2.4.2 Ensure all external dependencies used in the build process are locked
ID: cis_sscs/pipeline_external_dependencies
Severity: high
Category: build_pipelines/pipeline_integrity
Levels:
Optional: false
Tags: cicd-sec-09, dependencies, security, slsa-4, supply-chain
Description
External dependencies may be public packages needed in the pipeline, or perhaps the public image being used for the build worker. Lock these external dependencies in every build pipeline.
Rationale
External dependencies are sources of code that aren’t under organizational control. They might be intentionally or unintentionally infected with malicious code or have known vulnerabilities which could result in sensitive data exposure, data harvesting, or the erosion of trust in an organization.
Locking each external dependency to a specific, known-good version gives more control and reduces the risk.
In particular, tasks in pipelines often refer to external software which is typically tagged with version numbers. Tags are mutable, so unless you trust the creator of the task, it is good practice to pin tasks to a full-length commit SHA. For the specific case of GitHub, see "Using third-party actions".
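The following is an added example, not part of the CIS control text or any official CIS tooling. It is a small audit script that applies the rule above to a GitHub Actions workflow: every `uses:` reference to an external action must end in a full-length (40 hex character) commit SHA rather than a tag or branch, and every container `image:` must be referenced by `sha256` digest rather than a mutable tag. The embedded workflow, the commit SHA and the image digest are constructed placeholders chosen to exercise both the failing and the passing cases; they do not refer to real commits or images.

```python
import re
from dataclasses import dataclass

# Constructed placeholders of the right length; NOT real commit or image identifiers.
PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"
PLACEHOLDER_DIGEST = "sha256:" + "ab" * 32

# Constructed sample workflow: lines 5, 7, 8 and 11 use mutable references,
# the remaining external references are locked to a SHA or digest.
SAMPLE_WORKFLOW = f"""\
jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: node:20
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@main
      - uses: actions/checkout@{PLACEHOLDER_SHA}  # pinned: full commit SHA
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: npm ci
  test:
    runs-on: ubuntu-latest
    container:
      image: node@{PLACEHOLDER_DIGEST}
    steps:
      - uses: actions/setup-node@{PLACEHOLDER_SHA}
"""

FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
IMAGE_RE = re.compile(r"^\s*image:\s*(\S+)")


@dataclass(frozen=True)
class Finding:
    line: int
    ref: str
    reason: str


def image_is_pinned(image: str) -> bool:
    """A container image is locked only when referenced by digest, never by tag."""
    return bool(DIGEST_RE.search(image))


def action_is_pinned(ref: str) -> bool:
    """owner/repo@<40-hex> is pinned; tags, branches and a missing ref are not.

    Local actions (./path) live in the same repository and are not external.
    docker:// actions are container images and follow the digest rule.
    """
    if ref.startswith("./"):
        return True
    if ref.startswith("docker://"):
        return image_is_pinned(ref[len("docker://"):])
    if "@" not in ref:
        return False  # no ref at all resolves to the default branch
    _, version = ref.rsplit("@", 1)
    return bool(FULL_SHA_RE.match(version))


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per external dependency that is not locked."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if not action_is_pinned(ref):
                findings.append(Finding(lineno, ref, "action not pinned to a full-length commit SHA"))
            continue
        m = IMAGE_RE.match(line)
        if m and not image_is_pinned(m.group(1)):
            findings.append(Finding(lineno, m.group(1), "image referenced by mutable tag, not digest"))
    return findings


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.ref}: {f.reason}")
```

Running the script against the constructed workflow reports the two tag/branch-pinned actions, the `docker://` image with a tag and the `node:20` container image, while the SHA-pinned actions, the digest-pinned image and the in-repo action pass. The same check fits naturally as a pre-merge lint over `.github/workflows/`, so a change that downgrades a SHA back to a tag is caught in review rather than in production.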