Control: 2.3.8 Ensure scanners are in place to identify and prevent sensitive data in pipeline files
Description
Detect and prevent sensitive data, such as confidential ID numbers, passwords, etc., in pipelines.
Rationale
Sensitive data in pipeline configuration, such as cloud provider credentials or repository credentials, create vulnerabilities with which malicious actors could steal such information if they gain access to a pipeline. In order to mitigate this, set scanners that will identify and prevent the existence of sensitive data in the pipeline.
Audit
For every pipeline that is in use, verify that scanners are set to identify and prevent the existence of sensitive data within it.
Remediation
For every pipeline that is in use, set scanners that will identify and prevent sensitive data within it.
Usage
Run the control in your terminal:
powerpipe control run github_compliance.control.cis_supply_chain_v100_2_3_8Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run github_compliance.control.cis_supply_chain_v100_2_3_8 --shareSQL
This control uses a named query:
default_branch_pipelines_scanners_set_to_prevent_sensitive_data