Do not use the latest checkout

ID

latest_checkout

Severity

high

Vendor

Ansible

Resource

General Security

Tags

reachable

Description

Checks that source-control checkouts (for example with ansible.builtin.git) are pinned to a fixed revision rather than a moving target such as HEAD, which is also what the module uses when version is omitted. A checkout that follows the tip of the repository fetches whatever the upstream contains at the moment the play runs, so the same playbook can produce different results from one run to the next, and an upstream push (accidental or malicious) silently changes what gets deployed.

Learn more about this topic at Ansible latest checkout.

Examples

---
- name: Example for `latest` rule
  hosts: localhost
  tasks:
    - name: Risky use of git module
      ansible.builtin.git:
        repo: "https://foosball.example.org/path/to/repo.git"
        version: HEAD # <-- moving target; omitting version has the same effect, since HEAD is the default

Mitigation / Fix

---
- name: Example for `latest` rule
  hosts: localhost
  tasks:
    - name: Safe use of git module
      ansible.builtin.git:
        repo: "https://foosball.example.org/path/to/repo.git"
        version: abcd1234... # <-- a full commit SHA: immutable, the strongest pin
---
- name: Example for `latest` rule
  hosts: localhost
  tasks:
    - name: Safe use of git module
      ansible.builtin.git:
        repo: "https://foosball.example.org/path/to/repo.git"
        version: release-0.22 # <-- a release tag: fixed today, but the repository owner can re-point it
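As an added example (not the page's or ansible-lint's own code), the following Python script applies the check described above to a parsed playbook: every git task whose version is missing, HEAD or latest is reported as a violation, and a branch or tag is reported as advisory because only a full commit id cannot be moved by whoever controls the repository. It assumes the playbook has already been loaded into Python objects (PyYAML or ansible-lint do that); the PLAYBOOK below is a constructed sample that reuses the repository URL from the examples above, and all function names are this example's own.

```python
"""Flag ansible.builtin.git checkouts that are not pinned to a fixed commit.

Added example, not ansible-lint's own implementation. It assumes the playbook
has already been parsed into Python objects (PyYAML or ansible-lint do that);
PLAYBOOK below is a constructed sample, and every function name is this
example's own.
"""
import re
import shlex

GIT_MODULE_NAMES = ("ansible.builtin.git", "git")
MOVING_TARGETS = {"HEAD", "latest"}
# A full SHA-1 (40 hex) or SHA-256 (64 hex) object id is the only immutable ref.
FULL_OBJECT_ID = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")


def classify_version(version):
    """Return 'moving', 'mutable' or 'immutable' for a git `version` value.

    An omitted version is 'moving' because ansible.builtin.git defaults to HEAD.
    """
    if version is None:
        return "moving"
    ref = str(version).strip()
    if ref == "" or ref in MOVING_TARGETS:
        return "moving"
    if FULL_OBJECT_ID.match(ref):
        return "immutable"
    return "mutable"  # branch or tag: fixed today, but the repo owner can re-point it


def git_args(task):
    """Return the git module's arguments as a dict, or None if this is not a git task."""
    for name in GIT_MODULE_NAMES:
        if name not in task:
            continue
        args = task[name]
        if isinstance(args, dict):
            return args
        # key=value free form, e.g. "repo=https://... version=HEAD"
        if isinstance(args, str):
            return dict(part.split("=", 1) for part in shlex.split(args) if "=" in part)
        return {}
    return None


def iter_tasks(tasks):
    """Yield leaf tasks, descending into block/rescue/always sections."""
    for task in tasks:
        if "block" in task:
            for section in ("block", "rescue", "always"):
                yield from iter_tasks(task.get(section) or [])
        else:
            yield task


def find_unpinned_checkouts(playbook):
    """Return one finding per git task whose `version` is not a full commit id."""
    findings = []
    for play in playbook:
        for section in ("pre_tasks", "tasks", "post_tasks", "handlers"):
            for task in iter_tasks(play.get(section) or []):
                args = git_args(task)
                if args is None:
                    continue
                kind = classify_version(args.get("version"))
                if kind == "immutable":
                    continue
                findings.append({
                    "task": task.get("name", "<unnamed>"),
                    "repo": args.get("repo"),
                    "version": args.get("version"),
                    "kind": kind,  # 'moving' is the rule violation; 'mutable' is advisory
                })
    return findings


# Constructed sample playbook (already parsed); the repo URL is the page's example URL.
REPO = "https://foosball.example.org/path/to/repo.git"
PLAYBOOK = [
    {
        "name": "Example for `latest` rule",
        "hosts": "localhost",
        "tasks": [
            {"name": "Risky: explicit HEAD",
             "ansible.builtin.git": {"repo": REPO, "version": "HEAD"}},
            {"name": "Risky: version omitted (defaults to HEAD)",
             "ansible.builtin.git": {"repo": REPO, "dest": "/opt/app"}},
            {"block": [
                {"name": "Advisory: tag can be moved upstream",
                 "git": {"repo": REPO, "version": "release-0.22"}},
                {"name": "Safe: full commit id",
                 "ansible.builtin.git": {"repo": REPO,
                                         "version": "0123456789abcdef0123456789abcdef01234567"}},
            ]},
        ],
    }
]

if __name__ == "__main__":
    for f in find_unpinned_checkouts(PLAYBOOK):
        print(f"{f['kind']:9} {f['task']!r} version={f['version']!r}")
```

Running the script reports the two HEAD checkouts as moving and the release-0.22 tag as mutable; the task pinned to a full commit id is not reported. Treat the mutable findings as a prompt to record the commit the tag resolved to at review time, since a tag that is force-moved upstream will pass this check and the lint rule alike.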