CircleCI Unversioned Orb
Ensure CircleCI workflows do not use unversioned Orbs such as @volatile or @dev.
When the @volatile version is used, the latest published version of the Orb is resolved on every run, so a new Orb release changes what the pipeline executes without any change to the workflow config. The @dev version can be published (and re-published) by anyone in the organization that owns the Orb. To ensure deterministic pipeline execution and minimize the risk of pulling in a malicious or unexpected Orb, pin a specific version of the Orb instead.
Examples
Insecure Example
```yaml
version: 2.1
orbs:
  node: circleci/node@dev
  cli: circleci/circleci-cli@volatile
```
Secure Example
```yaml
version: 2.1
orbs:
  node: circleci/node@5.1.0
  cli: circleci/circleci-cli@0.1.9
```
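The following is an added example, not code from the original page or from CircleCI, showing how the check described above can be applied to a `.circleci/config.yml`. It goes slightly beyond the page's two cases: besides `@volatile` and `@dev` / `@dev:<tag>` references, it also flags partially pinned versions such as `@1` or `@1.2`, which CircleCI resolves to the newest matching release and therefore float the same way. The orbs block is read with a small line-based parser so the script has no dependencies; the sample config, the alias names and the `Finding` type are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample config (not from any real repository): it mixes floating
# and pinned orb references so every branch of the check is exercised.
SAMPLE_CONFIG = """\
version: 2.1
orbs:
  node: circleci/node@dev:alpha
  cli: circleci/circleci-cli@volatile
  python: circleci/python@1
  aws: circleci/aws-cli@3.1.4
workflows:
  build:
    jobs:
      - node/test
"""

# An orb entry under the top-level orbs: key looks like
#   <alias>: <namespace>/<orb-name>@<version>
ORB_REF = re.compile(
    r"^\s{2,}(?P<alias>[\w-]+):\s*(?P<ns>[\w-]+)/(?P<name>[\w-]+)@(?P<ver>\S+)\s*$"
)
# Only a full major.minor.patch pin resolves to exactly one published orb.
FULLY_PINNED = re.compile(r"^\d+\.\d+\.\d+$")


@dataclass
class Finding:
    alias: str
    ref: str
    reason: str


def orb_refs(config_text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (alias, namespace/name, version) for each entry under orbs:."""
    in_orbs = False
    for line in config_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        # A non-indented line starts a new top-level key; track whether it is orbs:.
        if not line.startswith((" ", "\t")):
            in_orbs = line.rstrip() == "orbs:"
            continue
        if in_orbs:
            m = ORB_REF.match(line)
            if m:  # inline orb definitions have no '@' and are skipped
                yield m.group("alias"), f"{m.group('ns')}/{m.group('name')}", m.group("ver")


def classify(version: str) -> Optional[str]:
    """Return why a version reference is unsafe, or None if it is fully pinned."""
    if version == "volatile":
        return "@volatile resolves to the newest published version on every run"
    if version == "dev" or version.startswith("dev:"):
        return "@dev versions can be re-published by any member of the owning org"
    if not FULLY_PINNED.match(version):
        return "partial version floats to the newest matching release"
    return None


def check_config(config_text: str) -> List[Finding]:
    """Return one Finding per orb reference that is not pinned to an exact version."""
    findings = []
    for alias, orb, ver in orb_refs(config_text):
        reason = classify(ver)
        if reason:
            findings.append(Finding(alias, f"{orb}@{ver}", reason))
    return findings


if __name__ == "__main__":
    for f in check_config(SAMPLE_CONFIG):
        print(f"{f.alias}: {f.ref} -> {f.reason}")
```

Run against the sample config the script reports `node`, `cli` and `python` and accepts `aws`, which is pinned to `3.1.4`. Because the parser is line-based it only understands the common `alias: namespace/name@version` layout; configs that use YAML anchors or flow mappings for the orbs block should be checked with a real YAML loader instead.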