Ensure unversioned volatile orbs are not used.
Description
This policy checks for the usage of unversioned volatile orbs in CircleCI pipelines. Volatile orbs can introduce security risks as they can change without notice, potentially breaking the build or introducing vulnerabilities. It's essential to use versioned orbs to ensure the stability and security of the pipeline. By using versioned orbs, you can ensure that any changes to the orb are explicitly approved and tested, reducing the risk of unexpected behavior or security issues.
Code Example
```yaml
orbs:
  # reference the orb at an explicit release rather than a floating tag;
  # <orb-name> and <x.y.z> are placeholders for the orb and its pinned version
  my-orb: circleci/<orb-name>@<x.y.z>
```
Remediation
To fix this issue, update the orb to use a specific version instead of relying on the volatile version. This can be done by specifying the version number in the orb reference.
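The check described above and the remediation it calls for, as an added example that is not part of the policy page or of Checkov's own implementation. It assumes the CircleCI config has already been loaded with a YAML loader into a dict, and it treats a reference with no `@version` at all, or with a `dev:` tag, as unpinned, which goes slightly beyond the `volatile` case the policy names; the sample configs are constructed.

```python
"""Flag CircleCI orb references that are not pinned to an explicit version.

Assumes `config` is the result of yaml.safe_load() on .circleci/config.yml.
"""
import re
from typing import Dict, List, Union

# `orbs:` maps an alias to either a reference string (remote orb) or a mapping
# (inline orb defined in the same file, which has no remote version to pin).
OrbsMap = Dict[str, Union[str, dict]]

# namespace/orb@version where version is an explicit numeric pin (x, x.y or x.y.z).
# `volatile`, `dev:*` and a missing `@version` all fail this pattern on purpose
# (assumption: partial pins such as `@1.2` are accepted as explicit).
PINNED_REF = re.compile(r"^[\w-]+/[\w-]+@\d+(\.\d+){0,2}$")


def find_unpinned_orbs(orbs: OrbsMap) -> List[str]:
    """Return the aliases of remote orbs whose reference is not an explicit pin."""
    findings = []
    for alias, ref in orbs.items():
        if not isinstance(ref, str):
            continue  # inline orb definition: nothing remote to version
        if not PINNED_REF.match(ref.strip()):
            findings.append(alias)
    return findings


def check_config(config: dict) -> bool:
    """True when every remote orb in config['orbs'] is pinned, False otherwise."""
    return not find_unpinned_orbs(config.get("orbs") or {})


# Constructed sample configs (hypothetical orb names, not taken from the page).
FAILING_CONFIG = {
    "version": 2.1,
    "orbs": {
        "node": "circleci/node@volatile",     # floating tag: resolves to whatever is newest
        "aws": "circleci/aws-cli",            # no version at all
        "slack": "circleci/slack@dev:alpha",  # dev tag: mutable, republishable
        "tools": "circleci/my-orb@1.2.3",     # explicit pin: fine
        "inline": {"commands": {}},           # inline orb: skipped
    },
}

PASSING_CONFIG = {
    "version": 2.1,
    "orbs": {
        "node": "circleci/node@5.1.0",
        "aws": "circleci/aws-cli@4.1",
        "inline": {"commands": {}},
    },
}

if __name__ == "__main__":
    print("failing config unpinned orbs:", find_unpinned_orbs(FAILING_CONFIG["orbs"]))
    print("passing config ok:", check_config(PASSING_CONFIG))
```

Run it against a real pipeline by replacing the constructed dicts with `yaml.safe_load(open(".circleci/config.yml"))`; pinning every reference to an explicit version is what turns a failing result into a passing one.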
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0825 |
| Severity | MEDIUM |
| IaC Type | circleci_pipelines |
| Frameworks | orbs. |
| Checkov ID | CKV_CIRCLECIPIPELINES_4 |