Control: 2.3.1 Ensure all build steps are defined as code
Description
Use pipeline as code for build pipelines and their defined steps.
Rationale
Storing pipeline instructions as code in a version control system automates the build steps and leaves less room for human error, which could otherwise lead to a security breach. Additionally, it makes it possible to revert to a previous pipeline configuration in order to pinpoint the offending change should a malicious incident occur.
Audit
Verify that all build steps are defined as code and stored in a version control system.
Remediation
Convert pipeline instructions into code-based syntax and upload them to the organization's version control platform.
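As an added example (not part of the github_compliance mod or the CIS benchmark text), the following GitHub Actions workflow shows what a build pipeline defined as code looks like: it lives at .github/workflows/build.yml in the repository, so every change to the build steps goes through version control and pull-request review, and an earlier configuration can be restored with a normal revert. The job name, the Node.js toolchain and the npm commands are assumptions; substitute the project's real build commands.

```yaml
# Added example, not from the github_compliance mod: a minimal GitHub Actions
# workflow stored as code at .github/workflows/build.yml.
# The "build" job name, Node.js toolchain and npm commands are assumptions.
name: build

on:
  push:
    branches: [main]
  pull_request:

# Least privilege: the build only needs to read the checkout.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - run: npm ci          # reproducible install from the committed lockfile
      - run: npm run build   # the build step itself, now tracked in git
      - run: npm test
```

Because the workflow file is versioned, a `git log -p .github/workflows/build.yml` shows exactly who changed which build step and when, which is the audit trail the rationale above relies on. Teams that want to harden this further commonly pin third-party actions to a full commit SHA rather than a moving tag so that the referenced action code cannot change underneath the pipeline.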
Usage
Run the control in your terminal:
powerpipe control run github_compliance.control.cis_supply_chain_v100_2_3_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run github_compliance.control.cis_supply_chain_v100_2_3_1 --share
SQL
This control uses a named query:
with repositories as (
  select
    name_with_owner,
    url
  from
    github_my_repository
  order by
    name_with_owner
),
pipelines as (
  select
    name,
    repository_full_name,
    pipeline
  from
    github_workflow
  where
    repository_full_name in (select name_with_owner from repositories)
),
build_jobs as (
  select distinct
    p.repository_full_name
  from
    pipelines as p,
    jsonb_array_elements(pipeline -> 'jobs') as j
  where
    (j -> 'metadata' -> 'build')::bool
)
select distinct
  -- Required Columns
  r.url as resource,
  case
    when j.repository_full_name is null then 'alarm'
    else 'ok'
  end as status,
  case
    when j.repository_full_name is null then 'No build steps are defined as code.'
    else 'All build steps are defined as code.'
  end as reason,
  -- Additional Dimensions
  r.name_with_owner
from
  repositories as r
  left join build_jobs as j on r.name_with_owner = j.repository_full_name;