4.3.4 Ensure webhooks of the package registry are secured

ID

cis_sscs/package_hooks

Severity

high

Category

artifacts/package_registries

Levels

Optional

false

Tags

infrastructure, security, supply-chain

Description

Use secured webhooks of the package registry.

Rationale

Webhooks are used for triggering an HTTP request based on an action made in the platform. Typically, package registries feature webhooks when a package receives an update.

Since a webhook is an HTTP POST request, its contents can be intercepted or altered in transit if it is not sent over SSL/TLS (HTTPS).

In addition, webhook messages can be protected by a message authentication code (MAC), usually keyed with a secret shared between emitter and receiver, so the receiver can verify that the message comes from the expected source and has not been modified.

To prevent compromise of the webhook itself, of the registry, or of the web server accepting the request, use only secured webhooks.
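The two controls described above (TLS for the delivery URL, and a shared-secret MAC over the payload) are shown here as an added example, not code from the benchmark or from any particular registry. The header name, the `sha256=<hex>` signature layout, the secret and the sample payload are assumptions constructed for illustration.

```python
import hmac
import hashlib
from urllib.parse import urlparse

# Assumed layout (not from the benchmark text): the registry sends
# "sha256=<hex HMAC-SHA256 of the raw body>" in this header, keyed with a
# secret that emitter and receiver agreed on out of band.
SIGNATURE_HEADER = "X-Webhook-Signature-256"


def is_secure_webhook_url(url: str) -> bool:
    """Verification step: the delivery URL must use HTTPS (TLS), never plain HTTP."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def sign_payload(secret: bytes, body: bytes) -> str:
    """Emitter side: compute the MAC over the exact bytes that are sent."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_webhook(secret: bytes, headers: dict, body: bytes) -> bool:
    """Receiver side: reject requests whose MAC is missing, malformed or wrong.

    The MAC is recomputed over the raw body (before any JSON parsing) and
    compared in constant time so timing does not leak the expected value.
    """
    provided = headers.get(SIGNATURE_HEADER, "")
    if not provided.startswith("sha256="):
        return False
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected, provided)


# Constructed sample: a package-update notification as a registry might deliver it.
SECRET = b"constructed-shared-secret"
BODY = b'{"event":"package.updated","name":"example-lib","version":"1.4.2"}'

if __name__ == "__main__":
    genuine = {SIGNATURE_HEADER: sign_payload(SECRET, BODY)}
    print("accept genuine delivery:", verify_webhook(SECRET, genuine, BODY))
    tampered = BODY.replace(b"1.4.2", b"9.9.9")
    print("reject tampered body:", not verify_webhook(SECRET, genuine, tampered))
    print("reject missing signature:", not verify_webhook(SECRET, {}, BODY))
    print("https url accepted:", is_secure_webhook_url("https://ci.example.internal/hooks/registry"))
    print("http url rejected:", not is_secure_webhook_url("http://ci.example.internal/hooks/registry"))
```

The same check applies whichever header name a given registry uses; only `SIGNATURE_HEADER` and the secret need to match the registry's configuration.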

Verification

For each webhook in use, ensure it is secured (HTTPS) and that there is an authentication-of-origin scheme enabled, when available.

Remediation

For each webhook in use, change it to be secured (over HTTPS) and ensure that an authentication-of-origin scheme is enabled.