Control: 2.4.2 Ensure all external dependencies used in the build process are locked
External dependencies may be public packages needed in the pipeline, or perhaps the public image being used for the build worker. Lock these external dependencies in every build pipeline.
External dependencies are sources of code that are not under organizational control. They might be intentionally or unintentionally infected with malicious code or have known vulnerabilities, which could result in sensitive data exposure, data harvesting, or the erosion of trust in an organization. Locking each external dependency to a specific, known-safe version gives the organization more control over what enters the build and reduces that risk.
Ensure every external dependency being used in pipelines is locked.
For all external dependencies being used in pipelines, verify they are locked.
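The named query behind this control inspects repositories through Steampipe; the script below is an added, stand-alone illustration of the same check and is not part of the Steampipe mod or its query. It scans a GitHub Actions workflow for the two kinds of external dependency the control describes: third-party actions (locked only when pinned to a full commit SHA) and container images, including `docker://` action references (locked only when pinned to a `sha256` digest). The workflow text, the action names and the digest value are constructed sample data, not taken from any real repository.

```python
import re

# Constructed sample workflow (not from the page): mixes locked and unlocked references.
# The digest on the python image is a placeholder value, not a real published image.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: node:18
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65
      - uses: docker://alpine:3.19
      - run: npm ci
  test:
    runs-on: ubuntu-latest
    container:
      image: python@sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    steps:
      - uses: ./.github/actions/local-step
"""

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")            # full git commit SHA
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")   # OCI content digest
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
IMAGE_RE = re.compile(r"^\s*image:\s*['\"]?([^'\"\s#]+)")


def is_locked_image(ref: str) -> bool:
    """A container image is locked only when referenced by a content digest;
    a tag such as ':18' or ':latest' can be re-pointed at different content."""
    return bool(DIGEST_RE.search(ref))


def is_locked_action(ref: str) -> bool:
    """An action is locked when pinned to a full commit SHA.
    Local actions (./path) live in the repository itself and are not external."""
    if ref.startswith("./"):
        return True
    if ref.startswith("docker://"):
        return is_locked_image(ref[len("docker://"):])
    if "@" not in ref:
        return False
    _, _, version = ref.rpartition("@")
    return bool(SHA1_RE.match(version))  # tags and branch names fail this test


def find_unlocked(workflow_text: str) -> list:
    """Return (line_number, reference) for every external dependency that is
    not locked to a SHA or digest. GitHub-hosted runner labels (runs-on) are
    not covered: they cannot be pinned by digest, so they are out of scope here."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            if not is_locked_action(m.group(1)):
                findings.append((lineno, m.group(1)))
            continue
        m = IMAGE_RE.match(line)
        if m and not is_locked_image(m.group(1)):
            findings.append((lineno, m.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, ref in find_unlocked(SAMPLE_WORKFLOW):
        print(f"line {lineno}: unlocked external dependency {ref}")
```

On the constructed workflow the scan reports the `node:18` image, the `actions/checkout@v4` tag reference and the `docker://alpine:3.19` image; the SHA-pinned action, the digest-pinned image and the local action pass. Running a check like this over every workflow file in a repository is one way to satisfy the audit step above before relying on the Steampipe query for ongoing evidence.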
Run the control in your terminal:
steampipe check github_compliance.control.cis_supply_chain_v100_2_4_2
Snapshot and share results via Steampipe Cloud:
steampipe login
steampipe check --share github_compliance.control.cis_supply_chain_v100_2_4_2
This control uses a named query: default_branch_pipeline_locks_external_dependencies_for_build_process