Open source · CI/CD security
Spot & fix CI/CD security leaks, continuously
The open-source tool that maps your pipelines, detects the leaks attackers look for, and grades your CI/CD security with a Plumber score in seconds.





Why it matters
CI/CD: the blind spot AI is making bigger every day
Unwatched. Under attack. AI-fueled.
AI has industrialized code production. Every line, human or machine, still ships through the one stage nobody watches: your CI/CD pipeline.
How it works
Map. Detect. Fix. Prove.
Continuous CI/CD security, run as one loop, on every pipeline.
Inventory
Discover every pipeline across all your repos.
Find the leaks
Surface exposed secrets, misconfigs and risky actions.
AI remediation
A deterministic AI agent applies the fix, auditable every time.
Get a grade
Ship an audit-ready Plumber Score, A to E.
The Plumber Score
One score. Everyone understands it.
An A to E grade that makes CI/CD security as easy to read as a credit rating.
CLI first, platform when you scale
Start in the terminal. Grow into the dashboard.
include:- component:gitlab.com/components/secret-detection/secret-detection@~mainmutable- component:gitlab.com/components/sast/sast@0.0.1outdated- component:random-gitlab.com/components/dast@1.3.4untrustedinstall-deps:image: node:latestmutablevariables:DAST_DISABLED: "false"overriddenallow_failure: truerules:- when: neverweakenedYour organization's pipelines
across all projects
Plumber Platform
scans every project
Full visibility
track, fix & remediate
Plumber Radar
The state of CI/CD security across open source
A free initiative that continuously scans public GitLab and GitHub projects and scores their CI/CD security, so the whole ecosystem can see where it stands.
- E▼
Critical 4High 9Medium 7Low 2Improve
- D
Critical 1High 5Medium 6Low 3Improve
- C
High 3Medium 4Low 5Improve
- B▲
High 1Medium 2Low 4Improve
- A
Low 3Improve
Pricing
Start free. Scale when you need to.
Up to 10 projects · core CI/CD controls · 7-day history · scheduled scans · community support.
From 10+ projects to unlimited · AI fixes & suggestions · unlimited history · portfolios · dedicated support.
Testimonials
Hear from our customers

Olivier LAVAUX
CISO at Numspot
Numspot requires continuous monitoring of its CI/CD pipeline compliance. Auditability is a critical focus to ensure that pipeline security processes do not deviate over time.

Nicolas PETROUSSENKO
COO at Point Base
We are both a consulting firm and a software publisher. With Plumber, we empower our clients to achieve Security by Design while enabling our developers to build compliant pipelines effortlessly. It transforms compliance from a manual burden into an automated, auditable process.

Yann HILLEREAU
IT Manager at FDI Access
Compliance is not just about the product. We must also prove that the way we build and deliver it is secure.

Steve ALBERT
Head of Operations at Numspot
Numspot's sovereign platform is intentionally designed to incorporate security and compliance as fundamental elements, embedded into every pipeline from day one, providing the level of security and compliance needed to navigate qualifications and certifications with peace of mind.

Lucas Delcroix-Eustache
CTO at Libération
We needed visibility first. Standardization came next. Now our CI/CD pipelines are clear, consistent, and easier to maintain.
Quick Start
Get started in minutes
Set up Plumber in your GitLab CI/CD pipeline or GitHub Actions workflow with just a few simple steps.
Set up Plumber in your repository
Add the Plumber CI component to your GitLab pipeline or the Plumber Action to your GitHub workflow, then configure controls: registries, action pinning, branch protection.
Run your CI/CD pipeline
Plumber runs as part of your pipeline and scans your CI configuration and job or workflow definitions.
Get your compliance report
View results in the job output or download the report artifact for audit and remediation.
FAQ
Frequently asked questions
What is Plumber?
What is the Plumber Score?
What security issues does Plumber detect?
How does Plumber fix the issues it finds?
What is the difference between the open-source CLI and the Plumber Platform?
Does Plumber help with security regulations like NIS2 and DORA?
How do I get started?
## Security scanning