve action versions hosted in an org with an IP allow list, pass a\n\u003e public-repo-read token via the `metadata-token` input (kept in a secret):\n\u003e\n\u003e ```yaml\n\u003e         with:\n\u003e           metadata-token: ${{ secrets.PLUMBER_METADATA_TOKEN }}\n\u003e ```\n\n**Full guide:** [getplumber.io/docs/cli/github#run-with-github-actions](https://getplumber.io/docs/cli/github#run-with-github-actions)\n\n## GitLab CI Component\n\n1. Add [the official Plumber component](https://gitlab.com/explore/catalog/getplumber/plumber) to `.gitlab-ci.yml`:\n    ```yaml\n    include:\n      - component: gitlab.com/getplumber/plumber/plumber@\u003cversion\u003e\n        inputs:\n          # Set to `true` to publish an official Plumber score badge\n          # (it makes your score and repo name public, see Score Push section below)\n          score_push: false\n    ```\n2. Add `GITLAB_TOKEN` in **Settings -\u003e CI/CD -\u003e Variables**.\n    Use `read_api` + `read_repository` for scanning, or `api` if you want Plumber to post MR comments or badges.\n\n**Full guide:** [getplumber.io/docs/cli/gitlab#run-with-the-gitlab-ci-component](https://getplumber.io/docs/cli/gitlab#run-with-the-gitlab-ci-component)\n\n## Score Push\n\nEnabling score push publishes a self-updating `A–E` badge to the hosted score\nservice. It's the only way to get an **official Plumber score**. It's only\navailable in CI, not when running the CLI locally.\n\nDisplay it with a badge in your README (swap in your platform/owner/repo):\n```md\n[![Plumber Score](https://score.getplumber.io/github.com/OWNER/REPO.svg)](https://score.getplumber.io/github.com/OWNER/REPO)\n```\n\n\u003e ⚠️ Opt-in and off by default. Enabling it makes your **score and repository\n\u003e name public**. Only the default branch's score is displayed. See [score\n\u003e docs](https://getplumber.io/docs/plumber-score).\n\n## Configuration\n\nPlumber reads `.plumber.yaml`.\n\nCreate a config interactively:\n\n```bash\nplumber config init\n```\n\nGenerate the full commented [default template](./.plumber.yaml):\n\n```bash\nplumber config generate\n```\n\nExample:\n\n```yaml\nversion: \"2.0\"\n\ngitlab:\n  controls:\n    containerImageMustNotUseForbiddenTags:\n      enabled: true\n\ngithub:\n  controls:\n    actionsMustBePinnedByCommitSha:\n      enabled: true\n      trustedOwners:\n        - actions\n        - github\n```\n\nUseful commands:\n\n```bash\nplumber config validate\nplumber config view\nplumber config diff\nplumber explain ISSUE-411\n```\n\nFull config reference:\n\n- Default config: [`.plumber.yaml`](./.plumber.yaml)\n- CLI docs: [getplumber.io/docs/cli](https://getplumber.io/docs/cli)\n- Issue reference: [getplumber.io/docs/use-plumber/issues](https://getplumber.io/docs/use-plumber/issues)\n\n## Controls\n\nPlumber ships controls for:\n\n- container image pinning and authorized sources\n- branch protection\n- unverified script execution (`curl | bash`, `base64 -d | bash`, etc.)