2.3.8 Ensure scanners are in place to identify and prevent sensitive data in pipeline files

ID

cis_sscs/secrets_scan

Severity

low

Category

build_pipelines/pipeline_instructions

Levels

Optional

true

Tags

secrets-scanner, security, slsa-4, supply-chain

Description

Detect and prevent sensitive data, such as confidential ID numbers and passwords, in pipelines. You can configure tools, or run commands, that check whether the workflows use such tools to verify this. The parameters are tools and commands.

Rationale

Sensitive data in pipeline configuration, such as cloud provider credentials or repository credentials, creates a vulnerability: a malicious actor who gains access to the pipeline can steal that information. To mitigate this, set scanners that identify and prevent the presence of sensitive data in the pipeline.

Verification

For every pipeline that is in use, verify that scanners are set to identify and prevent the existence of sensitive data within it.

Remediation

For every pipeline that is in use, set scanners that will identify and prevent sensitive data within it.
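As an added illustration of the scanning and gating this control calls for (not part of the CIS benchmark or of any named scanning tool), the following Python script scans a GitHub-Actions-style pipeline file for hardcoded credentials, allow-lists values that only reference a secret store or an environment variable, and exits non-zero when it finds anything so the pipeline run can be blocked. The rule set, the sample workflow and every name in it are constructed for this example; a production deployment would use a maintained scanner with a fuller rule set.

```python
"""
Minimal secrets scanner for CI pipeline files.

Added example for this control; it is not part of the CIS benchmark or of
any particular scanning tool. It assumes a GitHub-Actions-style YAML pipeline
and a small, illustrative rule set.
"""
import re
from dataclasses import dataclass

# Detection rules: (rule name, compiled pattern). Group 2 of the generic rule
# captures the assigned value so templated references can be allow-listed.
RULES = [
    # AWS access key IDs have a fixed, well-known prefix and length.
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # GitHub personal access tokens (classic) carry the ghp_ prefix.
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    # A secret-like key (password, token, api_key, ...) assigned a literal value.
    ("generic-credential-assignment",
     re.compile(r"(?i)(password|passwd|secret|token|api[_-]?key)[A-Za-z0-9_]*\s*[:=]\s*['\"]?([^\s'\"#]+)")),
]

# Values that merely reference a secret store or an environment variable
# (${{ secrets.X }}, $(var), $VAR) are the recommended pattern, not findings.
TEMPLATED_REF = re.compile(r"^(\$\{\{|\$\(|\$[A-Za-z_])")

# YAML inline comments start at ' #'; drop them so commentary is not scanned.
INLINE_COMMENT = re.compile(r"\s#.*$")


@dataclass
class Finding:
    line_no: int
    rule: str
    line: str


def scan_pipeline(text):
    """Return a list of Finding objects, one per line that contains a secret."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = INLINE_COMMENT.sub("", raw).strip()
        if not line or line.startswith("#"):
            continue
        for rule, pattern in RULES:
            match = pattern.search(line)
            if not match:
                continue
            if rule == "generic-credential-assignment" and TEMPLATED_REF.match(match.group(2)):
                continue  # e.g. ${{ secrets.X }}: the secret is injected at run time
            findings.append(Finding(line_no, rule, line))
            break  # one finding per line is enough for a gate
    return findings


def pipeline_is_clean(text):
    """Gate function: True when the pipeline file contains no findings."""
    return not scan_pipeline(text)


# Constructed sample workflow (not a real project's file). The access key ID
# is the example value from AWS documentation; the password is made up.
SAMPLE_WORKFLOW = """\
name: deploy
on: push
env:
  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE          # hardcoded literal
  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET }} # reference to the secret store
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - run: ./deploy.sh --password=hunter2         # literal credential on the command line
      - run: ./deploy.sh --token=$DEPLOY_TOKEN      # environment variable reference
"""


if __name__ == "__main__":
    for f in scan_pipeline(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.rule}: {f.line}")
    # A CI gate exits non-zero so the pipeline run is blocked.
    raise SystemExit(0 if pipeline_is_clean(SAMPLE_WORKFLOW) else 1)
```

Run against the constructed workflow, the script reports the hardcoded access key ID on line 4 and the literal password on line 10, while the `${{ secrets.AWS_SECRET }}` and `$DEPLOY_TOKEN` references pass; wiring `pipeline_is_clean` into a pre-merge check is what turns identification into prevention.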