Azure/PSRule.Rules.Azure

[RULE] Image builder external scripts should compare hash

Opened this issue · 0 comments

Existing rule

No response

Suggested rule

When running remote scripts in a build process, the remote script could be maliciously modified to execute unintended code. This is a supply chain threat. We should compare SHA hashes during the image build process for any external scripts.

The Microsoft.VirtualMachineImages/imageTemplates resource allows external scripts to be set:

  • During customization, properties.customize:
    • If type is File and sourceUri is set then sha256Checksum should be set.
    • If type is PowerShell and scriptUri is set then sha256Checksum should be set.
    • If type is Shell and scriptUri is set then sha256Checksum should be set.
  • During validate, properties.validate.inVMValidations:
    • If type is PowerShell and scriptUri is set then sha256Checksum should be set.
    • If type is Shell and scriptUri is set then sha256Checksum should be set.

If an inline script is used, we don't need to validate the SHA hash. We should not fail if no external scripts are used.
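An added illustration of the proposed check, written for this issue and not part of PSRule.Rules.Azure: a Python function that walks the properties.customize and properties.validate.inVMValidations entries of an imageTemplates resource and reports every step that fetches a remote file or script without a sha256Checksum. Inline steps and templates with no external scripts pass, as the proposal asks. The resource, step names and URLs are constructed for the example, and the shape check on the checksum value (64 hex characters) goes slightly beyond the proposal, which only asks that the property be set. A small helper shows how to compute the pin from the reviewed script bytes.

```python
import copy
import hashlib
import re

# Step types that fetch remote content, and the property carrying the URL
# (taken from the rule proposal above).
CUSTOMIZE_URI_KEYS = {"File": "sourceUri", "PowerShell": "scriptUri", "Shell": "scriptUri"}
VALIDATE_URI_KEYS = {"PowerShell": "scriptUri", "Shell": "scriptUri"}

# A SHA-256 digest rendered as hex is exactly 64 hex characters. Checking the shape of
# the value is an addition to the proposal, which only asks that it be set.
SHA256_HEX = re.compile(r"^[0-9a-fA-F]{64}$")


def _unpinned_steps(steps, uri_keys, path):
    """Return one finding for every step under `path` that downloads without a valid pin."""
    findings = []
    for i, step in enumerate(steps or []):
        uri_key = uri_keys.get(step.get("type"))
        if uri_key is None or not step.get(uri_key):
            continue  # inline script, or a step type that fetches nothing: nothing to pin
        checksum = step.get("sha256Checksum")
        where = f"{path}[{i}] ({step.get('name', step['type'])})"
        if not checksum:
            findings.append(f"{where} fetches {step[uri_key]} without sha256Checksum")
        elif not SHA256_HEX.match(checksum):
            findings.append(f"{where} has a malformed sha256Checksum: {checksum!r}")
    return findings


def find_unpinned_scripts(resource):
    """All customize/validate steps of an imageTemplates resource that lack a checksum pin."""
    props = resource.get("properties") or {}
    findings = _unpinned_steps(props.get("customize"), CUSTOMIZE_URI_KEYS, "properties.customize")
    validate = props.get("validate") or {}
    findings += _unpinned_steps(validate.get("inVMValidations"), VALIDATE_URI_KEYS,
                                "properties.validate.inVMValidations")
    return findings


def template_passes(resource):
    """True when every remote script/file is pinned, or when none are used at all."""
    return not find_unpinned_scripts(resource)


def pin_checksum(step, script_bytes):
    """Copy of `step` with sha256Checksum set to the digest of the reviewed script bytes."""
    pinned = copy.deepcopy(step)
    pinned["sha256Checksum"] = hashlib.sha256(script_bytes).hexdigest()
    return pinned


# Constructed sample resource: names, URLs and the checksum value are made up for this example.
SAMPLE_TEMPLATE = {
    "type": "Microsoft.VirtualMachineImages/imageTemplates",
    "name": "example-image",
    "properties": {
        "customize": [
            {"type": "File", "name": "fetch-config",           # external, no pin -> finding
             "sourceUri": "https://example.invalid/config.json", "destination": "/tmp/config.json"},
            {"type": "PowerShell", "name": "install-tools",    # external, pinned -> ok
             "scriptUri": "https://example.invalid/install.ps1",
             "sha256Checksum": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
            {"type": "Shell", "name": "inline-step",           # inline -> not checked
             "inline": ["echo hello"]},
        ],
        "validate": {
            "inVMValidations": [
                {"type": "Shell", "name": "smoke-test",        # external, no pin -> finding
                 "scriptUri": "https://example.invalid/check.sh"},
            ]
        },
    },
}

if __name__ == "__main__":
    for finding in find_unpinned_scripts(SAMPLE_TEMPLATE):
        print("FAIL:", finding)
    print("pass" if template_passes(SAMPLE_TEMPLATE) else "fail")
```

Run against the sample, the check reports the File customizer and the Shell validation step and leaves the pinned PowerShell step and the inline step alone; a resource with no customize or validate section passes.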

Pillar

Security

Additional context