Insufficient Flow Control Mechanisms

Insufficient flow control mechanisms occur when CI/CD pipelines lack restrictions on how data, artefacts, and jobs flow between stages or components. Without strong boundaries and policies, adversaries can manipulate the flow to introduce malicious artefacts, trigger unauthorised jobs, or exfiltrate sensitive data. This risk often manifests as pipelines that allow unreviewed changes to flow directly into production, workflows that execute without approval gates, or jobs that share unprotected workspaces and artefacts across stages.

Examples include:

  • Direct promotion of build artefacts to production without integrity checks or manual approval.
  • Pipelines that allow arbitrary job chaining or dynamic execution of unverified jobs.
  • Unrestricted movement of secrets, logs, or build artefacts between jobs, enabling exfiltration or tampering.

Remediation

  • Enforce pipeline stage isolation: separate build, test, and deploy stages with clear boundaries.
  • Implement mandatory approval gates for production deployments (e.g., code review, signed artefacts, or human approval workflows).
  • Use immutable artefacts and enforce cryptographic validation between pipeline stages.
  • Prevent dynamic or ad-hoc job chaining; define all jobs explicitly and require approval for changes to pipeline definitions.
  • Restrict data flows by applying least-privilege principles to artefacts, secrets, and logs.
  • Continuously monitor and audit pipeline flows to detect unexpected job execution or data transfers.
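The following is an added example, not code from the original page or from SecDim: a minimal promotion gate in Python that shows how the build stage can bind an artefact to a signed attestation, and how the deploy stage refuses to promote unless the digest still matches, the attestation verifies, and a human approval is recorded. The signing key, stage names and function names are assumptions for illustration; in a real pipeline the key would come from a secret store and the approval record from the CI system.

```python
import hashlib
import hmac
import json

# Constructed example key shared by the build and deploy stages.
# Assumption for this example only: a real pipeline reads it from a secret store.
BUILD_SIGNING_KEY = b"constructed-example-signing-key"


def sha256_hex(data: bytes) -> str:
    """Content digest used to make the artefact immutable across stages."""
    return hashlib.sha256(data).hexdigest()


def _sign(payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(BUILD_SIGNING_KEY, body, "sha256").hexdigest()


def build_stage(artefact: bytes, commit: str) -> dict:
    """Build stage: emit an attestation binding the artefact digest to the commit."""
    payload = {"stage": "build", "commit": commit, "digest": sha256_hex(artefact)}
    return {"payload": payload, "sig": _sign(payload)}


def promote_to_production(artefact: bytes, attestation: dict, approvals: set) -> str:
    """Deploy-stage gate. Each check corresponds to one flow-control boundary:
    attestation integrity, artefact immutability, and a mandatory approval gate."""
    # 1. The attestation must be the one the build stage actually produced.
    if not hmac.compare_digest(_sign(attestation["payload"]), attestation["sig"]):
        return "rejected: attestation signature invalid"
    # 2. The artefact being deployed must be the artefact that was built.
    if sha256_hex(artefact) != attestation["payload"]["digest"]:
        return "rejected: artefact digest does not match build attestation"
    # 3. No unreviewed flow into production: require a recorded human approval.
    if not approvals:
        return "rejected: no human approval recorded"
    return "promoted"


if __name__ == "__main__":
    art = b"constructed artefact bytes for app v1.0.0"
    att = build_stage(art, "abc123")
    print(promote_to_production(art, att, {"alice"}))        # promoted
    print(promote_to_production(b"swapped", att, {"alice"}))  # rejected: digest mismatch
    print(promote_to_production(art, att, set()))             # rejected: no approval
```

A tampered attestation fails the signature check before anything else, so an attacker who can write to the shared workspace cannot simply rewrite the digest to match a swapped artefact.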

Metadata

  • Severity: low
  • Slug: insufficient-flow-control-mechanisms

CWEs

  • 284: Improper Access Control

OWASP

  • CICD-SEC-1: Insufficient Flow Control Mechanisms
