Control: 2.3.8 Ensure scanners are in place to identify and prevent sensitive data in pipeline files
Description
Detect and block sensitive data, such as confidential ID numbers and passwords, in pipeline files.
Rationale
Sensitive data in pipeline configuration, such as cloud provider credentials or repository credentials, creates a vulnerability: a malicious actor who gains access to the pipeline can steal it. To mitigate this, configure scanners that identify and block sensitive data in pipeline files.
Audit
For every pipeline that is in use, verify that scanners are configured to identify and block sensitive data within it.
Remediation
For every pipeline that is in use, configure scanners that identify and block sensitive data within it.
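The control checks only that a scanner is configured. What such a scanner does in practice is shown by the added example below, which is not part of the github_compliance mod, the named query, or the benchmark. It scans workflow YAML for well-known token formats and for literal values assigned to credential-named keys, treats `${{ secrets.* }}` and environment references as safe, redacts what it reports so the secret is not echoed into CI logs, and exits non-zero so a CI step can block the change. The regexes, thresholds, sample workflow and the values in it (AWS's published documentation example key pair) are this example's own assumptions.

```python
"""Pipeline-file secret scanner: an added, stand-alone example of the kind of
check control 2.3.8 asks for. It is not part of the github_compliance mod and
is not the named query the control runs. The regexes and thresholds below are
this example's own assumptions, not values taken from the benchmark."""
import math
import re
import sys
from collections import Counter

# Well-known token formats. AKIA... is the AWS access key ID prefix (the value
# in the sample below is AWS's published documentation example, not a real
# key); ghp_ is the GitHub classic personal access token prefix.
TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# Any YAML key or env assignment whose name suggests a credential, e.g.
# `AWS_SECRET_ACCESS_KEY: ...` or `DB_PASSWORD=...`. Group 1 is the key name,
# group 2 the rest of the line.
CREDENTIAL_ASSIGNMENT = re.compile(
    r"(?i)([\w-]*(?:password|passwd|secret|token|api[_-]?key)[\w-]*)\s*[:=]\s*(.+)$"
)

# Values that only *reference* a secret store or the environment are fine:
# `${{ secrets.NAME }}`, `${{ env.NAME }}`, `${{ vars.NAME }}`, `$NAME`, `${NAME}`.
SAFE_REFERENCE = re.compile(
    r"^\$(\{\{\s*(secrets|env|vars)\.\w+\s*\}\}|\{?[A-Za-z_]\w*\}?)$"
)


def shannon_entropy(value):
    """Bits per character; random-looking tokens score well above 3.5."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def redact(value):
    """Never echo the secret itself into CI logs; keep a short prefix for triage."""
    return value[:4] + "*" * max(len(value) - 4, 4)


def scan_text(text, path="<inline>"):
    """Return one finding dict per suspicious line in a pipeline file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hit = False
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({"path": path, "line": lineno, "kind": kind,
                                 "value": redact(match.group(0)), "confidence": "high"})
                hit = True
        if hit:
            continue  # already reported; do not double count via the heuristic
        match = CREDENTIAL_ASSIGNMENT.search(line)
        if not match:
            continue
        # Drop a trailing YAML comment and surrounding quotes before judging the value.
        value = match.group(2).split(" #", 1)[0].strip().strip("'\"")
        if not value or SAFE_REFERENCE.match(value):
            continue
        confidence = "high" if len(value) >= 16 and shannon_entropy(value) >= 3.5 else "medium"
        findings.append({"path": path, "line": lineno, "kind": "credential_assignment",
                         "key": match.group(1), "value": redact(value),
                         "confidence": confidence})
    return findings


def scan_files(paths):
    """Scan each file on disk and concatenate the findings."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_text(fh.read(), path))
    return findings


# Constructed sample workflow: two hard-coded AWS credentials (AWS documentation
# example values) beside two correct `${{ secrets.* }}` references.
SAMPLE_WORKFLOW = """\
name: deploy
on: [push]
env:
  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
  AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./deploy.sh
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""

if __name__ == "__main__":
    # With file arguments scan those (e.g. .github/workflows/*.yml); without,
    # scan the constructed sample. Exit 1 on findings so a CI step fails.
    results = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_WORKFLOW)
    for f in results:
        print(f"{f['path']}:{f['line']}: {f['kind']} ({f['confidence']}) {f['value']}")
    sys.exit(1 if results else 0)
```

Run it as a step before any job that deploys, pointing it at the workflow directory; the non-zero exit is what turns "identify" into "prevent". Purpose-built scanners add many more token formats and a baseline file for accepted findings, but the two checks above (known prefixes plus literal values under credential-named keys, with secret-store references exempted) are the core of what they do.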
Usage
Run the control in your terminal:
powerpipe control run github_compliance.control.cis_supply_chain_v100_2_3_8
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run github_compliance.control.cis_supply_chain_v100_2_3_8 --share
SQL
This control uses a named query:
default_branch_pipelines_scanners_set_to_prevent_sensitive_data