Ensure all external dependencies used in the build process are locked

ID

pipeline_external_dependencies

Severity

high

Family

CI/CD tools

Tags

cicd-sec-09, cicd-security, dependencies, reachable, security, slsa-4, supply-chain

Description

External dependencies may be public packages needed in the pipeline, or perhaps the public image being used for the build worker. Lock these external dependencies in every build pipeline.

Security

External dependencies are sources of code that aren’t under organizational control. They might be intentionally or unintentionally infected with malicious code or have known vulnerabilities which could result in sensitive data exposure, data harvesting, or the erosion of trust in an organization.

Locking each external dependency to a specific, safe version gives more control and less chance for risk.

In particular, tasks in pipelines often refer to external software that is tagged with version numbers; because a tag or branch name can be moved to point at different code, it is not a stable reference. Unless you trust the creator of the task, it is good practice to pin tasks to a full-length commit SHA. For the specific case of GitHub, see the guidance on using third-party actions.

This detector helps to ensure that every external dependency (known as 'tasks' or 'actions') being used in pipelines is locked.

Mitigation / Fix

For all external dependencies being used in pipelines, verify they are locked.

A promising open source tool for securing CI/CD workflows with version pinning is ratchet, which rewrites a pipeline file for several CI/CD systems so that its dependencies are pinned.
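As an added example (this is not the detector's own code, nor ratchet's), the following scanner implements the check described in the Description, Security and Mitigation sections above: it walks a workflow file and reports each external action reference that is not pinned to a full-length commit SHA, and each build-worker container image that is not pinned to a content digest. The workflow text is constructed for the example; the 40-character and 64-character hex values in it are placeholders, not real commits or digests. Local actions referenced by path are in-repo code and are not treated as external.

```python
import re

# Constructed sample workflow for the example (not from the page). It mixes
# mutable references (a tag, an untagged-by-digest image) with pinned ones.
# The hex strings are placeholders, not real commit SHAs or image digests.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: node:20
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: docker://alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

# `uses:` and `image:` keys, optionally as list items, optionally quoted;
# the captured reference stops at whitespace, a quote or a trailing comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
IMAGE_RE = re.compile(r'^\s*-?\s*image:\s*["\']?([^\s"\'#]+)')

# A full-length git commit SHA (40 hex chars) and an OCI content digest.
COMMIT_SHA_RE = re.compile(r'^[0-9a-f]{40}$', re.IGNORECASE)
IMAGE_DIGEST_RE = re.compile(r'^sha256:[0-9a-f]{64}$', re.IGNORECASE)


def is_pinned_image(image: str) -> bool:
    """True only when the image is referenced by digest (name@sha256:...)."""
    if '@' not in image:
        return False          # bare name or name:tag -> mutable
    _, _, digest = image.rpartition('@')
    return bool(IMAGE_DIGEST_RE.match(digest))


def is_pinned_action(ref: str) -> bool:
    """True when an action reference cannot silently change content."""
    if ref.startswith('./'):
        return True           # local action: in-repo code, not external
    if ref.startswith('docker://'):
        return is_pinned_image(ref[len('docker://'):])
    if '@' not in ref:
        return False          # no version at all
    _, _, version = ref.rpartition('@')
    # Tags (v4) and branches (main) are mutable; only a full SHA is pinned.
    return bool(COMMIT_SHA_RE.match(version))


def find_unpinned(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, kind, reference) for every unpinned dependency."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            if not is_pinned_action(m.group(1)):
                findings.append((lineno, 'uses', m.group(1)))
            continue
        m = IMAGE_RE.match(line)
        if m and not is_pinned_image(m.group(1)):
            findings.append((lineno, 'image', m.group(1)))
    return findings


if __name__ == '__main__':
    for lineno, kind, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f'line {lineno}: unpinned {kind} reference {ref!r}')
```

Run against the constructed workflow, the scanner flags the `node:20` container image, the `actions/checkout@v4` tag and the `docker://alpine:3.19` image, and accepts the SHA-pinned action, the digest-pinned image and the local action. A real detector would parse the YAML rather than match lines, and would consult the CI/CD system for verified creators as described under Configuration, but the pinned/unpinned decision is the same.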

Configuration

The detector has a property skipVerifiedCreators which is enabled by default. When enabled, it discards unpinned dependencies from trusted/verified/certified creators. This information is requested from the CI/CD systems on each analysis.