turbot/github_compliance

Control: 2.3.7 Ensure pipelines are automatically scanned for vulnerabilities

Description

Scan pipelines (for GitHub, the workflow definitions on each repository's default branch) for vulnerabilities. It is recommended that this scanning run automatically rather than only when triggered by hand.

Rationale

Automatic scanning detects known vulnerabilities in pipeline instructions and in the components a pipeline pulls in (actions, images, dependencies), so they can be patched quickly once found. Left unhandled, such a vulnerability can lead to a large-scale breach, since attackers may learn of it as soon as it becomes public.

Audit

For each pipeline, verify that vulnerability scanning is configured and runs automatically (on push, pull request or schedule, not only on a manual trigger).

Remediation

For each pipeline, configure vulnerability scanning that runs automatically on every change rather than only when triggered by hand.
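The audit step above, as an added offline check that is not the mod's own default_branch_pipelines_scan_for_vulnerabilities query and not part of this page: it walks the parsed form of each workflow file (the dict that yaml.safe_load returns for .github/workflows/*.yml, here constructed inline instead of read from disk), treats a repository as compliant only when at least one workflow both invokes a known scanning action and fires on an automatic trigger, and reports ok/alarm in the same spirit as a Powerpipe control status. The scanner allow-list, the trigger set and the three sample workflows are assumptions chosen for illustration.

```python
"""Offline check: does a repository's workflow set scan for vulnerabilities automatically?"""
from typing import Any, Dict, Iterable, List, Set

# Action prefixes that count as vulnerability scanning.
# Assumption: illustrative allow-list; extend it for your organisation.
SCANNER_ACTIONS = (
    "github/codeql-action/analyze",
    "aquasecurity/trivy-action",
    "anchore/scan-action",
    "snyk/actions",
)

# Triggers that fire without a human pressing "Run workflow".
AUTOMATIC_TRIGGERS = {"push", "pull_request", "pull_request_target", "schedule"}


def _triggers(workflow: Dict[Any, Any]) -> Set[str]:
    """Return the set of event names a workflow is triggered on."""
    # PyYAML follows YAML 1.1, where a bare `on` key parses as boolean True,
    # so look under both "on" and True.
    on = workflow.get("on", workflow.get(True))
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    if isinstance(on, dict):
        return set(on.keys())
    return set()


def _uses(workflow: Dict[Any, Any]) -> Iterable[str]:
    """Yield every `uses:` reference from every job step."""
    for job in (workflow.get("jobs") or {}).values():
        for step in job.get("steps") or []:
            if step.get("uses"):
                yield step["uses"]


def has_scanner(workflow: Dict[Any, Any]) -> bool:
    # Drop the @ref so 'aquasecurity/trivy-action@0.24.0' matches the prefix.
    return any(u.split("@", 1)[0].startswith(SCANNER_ACTIONS) for u in _uses(workflow))


def runs_automatically(workflow: Dict[Any, Any]) -> bool:
    return bool(_triggers(workflow) & AUTOMATIC_TRIGGERS)


def evaluate(workflow: Dict[Any, Any]) -> str:
    """'ok' when a scanner is present AND the workflow fires automatically, else 'alarm'."""
    return "ok" if has_scanner(workflow) and runs_automatically(workflow) else "alarm"


def evaluate_repository(workflows: List[Dict[Any, Any]]) -> str:
    """A repository passes if any one of its default-branch workflows passes."""
    return "ok" if any(evaluate(wf) == "ok" for wf in workflows) else "alarm"


# Constructed sample workflows, shaped like yaml.safe_load() output (assumption).
CODEQL_ON_PUSH = {
    "name": "CodeQL",
    "on": {"push": {"branches": ["main"]}, "pull_request": None,
           "schedule": [{"cron": "0 3 * * 1"}]},
    "jobs": {"analyze": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},
        {"uses": "github/codeql-action/init@v3", "with": {"languages": "python"}},
        {"uses": "github/codeql-action/analyze@v3"},
    ]}},
}

# Scanner present, but only runnable by hand: fails the "automatic" requirement.
TRIVY_MANUAL_ONLY = {
    "name": "Trivy (manual)",
    True: ["workflow_dispatch"],  # what PyYAML yields for a bare `on:` key
    "jobs": {"scan": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},
        {"uses": "aquasecurity/trivy-action@0.24.0", "with": {"scan-type": "fs"}},
    ]}},
}

# Ordinary CI with no scanner at all.
BUILD_ONLY = {
    "name": "CI",
    "on": ["push", "pull_request"],
    "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},
        {"run": "make test"},
    ]}},
}

if __name__ == "__main__":
    for name, wf in [("codeql.yml", CODEQL_ON_PUSH),
                     ("trivy.yml", TRIVY_MANUAL_ONLY),
                     ("ci.yml", BUILD_ONLY)]:
        print(f"{evaluate(wf):5}  {name}")
    print("repository:", evaluate_repository([BUILD_ONLY, TRIVY_MANUAL_ONLY]))
```

The manual-only Trivy workflow is the case worth noticing: a scanner is wired in, so a check that only greps for the action name would pass it, but nothing runs it on a push or pull request, which is exactly what the control's "automatically" qualifier is about.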

Usage

Run the control in your terminal:

powerpipe control run github_compliance.control.cis_supply_chain_v100_2_3_7

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run github_compliance.control.cis_supply_chain_v100_2_3_7 --share

SQL

This control uses a named query:

default_branch_pipelines_scan_for_vulnerabilities

Tags