2.3.7 Ensure pipelines are automatically scanned for vulnerabilities

ID

cis_sscs/pipeline_scan_vuln

Severity

low

Category

build_pipelines/pipeline_instructions

Levels

Optional

true

Tags

sca, security, slsa-4, supply-chain

Description

Scan for vulnerabilities in build pipelines. It is recommended to use an automated tool for detecting known vulnerabilities.

The vulnerability scanners to be considered may be configured for this checkpoint.

Rationale

Automatic scanning for vulnerabilities detects known vulnerabilities in pipeline instructions and components, allowing faster patching when one is found. If not handled as quickly as possible, these vulnerabilities can lead to a potentially massive breach, as attackers might also be aware of them.

Verification

For each pipeline, verify that it is automatically scanned for vulnerabilities.

Remediation

For each pipeline, set automated vulnerability scanning.