turbot/github_compliance

Control: 3.1.7 Ensure dependencies are pinned to a specific, verified version

Description

Pin dependencies to a specific version. Avoid using the "latest" tag or broad version.

Rationale

When using a wildcard version of a package, or the "latest" tag, the risk of encountering a new, potentially malicious package increases. The "latest" tag pulls the last package pushed to the registry. This means that if an attacker pushes a new, malicious package successfully to the registry, the next user who pulls the "latest" will pull it and risk attack. This same rule applies to a wildcard version. Assuming one is using version v1.*, it will install the latest version of the major version 1, meaning that if an attacker can push a malicious package with that same version, those using it will be subject to possible attack. By using a secure, verified version, use is restricted to this version only and no other may be pulled, decreasing the risk for any malicious package.

Audit

For every dependency in use, ensure it is pinned to a specific version.

Remediation

For every dependency in use, pin to a specific version.

Usage

Run the control in your terminal:

powerpipe control run github_compliance.control.cis_supply_chain_v100_3_1_7

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run github_compliance.control.cis_supply_chain_v100_3_1_7 --share

SQL

This control uses a named query:

default_branch_pipeline_locks_external_dependencies_for_build_process

Tags