[RULE] Use pinned script dependencies #3324
Labels
pillar: security
Aligned to the Security pillar.
rule: automation-account
Rules for Automation Account
rule: deployment
Rule for Azure Resource Manager templates
Existing rule
No response
Suggested rule
When pulling in external files that will be executed, such as scripts, a pinned URL should be used to prevent the file at the end of the URL from being maliciously changed later (supply chain).
The URL must use a method that prevents the content from being changed. For example, a git branch or tag can be easily changed, and a git commit hash is considered unique (excluding collisions for the key space).
Separate rules should be created for:
Initially focus on https://raw.githubusercontent.com/. For example:
This is not pinned: https://raw.githubusercontent.com/Azure/PSRule.Rules.Azure/refs/heads/main/scripts/pipeline-deps.ps1
This is pinned to a SHA commit hash: https://raw.githubusercontent.com/Azure/PSRule.Rules.Azure/8dc395b739a8be00571d039c0af9df88d85c1e2a/scripts/pipeline-deps.ps1
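As an added illustration of the check the suggested rule would perform (not part of the issue and not PSRule.Rules.Azure's own rule code), the following Python classifies a raw.githubusercontent.com URL as pinned only when its ref segment is a full 40-character commit hash, treating `refs/heads/...`, `refs/tags/...` and bare branch or tag names as mutable. It also scans a small ARM template fragment (constructed for this example) for unpinned script URLs; the `primaryScriptUri` and `publishContentLink.uri` properties are the real properties of the deployment script and runbook resource types, but the sample values are assumptions.

```python
import json
import re
from urllib.parse import urlparse

# Constructed ARM template fragment for this example: one deployment script whose
# URL tracks a branch (mutable) and one runbook whose URL is pinned to a commit.
SAMPLE_TEMPLATE = json.dumps({
    "resources": [
        {
            "type": "Microsoft.Resources/deploymentScripts",
            "properties": {
                "primaryScriptUri": "https://raw.githubusercontent.com/Azure/PSRule.Rules.Azure/refs/heads/main/scripts/pipeline-deps.ps1"
            }
        },
        {
            "type": "Microsoft.Automation/automationAccounts/runbooks",
            "properties": {
                "publishContentLink": {
                    "uri": "https://raw.githubusercontent.com/Azure/PSRule.Rules.Azure/8dc395b739a8be00571d039c0af9df88d85c1e2a/scripts/pipeline-deps.ps1"
                }
            }
        }
    ]
})

# A full SHA-1 commit hash: 40 hex characters. Abbreviated hashes are rejected
# because they are not guaranteed unique within a repository.
FULL_COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def classify_raw_github_url(url):
    """Return 'pinned', 'unpinned' or 'other-host' for a script URL.

    raw.githubusercontent.com paths are laid out as <owner>/<repo>/<ref>/<file>,
    where <ref> is a branch, a tag, a commit hash, or the literal 'refs'
    followed by heads/<branch> or tags/<tag>.
    """
    parts = urlparse(url)
    if parts.netloc.lower() != "raw.githubusercontent.com":
        return "other-host"
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 4:
        # Too short to be owner/repo/ref/file; cannot be a commit-pinned file.
        return "unpinned"
    ref = segments[2]
    if ref == "refs":
        # refs/heads/<branch> or refs/tags/<tag>: both can be moved later.
        return "unpinned"
    if FULL_COMMIT_RE.match(ref.lower()):
        return "pinned"
    # A bare name such as 'main' or 'v1.2.3' is a branch or tag: mutable.
    return "unpinned"


def find_unpinned_script_urls(text):
    """Scan arbitrary text (for example an ARM template) and return the
    raw.githubusercontent.com URLs that are not pinned to a commit hash."""
    return [u for u in URL_RE.findall(text)
            if classify_raw_github_url(u) == "unpinned"]


if __name__ == "__main__":
    for url in find_unpinned_script_urls(SAMPLE_TEMPLATE):
        print("unpinned script URL:", url)
```

Running the module prints the branch-tracking deployment script URL and nothing for the runbook, which is the split the issue's two example URLs describe.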
Pillar
Security
Additional context
No response