Components usage restriction

Problem

Since users can include components from any domain, we need to allow platform administrators to restrict the usage of external components, either through a deny list or an allow list.

Proposed solution

This POC demonstrates how Pipeline Execution Policies can solve this issue.

Setup

Test Component: I created a validation component at https://gitlab.com/explore/catalog/furkanayhan/test-component

This component validates that only allowlisted components are used in CI configurations.

Example Policy Configuration:

Policy YAML (.gitlab/security-policies/policy.yml)
---
experiments:
  ensure_pipeline_policy_pre_succeeds:
    enabled: true

pipeline_execution_policy:
- name: Component allowlist
  description: Restrict usage of CI/CD components to approved sources only
  enabled: true
  pipeline_config_strategy: inject_policy
  content:
    include:
    - project: gl-demo-ultimate-fayhan/policies
      file: pep2.yml
      ref: main
  skip_ci:
    allowed: false
  variables_override:
    allowed: false
    exceptions: []
approval_policy: []

Policy Pipeline Configuration: https://gitlab.com/gl-demo-ultimate-fayhan/policies/-/blob/cd3291b6a44552f9b9e7d7c2964c2b5a4d068139/pep2.yml

include:
  - component: $CI_SERVER_FQDN/furkanayhan/test-component/validate-components@0.0.2
    inputs:
      stage: .pipeline-policy-pre
      allowlist: "gitlab.com/components/*,gitlab.com/furkanayhan/*"

Test Project: https://gitlab.com/gl-demo-ultimate-fayhan/policy-test-project-1

This project is under the gl-demo-ultimate-fayhan group, which has the policy configured above.


Test Case 1: Allowlisted Components ✅

CI Configuration:

include:
  - component: $CI_SERVER_FQDN/components/secret-detection/secret-detection@2.1.0
  - component: $CI_SERVER_FQDN/components/sast/sast@3.1.0

Results:

  • ✅ Validation job passed
  • ✅ Pipeline continued successfully


Test Case 2: Non-Allowlisted Component ❌

CI Configuration:

include:
  - component: $CI_SERVER_FQDN/components/secret-detection/secret-detection@2.1.0
  - component: $CI_SERVER_FQDN/components/sast/sast@3.1.0
  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@8.0.1

Results:

  • ❌ Validation job failed
  • ❌ Pipeline blocked


Summary

This approach demonstrates that Pipeline Execution Policies can effectively enforce component allowlists by:

  • Running validation in the .pipeline-policy-pre stage before any user-defined jobs
  • Blocking pipeline execution when non-allowlisted components are detected
  • Providing clear feedback about which components are not allowed
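To make the check concrete, here is an added example (not the test-component's own code, whose implementation is not shown here) of the allowlist logic such a .pipeline-policy-pre job could apply: it extracts component references from a CI include list, expands $CI_SERVER_FQDN, strips the @version suffix and matches the remaining path against the comma-separated glob allowlist from pep2.yml. The include list is constructed from Test Case 2 and the server host gitlab.com is assumed.

```python
import fnmatch
import sys

# Constructed sample input mirroring Test Case 2; the project include is not a component and is skipped.
SAMPLE_CI_INCLUDE = [
    {"component": "$CI_SERVER_FQDN/components/secret-detection/secret-detection@2.1.0"},
    {"component": "$CI_SERVER_FQDN/components/sast/sast@3.1.0"},
    {"component": "$CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@8.0.1"},
    {"project": "gl-demo-ultimate-fayhan/policies", "file": "pep2.yml", "ref": "main"},
]

# Allowlist input exactly as passed to the component in pep2.yml.
ALLOWLIST = "gitlab.com/components/*,gitlab.com/furkanayhan/*"

def component_refs(include):
    """Return only the component references from a CI `include:` list."""
    return [e["component"] for e in include if isinstance(e, dict) and "component" in e]

def component_path(ref, fqdn):
    """Expand $CI_SERVER_FQDN and drop the @version suffix, leaving host/project/component."""
    expanded = ref.replace("${CI_SERVER_FQDN}", fqdn).replace("$CI_SERVER_FQDN", fqdn)
    return expanded.rsplit("@", 1)[0]

def validate(include, allowlist, fqdn="gitlab.com"):
    """Split references into (allowed, denied) lists against comma-separated glob patterns.
    fnmatchcase matches the whole path, so gitlab.com/components/* is not satisfied by a
    lookalike host such as gitlab.com.example/components/..., and host matching is case-sensitive.
    """
    patterns = [p.strip() for p in allowlist.split(",") if p.strip()]
    allowed, denied = [], []
    for ref in component_refs(include):
        path = component_path(ref, fqdn)
        (allowed if any(fnmatch.fnmatchcase(path, p) for p in patterns) else denied).append(ref)
    return allowed, denied

def main():
    allowed, denied = validate(SAMPLE_CI_INCLUDE, ALLOWLIST)
    for ref in allowed:
        print(f"allowed:     {ref}")
    for ref in denied:
        print(f"NOT ALLOWED: {ref}")
    # A non-zero exit fails the .pipeline-policy-pre job, which blocks the rest of the pipeline.
    sys.exit(1 if denied else 0)

if __name__ == "__main__":
    main()
```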

Future work

If this is an accepted solution, we can improve the component and move it to https://gitlab.com/components.

Edited Feb 13, 2026 by 🤖 GitLab Bot 🤖