Control: 2.4.2 Ensure all external dependencies used in the build process are locked
Description
External dependencies may be public packages needed in the pipeline, or perhaps the public image being used for the build worker. Lock these external dependencies in every build pipeline.
Rationale
External dependencies are sources of code that are not under organizational control. They might be intentionally or unintentionally infected with malicious code or have known vulnerabilities, which could result in sensitive data exposure, data harvesting, or the erosion of trust in an organization. Locking each external dependency to a specific, safe version gives more control and less chance for risk.
Audit
Ensure every external dependency being used in pipelines is locked.
Remediation
For all external dependencies being used in pipelines, verify they are locked.
Usage
Run the control in your terminal:
powerpipe control run github_compliance.control.cis_supply_chain_v100_2_4_2Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run github_compliance.control.cis_supply_chain_v100_2_4_2 --shareSQL
This control uses a named query:
default_branch_pipeline_locks_external_dependencies_for_build_process