\n- Docker-in-Docker\n- weakened security jobs\n- unsafe variable expansion\n- GitHub action pinning, archived actions, ref confusion, and known CVEs\n- dangerous GitHub triggers and overbroad permissions\n- hardcoded secrets in pipeline YAML (opt-in; shells out to [gitleaks](https://github.com/gitleaks/gitleaks))\n\nFull catalogs:\n\n- GitLab controls: [getplumber.io/docs/use-plumber/controls?p=gitlab](https://getplumber.io/docs/use-plumber/controls?p=gitlab)\n- GitHub controls: [getplumber.io/docs/use-plumber/controls?p=github](https://getplumber.io/docs/use-plumber/controls?p=github)\n\n## Outputs\n\n| Output | Flag | Use it for |\n|---|---|---|\n| Terminal | default | Human review during local or CI runs |\n| JSON | `--output results.json` | Automation and dashboards |\n| SARIF | `--sarif results.sarif` | GitHub Code Scanning and SARIF-compatible tools |\n| GitLab SAST | `--glsast gl-sast-report.json` | GitLab Security Dashboard / MR widget |\n| PBOM | `--pbom pbom.json` | Pipeline inventory |\n| CycloneDX | `--pbom-cyclonedx cdx.json` | SBOM tooling |\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/plumber-output.png\" alt=\"Plumber terminal output\" width=\"700\"\u003e\n\u003c/p\u003e\n\nExample:\n\n```bash\nplumber analyze \\\n  --output results.json \\\n  --sarif results.sarif \\\n  --pbom pbom.json \\\n  --pbom-cyclonedx cdx.json\n```\n\nMore details:\n\n- PBOM docs: [`docs/PBOM.md`](./docs/PBOM.md)\n- Scoring docs: [`docs/scoring.md`](./docs/scoring.md)\n- CLI reference: [getplumber.io/docs/cli](https://getplumber.io/docs/cli)\n\n## Exit Codes\n\n| Code | Meaning |\n|---|---|\n| `0` | The security score is greater than or equal to `--threshold` |\n| `1` | The security score is below `--threshold` |\n| `2` | Invalid usage, configuration, or a runtime / provider / auth / network failure |\n| `3` | A check could not be verified and `--fail-warnings` is set (e.g. an action version that could not be resolved) |\n\n## Self-Hosted GitLab\n\nIf you run a self-hosted GitLab instance, host or mirror the Plumber component inside your instance, publish a release, and include that component URL from your pipelines.\n\nGuide: [getplumber.io/docs/cli/gitlab#hosting-on-self-hosted-gitlab](https://getplumber.io/docs/cli/gitlab#hosting-on-self-hosted-gitlab)\n\n## Troubleshooting\n\n| Problem | What to check |\n|---|---|\n| `GITLAB_TOKEN environment variable is required` | Export `GITLAB_TOKEN` or add it as a CI/CD variable |\n| GitHub upstream scan refuses to start | Set `GH_TOKEN`, `GITHUB_TOKEN`, or run `gh auth login` |\n| No GitHub repo-level findings | Local GitHub scans soft-degrade without token/API scope |\n| Config warnings | Run `plumber config validate` |\n| Need to inspect a finding | Run `plumber explain ISSUE-XXX` |\n\nMore help:\n\n- GitLab guide: [getplumber.io/docs/cli/gitlab](https://getplumber.io/docs/cli/gitlab)\n- GitHub guide: [getplumber.io/docs/cli/github](https://getplumber.io/docs/cli/github)\n- Discord: [discord.gg/932xkSU24f](https://discord.gg/932xkSU24f)\n- Contact: [tech@getplumber.io](mailto:tech@getplumber.io)\n\n## Development\n\nBuild locally:\n\n```bash\nmake build\n```\n\nRun tests:\n\n```bash\nmake test\n```\n\nContributing guide: [`CONTRIBUTING.md`](./CONTRIBUTING.md)\n\n## Resources\n\n- Website: [getplumber.io](https://getplumber.io)\n- Documentation: [getplumber.io/docs/cli](https://getplumber.io/docs/cli)\n- GitHub Action listing: [Plumber Score](https://github.com/marketplace/actions/plumber-score)\n- GitLab component docs: [`COMPONENT_README.md`](./COMPONENT_README.md)\n- Security policy: [`SECURITY.md`](./SECURITY.md)\n\n## License\n\nPlumber is licensed under the [Mozilla Public License 2.0](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgetplumber%2Fplumber","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgetplumber%2Fplumber","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgetplumber%2Fplumber/lists"}