Benchmark: 2.3 Pipeline Instructions
Overview
This section consists of security recommendations for pipeline instructions and commands.
Pipeline instructions take raw source code files and run a series of tasks on them to produce a final artifact as output. They are often written by third-party developers, so they should be treated with care, and in certain situations they can themselves be vulnerable to attack. Pipeline instruction files are considered very sensitive, and it is important to secure every aspect of them - the instructions themselves, access to them, etc.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-github-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 2.3 Pipeline Instructions.
Run this benchmark in your terminal:
powerpipe benchmark run github_compliance.benchmark.cis_supply_chain_v100_2_3
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run github_compliance.benchmark.cis_supply_chain_v100_2_3 --share
Controls
- 2.3.1 Ensure all build steps are defined as code
- 2.3.5 Ensure access to build process triggering is minimized
- 2.3.7 Ensure pipelines are automatically scanned for vulnerabilities
- 2.3.8 Ensure scanners are in place to identify and prevent sensitive data in pipeline files
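Control 2.3.8 asks for scanners that catch sensitive data in pipeline files. The script below is an added illustration of that kind of check and is not part of the steampipe-mod-github-compliance mod or of the CIS benchmark. It assumes a GitHub Actions workflow as the pipeline file, uses a constructed sample workflow embedded inline, treats `${{ secrets.NAME }}` references as the correct pattern, and flags lines where a credential-looking key is assigned a literal value or where basic-auth credentials are passed on a command line. The function names `scan_pipeline_text` and `evaluate_control_2_3_8` are hypothetical.

```python
import re

# Constructed sample workflow (not taken from the page or the mod). One step
# reads its token from the secrets store, two steps hardcode credentials.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Publish (safe)
        run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      - name: Publish (unsafe)
        run: npm publish
        env:
          NODE_AUTH_TOKEN: npm_ExampleHardcodedToken0123456789ABCDEF
      - name: Deploy (unsafe)
        run: curl -u deploy:hunter2 https://example.invalid/deploy
"""

# A value pulled from the platform secrets store is the expected practice.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.[A-Za-z0-9_]+\s*\}\}")

# Heuristics for literal credentials in a pipeline file (assumption: these
# cover the common shapes; a production scanner would add entropy checks
# and provider-specific token formats).
PATTERNS = [
    # key containing token/secret/password/api key assigned a literal value
    ("literal-credential", re.compile(
        r"^\s*([A-Za-z0-9_.-]*(?:token|secret|password|passwd|api[_-]?key)"
        r"[A-Za-z0-9_.-]*)\s*[:=]\s*(\S+)", re.I)),
    # curl-style basic auth: -u user:password
    ("basic-auth", re.compile(r"(?<!\S)-u\s+[^\s:]+:\S+")),
    # bearer token pasted inline
    ("bearer-token", re.compile(r"Bearer\s+[A-Za-z0-9._-]{16,}", re.I)),
]


def scan_pipeline_text(text):
    """Return a list of findings, one per offending line of the pipeline file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # Lines that reference the secrets store are fine; skip them.
        if SECRET_REF.search(line):
            continue
        for kind, pattern in PATTERNS:
            if pattern.search(line):
                findings.append({"line": lineno, "kind": kind, "text": line.strip()})
                break  # one finding per line is enough for a report
    return findings


def evaluate_control_2_3_8(text):
    """Mirror a benchmark control result: 'ok' when no literal credentials are found, else 'alarm'."""
    findings = scan_pipeline_text(text)
    status = "ok" if not findings else "alarm"
    return status, findings


if __name__ == "__main__":
    status, findings = evaluate_control_2_3_8(SAMPLE_WORKFLOW)
    print(f"2.3.8 sensitive data in pipeline file: {status}")
    for f in findings:
        print(f"  line {f['line']:>3} [{f['kind']}] {f['text']}")
```

Running the script reports `alarm` with two findings: the hardcoded `NODE_AUTH_TOKEN` value and the `curl -u deploy:hunter2` invocation, while the step that uses `${{ secrets.NPM_TOKEN }}` is not reported. In a real pipeline this check would run in pre-commit or in the CI job itself so that a workflow change carrying a literal credential is blocked before it is merged.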