Detecting image usages in Azure Pipelines workflows
Description
This policy checks for the usage of images in Azure Pipelines workflows. It is essential to monitor image usage to ensure that only approved and trusted images are used, reducing the risk of supply chain attacks and potential security vulnerabilities. By detecting image usage, this rule helps maintain the security and integrity of the pipeline. The rule checks the 'jobs', 'stages.jobs', and 'container' sections of the Azure Pipelines configuration for image references.
Code Example
```yaml
jobs:
- job: build
  pool:
    vmImage: 'ubuntu-latest'
  # Use trusted images, e.g., 'mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine'
  container: 'mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine'
  steps:
  - script: echo "running inside an approved container image"
```
Remediation
To fix this, ensure that all images used in the Azure Pipelines workflow are trusted and approved. Verify the source and integrity of the images, and consider using image scanning tools to identify potential vulnerabilities.
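The check described above, walking the pipeline-level container, jobs[] and stages[].jobs[] sections for image references and comparing each against an allowlist of approved registries, as an added example. This is not Checkov's implementation of CKV_AZUREPIPELINES_5; the allowlist (APPROVED_PREFIXES), the sample pipeline and the image names in it are constructed for the example. The function operates on the dict that yaml.safe_load() returns for an azure-pipelines.yml, so the sample is written in that already-parsed form.

```python
"""Added example (not Checkov's own code): collect container image references
from an Azure Pipelines definition and report those not from an approved registry."""
from typing import Any, Dict, Iterator, List, Optional, Tuple

# Constructed allowlist of approved registry prefixes (assumption for this example).
APPROVED_PREFIXES: Tuple[str, ...] = ("mcr.microsoft.com/",)

# Constructed sample pipeline, in the shape yaml.safe_load() would return.
SAMPLE_PIPELINE: Dict[str, Any] = {
    "resources": {
        "containers": [
            {"container": "linter", "image": "docker.io/example/linter:latest"},
        ]
    },
    "container": "mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine",
    "jobs": [
        {"job": "build", "container": {"image": "mcr.microsoft.com/dotnet/sdk:8.0"}},
        {"job": "lint", "container": "linter"},  # name declared under resources.containers
    ],
    "stages": [
        {"stage": "test", "jobs": [
            {"job": "unit", "container": "ghcr.io/someorg/test-runner:3"},
        ]},
    ],
}


def _resource_containers(pipeline: Dict[str, Any]) -> Dict[str, str]:
    """Map names declared under resources.containers[] to their images."""
    out: Dict[str, str] = {}
    for entry in (pipeline.get("resources") or {}).get("containers") or []:
        if isinstance(entry, dict) and isinstance(entry.get("image"), str):
            out[str(entry.get("container"))] = entry["image"]
    return out


def image_of(container: Any, named: Dict[str, str]) -> Optional[str]:
    """Resolve a 'container' entry to an image reference.

    Azure Pipelines accepts an image string, a mapping with an 'image' key,
    or the name of a container declared under resources.containers."""
    if isinstance(container, dict):
        img = container.get("image")
        return img if isinstance(img, str) else None
    if isinstance(container, str):
        return named.get(container, container)
    return None


def iter_jobs(pipeline: Dict[str, Any]) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (path, job) for top-level jobs[] and for stages[].jobs[]."""
    for i, job in enumerate(pipeline.get("jobs") or []):
        if isinstance(job, dict):
            yield f"jobs[{i}]", job
    for s, stage in enumerate(pipeline.get("stages") or []):
        for j, job in enumerate((stage or {}).get("jobs") or []):
            if isinstance(job, dict):
                yield f"stages[{s}].jobs[{j}]", job


def find_images(pipeline: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (path, image) for every container image the pipeline would run in."""
    named = _resource_containers(pipeline)
    found: List[Tuple[str, str]] = []
    top = image_of(pipeline.get("container"), named)
    if top:
        found.append(("container", top))
    for path, job in iter_jobs(pipeline):
        img = image_of(job.get("container"), named)
        if img:
            found.append((f"{path}.container", img))
    return found


def is_approved(image: str, approved: Tuple[str, ...] = APPROVED_PREFIXES) -> bool:
    """Approve an image by matching its registry/repository prefix."""
    return image.startswith(approved)


def unapproved_images(pipeline: Dict[str, Any],
                      approved: Tuple[str, ...] = APPROVED_PREFIXES) -> List[Tuple[str, str]]:
    """Findings: (path, image) pairs whose image is not from an approved registry."""
    return [(p, img) for p, img in find_images(pipeline) if not is_approved(img, approved)]


if __name__ == "__main__":
    for path, img in unapproved_images(SAMPLE_PIPELINE):
        print(f"{path}: image {img} is not from an approved registry")
```

Resolving names through resources.containers matters in practice: a job that says `container: linter` carries no image string of its own, and a check that only looks at the literal value would miss the docker.io image behind it. Prefix matching on the registry is the coarse approval step; the remediation's integrity point is normally covered by additionally requiring a digest (`@sha256:...`) on each reference.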
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0818 |
| Severity | MEDIUM |
| IaC Type | Azure Pipelines |
| Frameworks | *.container[], jobs[], stages[].jobs[] |
| Checkov ID | CKV_AZUREPIPELINES_5 |