turbot/github_compliance
GitHub
Loading controls...

Control: 2.4.2 Ensure all external dependencies used in the build process are locked

Description

External dependencies may be public packages needed in the pipeline, or perhaps the public image being used for the build worker. Lock these external dependencies in every build pipeline.

Rationale

External dependencies are sources of code that are not under organizational control. They might be intentionally or unintentionally infected with malicious code or have known vulnerabilities, which could result in sensitive data exposure, data harvesting, or the erosion of trust in an organization. Locking each external dependency to a specific, safe version gives more control and less chance for risk.

Audit

Ensure every external dependency being used in pipelines is locked.

Remediation

For all external dependencies being used in pipelines, verify they are locked.

Usage

Run the control in your terminal:

steampipe check github_compliance.control.cis_supply_chain_v100_2_4_2

Snapshot and share results via Steampipe Cloud:

steampipe login
steampipe check --share github_compliance.control.cis_supply_chain_v100_2_4_2

SQL

This control uses a named query:

default_branch_pipeline_locks_external_dependencies_for_build_process

Tags