
[RULE] Use pinned script dependencies

Open BernieWhite opened this issue 6 months ago • 0 comments

Existing rule

No response

Suggested rule

When pulling in external files that will be executed, such as scripts, a pinned URL should be used to prevent the file at the end of the URL from being maliciously changed later (supply chain).

The URL must use a method that prevents the content from being changed. For example, a git branch or tag can be easily changed, and a git commit hash is considered unique (excluding collisions for the key space).

Separate rules should be created for:

  • Automation runbooks
  • Deployment scripts

Initially focus on https://raw.githubusercontent.com/.

For example:

This is not pinned: https://raw.githubusercontent.com/Azure/PSRule.Rules.Azure/refs/heads/main/scripts/pipeline-deps.ps1

This is pinned to a SHA commit hash: https://raw.githubusercontent.com/Azure/PSRule.Rules.Azure/8dc395b739a8be00571d039c0af9df88d85c1e2a/scripts/pipeline-deps.ps1

Pillar

Security

Additional context

No response

BernieWhite avatar Apr 11 '25 03:04 BernieWhite
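An illustration of the check the issue proposes, as an added example that is not the project's code or its PSRule rule syntax: classify a raw.githubusercontent.com URL as pinned (path ref is a full 40-hex commit SHA) or mutable (refs/heads/..., refs/tags/..., or a bare branch/tag name), then scan a script body for unpinned references. The path layouts, the `SAMPLE_SCRIPT` text and the third URL (bare `main` ref) are constructed for the example; only the first two URLs come from the issue.

```python
import re
from urllib.parse import urlparse

# The issue says to start with raw.githubusercontent.com only.
RAW_GITHUB_HOST = "raw.githubusercontent.com"
# Assumption: a pinned ref is a full SHA-1 commit hash (40 hex chars).
# Abbreviated hashes are not treated as pinned: they are not guaranteed unique.
COMMIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches raw GitHub URLs inside script text; stops at whitespace, quotes, backticks or ')'.
URL_RE = re.compile(r"""https?://raw\.githubusercontent\.com/[^\s'"`)]+""")


def classify_raw_github_url(url):
    """Return (pinned, reason).

    pinned is True for a commit-hash ref, False for a mutable ref,
    and None when the URL is not on raw.githubusercontent.com (not evaluated).

    Path layouts assumed for this example:
      /<owner>/<repo>/refs/heads/<branch>/<path>  -> branch, mutable
      /<owner>/<repo>/refs/tags/<tag>/<path>      -> tag, mutable
      /<owner>/<repo>/<ref>/<path>                -> pinned only if <ref> is a 40-hex SHA
    """
    parsed = urlparse(url)
    if parsed.hostname != RAW_GITHUB_HOST:
        return None, "not a raw.githubusercontent.com URL; not evaluated"
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) < 4:
        return False, "too few path segments to identify a ref"
    ref = parts[2]
    if ref == "refs" and len(parts) >= 5:
        kind, name = parts[3], parts[4]
        what = "branch" if kind == "heads" else "tag"
        return False, f"refs/{kind}/{name} is a mutable {what} and can be re-pointed"
    if COMMIT_SHA_RE.match(ref):
        return True, f"pinned to commit {ref}"
    return False, f"ref '{ref}' is a branch or tag name, not a full commit hash"


def find_unpinned_urls(script_text):
    """Return [(url, reason)] for every unpinned raw GitHub URL found in script_text."""
    findings = []
    for url in URL_RE.findall(script_text):
        pinned, reason = classify_raw_github_url(url)
        if pinned is False:
            findings.append((url, reason))
    return findings


# Constructed sample deployment-script body: one branch URL, one pinned URL, one bare branch name.
SAMPLE_SCRIPT = """
Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/Azure/PSRule.Rules.Azure/refs/heads/main/scripts/pipeline-deps.ps1' -OutFile deps.ps1
Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/Azure/PSRule.Rules.Azure/8dc395b739a8be00571d039c0af9df88d85c1e2a/scripts/pipeline-deps.ps1' -OutFile deps-pinned.ps1
Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/Azure/PSRule.Rules.Azure/main/scripts/pipeline-deps.ps1' -OutFile deps-bare.ps1
"""

if __name__ == "__main__":
    for url, reason in find_unpinned_urls(SAMPLE_SCRIPT):
        print(f"UNPINNED: {url}\n  {reason}")
```

Run against a runbook or deployment script body, the scan reports the two mutable references and accepts the commit-pinned one. Pinning to a hash only proves the file cannot silently change; the pinned revision still has to be reviewed before it is trusted.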