
Semgrep yaml rules


pipeline_generic_npm_unpinned

Summary:

Install of unpinned npm package in CI/CD pipeline.

Severity: High

CWE: CWE-829

Description:

At least one unpinned npm dependency is installed by the CI/CD pipeline script. Every time the pipeline runs, whatever version of the dependency is current at that moment is installed, so a new and potentially unsafe or malicious release (for example one published from a compromised maintainer account) is pulled in without any change to the repository.

The following instruction is considered unsafe: $VALUE

Remediation:

Ensure that the installed dependency is required for the CI/CD pipeline execution. If it is required, modify your CI/CD script so that every installed dependency has its version pinned to an exact release (for example `name@1.2.3`, not a range such as `^1.2` or a dist-tag such as `latest`), or install from a committed lockfile with `npm ci`.

OWASP:

  • A08:2021-Software and Data Integrity Failures

pipeline_generic_pip_unpinned

Summary:

Install of unpinned pip package in CI/CD pipeline.

Severity: High

CWE: CWE-829

Description:

At least one unpinned pip dependency is installed by the CI/CD pipeline script. Every time the pipeline runs, whatever version of the dependency is current at that moment is installed, so a new and potentially unsafe or malicious release is pulled in without any change to the repository.

The following instruction is considered unsafe: $VALUE

Remediation:

Ensure that the installed dependency is required for the CI/CD pipeline execution. If it is required, modify your CI/CD script so that every installed dependency has its version pinned to an exact release (for example `name==1.2.3`, not `name>=1.2` or `name~=1.2`); for integrity of the pinned artifact itself, install from a requirements file that carries hashes with `pip install --require-hashes -r requirements.txt`.

OWASP:

  • A08:2021-Software and Data Integrity Failures
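The two rules above flag the install command, but a pipeline can also refuse to run an unpinned install in the first place. The following shell snippet is an added example for both the npm and the pip rule; it is not part of the rule set or of any project the rules target. The function names (`npm_spec_is_pinned`, `pip_spec_is_pinned`, `check_specs`, `guarded_install`) are this example's own, and the specs it checks are constructed inputs.

```shell
#!/bin/sh
# Added example, not part of the rule set: a guard for CI jobs that refuses to
# run `npm install` / `pip install` unless every package spec is pinned to an
# exact version. All function names here are this example's own.
set -u

# Exact npm pin: [@scope/]name@MAJOR.MINOR.PATCH[-prerelease][+build].
# Bare names, ranges (^1.2, ~1.2, >=1, 4.17), dist-tags (latest, next) and
# git or tarball specs all fail the check and are treated as unpinned.
npm_spec_is_pinned() {
  re='^(@[A-Za-z0-9._-]+/)?[A-Za-z0-9._-]+@[0-9]+\.[0-9]+\.[0-9]+([-+][0-9A-Za-z.-]+)?$'
  printf '%s\n' "$1" | grep -Eq "$re"
}

# Exact pip pin: name[extras]==VERSION. Wildcards ("==2.*"), ">=", "~=" and
# bare names fail. Environment markers ("; python_version ...") are not handled.
pip_spec_is_pinned() {
  re='^[A-Za-z0-9][A-Za-z0-9._-]*(\[[A-Za-z0-9_,. -]+])?==[0-9][0-9A-Za-z.!+-]*$'
  printf '%s\n' "$1" | grep -Eq "$re"
}

# check_specs TOOL SPEC... : exit 0 when all specs are pinned, 1 otherwise
# (listing the offenders on stderr), 2 for an unknown tool.
check_specs() {
  tool="$1"; shift
  bad=""
  for spec in "$@"; do
    case "$tool" in
      npm) npm_spec_is_pinned "$spec" || bad="$bad $spec" ;;
      pip) pip_spec_is_pinned "$spec" || bad="$bad $spec" ;;
      *)   echo "check_specs: unknown tool '$tool'" >&2; return 2 ;;
    esac
  done
  if [ -n "$bad" ]; then
    echo "refusing to install unpinned $tool spec(s):$bad" >&2
    return 1
  fi
  return 0
}

# guarded_install TOOL SPEC... : validate first, then install. A version pin
# stops silent drift to a newer release; for integrity of the pinned artifact
# itself prefer `npm ci` with a committed package-lock.json, or
# `pip install --require-hashes -r requirements.txt`.
guarded_install() {
  check_specs "$@" || return $?
  tool="$1"; shift
  case "$tool" in
    npm) npm install --no-save "$@" ;;
    pip) pip install "$@" ;;
  esac
}
```

Source the file in the job and replace `npm install left-pad` with `guarded_install npm left-pad@1.3.0`; the job then fails at the check rather than installing whatever the registry currently serves. The regexes are deliberately conservative: anything that is not an exact version is rejected, so git URLs and tarballs must go through a lockfile instead.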

pipeline_generic_script_unpinned

Summary:

Execution of unpinned remote script in CI/CD pipeline.

Severity: High

CWE: CWE-829

Description:

At least one shell script fetched from a remote location is executed by the CI/CD pipeline script without being pinned. Every time the pipeline runs, whatever the remote URL serves at that moment is executed, so a changed and potentially unsafe or malicious version of the script (for example after a compromise of the hosting account or a force-pushed branch) runs with the pipeline's privileges.

The following instruction is considered unsafe: $VALUE

Remediation:

Ensure that any script fetched from an external source in a CI/CD pipeline script is pinned to a specific, trusted version (for example a URL that references an immutable commit hash rather than a branch name or a movable tag) and that its content is verified against a known checksum before it is executed. Do not pipe the download directly into a shell, since the content can only be checked once the complete file is on disk.

OWASP:

  • A08:2021-Software and Data Integrity Failures
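As an added example for the remediation above (not part of the rule set or of any project the rule targets), the following shell snippet replaces a `curl ... | sh` step with a download-to-disk, verify-digest, then-execute sequence. The function names (`sha256_of`, `verify_and_run`, `run_pinned_script`), the placeholder URL `https://example.invalid/install.sh` and the installer script used to exercise the check are all this example's own constructions.

```shell
#!/bin/sh
# Added example, not part of the rule set: run a remote script only after its
# SHA-256 digest matches the value pinned in the pipeline. Function names and
# the example URL are hypothetical.
set -u

# Portable digest helper: GNU coreutils ships sha256sum, macOS/BSD ship shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d ' ' -f 1
  else
    shasum -a 256 "$1" | cut -d ' ' -f 1
  fi
}

# verify_and_run FILE EXPECTED_SHA256 [ARGS...]
# Exits 1 on digest mismatch without executing anything; otherwise runs the
# file with sh and returns the script's own exit status.
verify_and_run() {
  file="$1"; expected="$2"; shift 2
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "digest mismatch for $file: expected $expected, got $actual" >&2
    return 1
  fi
  sh "$file" "$@"
}

# run_pinned_script URL EXPECTED_SHA256 [ARGS...]
# URL should itself be immutable (a full commit hash in the path, not a branch
# or tag). The download goes to a temp file first: piping the stream into sh
# would execute it before the digest could be checked.
run_pinned_script() {
  url="$1"; expected="$2"; shift 2
  tmp=$(mktemp) || return 1
  if ! curl -fsSL --retry 3 -o "$tmp" "$url"; then
    echo "download failed: $url" >&2
    rm -f "$tmp"
    return 1
  fi
  verify_and_run "$tmp" "$expected" "$@"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Usage in a job, with the digest recorded in the repository next to the URL:
#   run_pinned_script \
#     https://example.invalid/install.sh \
#     "$PINNED_INSTALL_SH_SHA256" --prefix "$CI_PROJECT_DIR/tools"
```

Record the digest by downloading the script once, reviewing it, and committing `sha256_of` of the reviewed file alongside the pipeline definition; an update to the script then shows up as a reviewable change to the pinned digest rather than as a silent change in what the pipeline executes.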