
[RULE] Use pinned script dependencies #3324

@BernieWhite

Description


Existing rule

No response

Suggested rule

When pulling in external files that will be executed, such as scripts, a pinned URL should be used to prevent the file at the end of the URL from being maliciously changed later (supply chain).

The URL must use a method that prevents the content from being changed. For example, a git branch or tag can be easily changed, while a git commit hash is considered unique (excluding collisions in the key space).

Separate rules should be created for:

  • Automation runbooks
  • Deployment scripts

Initially focus on https://raw.githubusercontent.com/.

For example:

This is not pinned: https://raw.githubusercontent.com/Azure/PSRule.Rules.Azure/refs/heads/main/scripts/pipeline-deps.ps1

This is pinned to a SHA commit hash: https://raw.githubusercontent.com/Azure/PSRule.Rules.Azure/8dc395b739a8be00571d039c0af9df88d85c1e2a/scripts/pipeline-deps.ps1

Pillar

Security

Additional context

No response
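An added example, not part of this issue or of the PSRule.Rules.Azure project: a standalone Python check that classifies `raw.githubusercontent.com` URLs as pinned (the ref segment is a full 40-hex commit SHA) or unpinned (a branch name, a tag name, or a `refs/heads/...` / `refs/tags/...` ref), and scans pipeline text for script downloads that use unpinned URLs. The sample pipeline snippet, the function names, and the choice to accept only a full 40-character SHA as a pin (abbreviated SHAs are treated as unpinned) are assumptions of this example, not the rule the issue proposes.

```python
import re
from urllib.parse import urlparse

# A full SHA-1 commit hash: 40 hex characters. Abbreviated hashes are not
# accepted as pins here (assumption: a conservative check).
SHA1_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)

# Matches raw.githubusercontent.com URLs embedded in pipeline text; stops at
# whitespace and common quoting/bracket characters.
RAW_URL_RE = re.compile(r"https://raw\.githubusercontent\.com/[^\s'\"<>)\]]+")


def classify_raw_github_url(url):
    """Return 'pinned', 'unpinned', or 'not-raw-github' for a URL.

    raw.githubusercontent.com paths have the shape
    /<owner>/<repo>/<ref...>/<path-to-file>, where <ref> is a branch or tag
    name, a refs/heads/... or refs/tags/... ref, or a commit hash. Only a
    full commit hash is immutable, so only that case counts as pinned.
    """
    parts = urlparse(url)
    if parts.scheme != "https" or parts.netloc.lower() != "raw.githubusercontent.com":
        return "not-raw-github"
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 4:
        # Too short to carry owner, repo, ref and a file path.
        return "unpinned"
    ref = segments[2]
    if ref == "refs":
        # refs/heads/<branch> or refs/tags/<tag>: both can be moved.
        return "unpinned"
    if SHA1_RE.match(ref):
        return "pinned"
    # Bare branch or tag name (e.g. "main", "v1.2.0"): mutable.
    return "unpinned"


def find_unpinned_script_urls(text):
    """Return the raw.githubusercontent.com URLs in text that are not pinned."""
    return [
        url for url in RAW_URL_RE.findall(text)
        if classify_raw_github_url(url) != "pinned"
    ]


# Constructed sample: a pipeline that downloads the same script twice, once
# via a branch ref and once via a commit hash (the two URLs from the issue).
SAMPLE_PIPELINE = """
steps:
  - pwsh: |
      Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/Azure/PSRule.Rules.Azure/refs/heads/main/scripts/pipeline-deps.ps1' -OutFile deps.ps1
      ./deps.ps1
  - pwsh: |
      Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/Azure/PSRule.Rules.Azure/8dc395b739a8be00571d039c0af9df88d85c1e2a/scripts/pipeline-deps.ps1' -OutFile deps.ps1
      ./deps.ps1
"""

if __name__ == "__main__":
    for url in find_unpinned_script_urls(SAMPLE_PIPELINE):
        print(f"UNPINNED: {url}")
```

Running the block on the constructed pipeline reports only the `refs/heads/main` URL; the commit-hash URL passes. A tag named with 40 hex characters would be misclassified as pinned by this heuristic, which is the trade-off of checking the URL shape alone rather than resolving the ref against the repository.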
