Benchmark: 3.2 Validate Packages
Overview
This section consists of security recommendations for managing package validation and checks. Third-party packages and dependencies can put the organization at risk, not only by being vulnerable to attacks, but also by being used improperly and violating license conditions. To protect the software supply chain from these dangers, it is important to validate packages and to understand whether and how to use them. This section's recommendations cover this topic.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-github-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 3.2 Validate Packages.
Run this benchmark in your terminal:
powerpipe benchmark run github_compliance.benchmark.cis_supply_chain_v100_3_2
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run github_compliance.benchmark.cis_supply_chain_v100_3_2 --share
Controls
- 3.2.2 Ensure packages are automatically scanned for known vulnerabilities
- 3.2.3 Ensure packages are automatically scanned for license implications