CircleCI Unversioned Orb

Ensure CircleCI workflows do not use unversioned Orbs such as @volatile or @dev.

When the @volatile version is used, whatever version of the Orb was published most recently is pulled in, while a @dev version can be published by anyone in the organization that owns the Orb. To ensure deterministic pipeline execution and minimize the risk of including a malicious Orb, it is recommended to pin a specific version of the Orb instead.


Insecure Example

version: 2.1

orbs:
  node: circleci/node@dev
  cli: circleci/circleci-cli@volatile

Secure Example

version: 2.1

orbs:
  node: circleci/node@5.1.0
  cli: circleci/circleci-cli@0.1.9
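The following is an added example, not code from the original page or from any scanner: a small checker that extracts the top-level `orbs:` mapping from a CircleCI config and reports every Orb reference that is not pinned to an exact x.y.z release. It goes slightly beyond the page by also flagging partial pins such as `@1` or `@1.2`, which CircleCI resolves to the latest matching release. The config text, Orb aliases and `myorg/tools` name are constructed; the line-based extraction is a deliberate simplification, not a full YAML parser.

```python
import re
from typing import List, Tuple

# Constructed sample config mixing pinned, dev, volatile and partially pinned Orbs.
CONFIG = """version: 2.1

orbs:
  node: circleci/node@dev
  cli: circleci/circleci-cli@volatile
  aws: circleci/aws-cli@3.1.4
  lint: circleci/node@dev:alpha
  custom: myorg/tools@1

workflows:
  build:
    jobs:
      - node/test
"""

ORB_REF = re.compile(r"^(?P<ns>[\w-]+)/(?P<name>[\w-]+)@(?P<version>.+)$")
PINNED = re.compile(r"^\d+\.\d+\.\d+$")  # only a full x.y.z release is deterministic


def classify_orb_version(ref: str) -> str:
    """Return 'pinned', 'volatile', 'dev', 'floating' (@1 or @1.2) or 'invalid'."""
    m = ORB_REF.match(ref.strip())
    if not m:
        return "invalid"
    version = m.group("version")
    if version == "volatile":
        return "volatile"
    if version == "dev" or version.startswith("dev:"):
        return "dev"
    return "pinned" if PINNED.match(version) else "floating"


def extract_orbs(config_text: str) -> List[Tuple[str, str]]:
    """Line-based read of the top-level `orbs:` block as (alias, reference) pairs.
    Simplified on purpose: inline orb definitions and other YAML forms are ignored."""
    orbs, in_block = [], False
    for line in config_text.splitlines():
        stripped = line.strip()
        if not in_block:
            in_block = stripped == "orbs:"
            continue
        if not stripped or stripped.startswith("#"):
            continue
        if not line.startswith(" "):  # next top-level key ends the orbs block
            break
        alias, _, ref = stripped.partition(":")
        if ref.strip():
            orbs.append((alias.strip(), ref.strip()))
    return orbs


def find_unpinned_orbs(config_text: str) -> List[Tuple[str, str, str]]:
    """Report (alias, reference, kind) for every Orb that is not an exact release."""
    findings = []
    for alias, ref in extract_orbs(config_text):
        kind = classify_orb_version(ref)
        if kind != "pinned":
            findings.append((alias, ref, kind))
    return findings
```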