Powerpipe Detection Mods →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-github-compliance
Overview
2Dashboards
37Benchmarks
33Queries
2Variables
GitHub

Control: 2.4.2 Ensure all external dependencies used in the build process are locked

Description

External dependencies may be public packages needed in the pipeline, or perhaps the public image being used for the build worker. Lock these external dependencies in every build pipeline.

Rationale

External dependencies are sources of code that are not under organizational control. They might be intentionally or unintentionally infected with malicious code or have known vulnerabilities, which could result in sensitive data exposure, data harvesting, or the erosion of trust in an organization. Locking each external dependency to a specific, safe version gives more control and less chance for risk.

Audit

Ensure every external dependency being used in pipelines is locked.

Remediation

For all external dependencies being used in pipelines, verify they are locked.

Usage

Run the control in your terminal:

powerpipe control run github_compliance.control.cis_supply_chain_v100_2_4_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run github_compliance.control.cis_supply_chain_v100_2_4_2 --share

SQL

This control uses a named query:

with repositories as (
  select
    name_with_owner,
    url
  from
    github_my_repository
  order by
    name_with_owner
),
pipelines as (
  select
    name,
    repository_full_name,
    pipeline
  from
    github_workflow
  where
    repository_full_name in (select name_with_owner from repositories)
),
unpinned_task_count as (
  select
    count(*) filter (where step ->> 'type' = 'task' and (step -> 'task' ->> 'version_type')::text != 'commit' ) as unpinned_task_count,
    count(*) filter (where step ->> 'type' = 'task' and (step -> 'task' ->> 'version_type')::text = 'commit' ) as pinned_task_count,
    p.repository_full_name
  from
    pipelines as p,
    jsonb_array_elements(pipeline -> 'jobs') as job,
    jsonb_array_elements(job -> 'steps') as step
  group by
    repository_full_name
)
select
  -- Required Columns
  r.url as resource,
  case
    when u.unpinned_task_count > 0 then 'alarm'
    else 'ok'
  end as status,
  case
    when u.unpinned_task_count > 0 then unpinned_task_count::text || ' task(s) are not pinned.'
    when u.repository_full_name is null then 'No build task(s) in the repository.'
    else 'All task(s) are pinned.'
  end as reason,
  -- Additional Dimensions
  r.name_with_owner
from
  repositories as r
  left join unpinned_task_count as u on r.name_with_owner = u.repository_full_name;

Tags

category = Compliance
cis = true
cis_section_id = 2.4
cis_supply_chain_v100 = true
cis_type = automated
cis_version = v1.0.0
plugin = github
service = GitHub