Benchmark: 2.4 Pipeline Integrity
Overview
This section consists of security recommendations for maintaining pipeline integrity.
Integrity means ensuring that the pipelines, the dependencies they use, and the artifacts they produce are all authentic and are what they are intended to be. Securing pipeline integrity means verifying that every change and every process that runs during a build pipeline run is what it is supposed to be. One way to do that, for example, is to lock each dependency to a specific, vetted version. It is important to insist on this because it is how trust with the customer is established.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-github-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 2.4 Pipeline Integrity.
Run this benchmark in your terminal:
powerpipe benchmark run github_compliance.benchmark.cis_supply_chain_v100_2_4
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run github_compliance.benchmark.cis_supply_chain_v100_2_4 --share
Controls
- 2.4.2 Ensure all external dependencies used in the build process are locked
- 2.4.6 Ensure pipeline steps sign the SBOM produced