Unsecured Communication

ID

unsecured_communication

Severity

critical

Family

CI/CD tools

Tags

asvs50-v12.1.1, asvs50-v13.1.1, cicd-sec-02, cicd-security, infrastructure, reachable, security, spvs10-v1.4.4, spvs10-v4.3.3, supply-chain

Description

This detector reports any on-premise CI/CD tool whose controller URL uses plain (non-TLS) HTTP or presents an untrusted certificate.

Security

Jenkins servers handle very sensitive data such as secrets and credentials, which must be protected from curious users and attackers while in transit.

Mitigation / Fix

In order to comply with this check, configure the URL of the CI/CD tool controller server to use the HTTPS protocol with a certificate issued by a trusted CA.
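As an added example (not the detector's own implementation, and not code from the Jenkins project), the following Python script shows the two checks this detector describes: it reads the controller URL from a Jenkins-style location configuration and flags a plain-HTTP scheme, and, when asked to, performs a TLS handshake with full chain and hostname verification so that a self-signed, expired or otherwise untrusted certificate is reported. The configuration text is constructed for the example; the element name `jenkinsUrl` matches what Jenkins stores in `jenkins.model.JenkinsLocationConfiguration.xml`, but the hostnames, the `audit_controller_url` function and its `check_certificate` / `cafile` parameters are assumptions of this example.

```python
import socket
import ssl
from typing import List, Optional
from urllib.parse import urlparse
from xml.etree import ElementTree

# Constructed sample: a Jenkins-style location configuration that still points
# the controller at plain HTTP. Hostnames use the reserved .invalid TLD.
SAMPLE_CONFIG_XML = """
<jenkins.model.JenkinsLocationConfiguration>
  <adminAddress>ci-admin@example.invalid</adminAddress>
  <jenkinsUrl>http://jenkins.example.invalid:8080/</jenkinsUrl>
</jenkins.model.JenkinsLocationConfiguration>
"""

# The corrected form of the same setting: HTTPS on the default port.
FIXED_CONTROLLER_URL = "https://jenkins.example.invalid/"


def controller_url_from_config(xml_text: str) -> str:
    """Extract the configured controller URL from a location configuration."""
    root = ElementTree.fromstring(xml_text)
    node = root.find("jenkinsUrl")
    if node is None or not node.text:
        raise ValueError("no <jenkinsUrl> element in configuration")
    return node.text.strip()


def classify_url(url: str) -> str:
    """Classify the URL scheme: 'https', 'insecure-http' or 'unknown-scheme'."""
    scheme = urlparse(url).scheme.lower()
    if scheme == "https":
        return "https"
    if scheme == "http":
        return "insecure-http"
    return "unknown-scheme"


def certificate_is_trusted(host: str, port: int = 443,
                           cafile: Optional[str] = None,
                           timeout: float = 5.0) -> bool:
    """Handshake with the server and verify its chain and hostname.

    Uses the system trust store unless `cafile` names a private CA bundle.
    Returns False on any certificate verification failure (self-signed,
    expired, wrong hostname, unknown issuer). Network errors propagate so
    an unreachable host is not silently reported as trusted.
    """
    context = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False


def audit_controller_url(url: str, check_certificate: bool = False,
                         cafile: Optional[str] = None) -> List[str]:
    """Return the unsecured_communication findings for one controller URL.

    check_certificate=True additionally performs the live TLS check; it is
    off by default so the scheme check can run offline.
    """
    findings: List[str] = []
    kind = classify_url(url)
    if kind == "insecure-http":
        findings.append(f"unsecured_communication: controller URL {url} uses plain HTTP")
    elif kind == "unknown-scheme":
        findings.append(f"unsecured_communication: controller URL {url} has an unrecognised scheme")
    elif check_certificate:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if not certificate_is_trusted(host, parsed.port or 443, cafile):
            findings.append(f"unsecured_communication: certificate for {host} is not trusted")
    return findings


if __name__ == "__main__":
    configured = controller_url_from_config(SAMPLE_CONFIG_XML)
    for finding in audit_controller_url(configured):
        print(finding)
    print("after fix:", audit_controller_url(FIXED_CONTROLLER_URL) or "no findings")
```

Run with `check_certificate=True` against a real controller to exercise the certificate path; pass `cafile` when the organisation uses a private CA, since a certificate that is only trusted after TLS verification is disabled in the client is exactly the condition the detector flags.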