Usage of the force parameter disabling signature validation allowed
Description
This policy detects whether the force parameter is set to yes on a task that uses the Ansible apt module. In ansible.builtin.apt, force corresponds to apt-get --force-yes: it implies allow_unauthenticated: yes and allow_downgrade: yes, so packages are installed even when their repository signature cannot be verified, and already-installed packages may be replaced with older versions. Either behaviour lets an attacker who can tamper with a mirror, a proxy or a repository metadata file push unverified or vulnerable packages onto every host the play touches, compromising system integrity and stability.
Code Example
```yaml
- name: Example
  hosts: all
  gather_facts: False
  tasks:
    - name: Avoid using force with apt
      ansible.builtin.apt:
        name: nginx
        state: latest
-       force: yes
+       force: no
```
Remediation
Ansible
- Module: ansible.builtin.apt or apt
- Attribute: force
To mitigate this risk, do not set the force parameter in apt tasks; leaving it unset is equivalent to force: no, so apt keeps verifying package signatures and refuses silent downgrades. If a task genuinely has to install an unsigned package or downgrade one, prefer the narrower allow_unauthenticated or allow_downgrade options on that single task rather than force, which disables both protections at once. Any task that still needs force: yes should be treated as a finding to justify and track, not as a default.
Secure Code Example
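Hardened version of the playbook above, as an added example that is not part of the original page or of Checkov's own code. The first task simply omits force, which is the remediation this policy expects. The second task shows the narrower alternative when an unsigned package truly cannot be avoided: allow_unauthenticated (a documented ansible.builtin.apt option) is set on that one task only, so downgrade protection stays in place for it and signature checking stays in place for every other task. The package name internal-tool and the notion of an internal unsigned repository are hypothetical.

```yaml
- name: Install packages without overriding apt safety checks
  hosts: all
  gather_facts: false
  tasks:
    - name: Install nginx from a signed repository
      ansible.builtin.apt:
        name: nginx
        state: latest
        update_cache: true
        # force is deliberately omitted (defaults to no): apt keeps verifying
        # repository signatures and will not downgrade an installed package.

    - name: Install an internally built package from an unsigned repository (hypothetical)
      ansible.builtin.apt:
        name: internal-tool        # hypothetical package name
        state: present
        # Narrow, explicit opt-out for this task only: signature checking is
        # relaxed, but downgrade protection is untouched. The better fix is to
        # sign the repository and add its key, then delete this option.
        allow_unauthenticated: true
```

Running this play with Checkov (checkov -d . --framework ansible) should no longer report CKV_ANSIBLE_6, because no task sets force; the allow_unauthenticated opt-out is easy to grep for in review and can be removed once the internal repository is signed.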
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0047 |
| Severity | LOW |
| IaC Type | Ansible |
| Frameworks | Ansible |
| Checkov ID | CKV_ANSIBLE_6 |