[RULE] Image builder external scripts should compare hash #2903
Labels
pillar: security
Aligned to the Security pillar.
rule: azure-image-builder
Rules for Azure Image Builder
Existing rule
No response
Suggested rule
When running remote scripts in a build process, the remote script could be maliciously modified to execute unintended code. This is a supply chain threat. We should compare SHA hashes during the image build process for any external scripts.
The `Microsoft.VirtualMachineImages/imageTemplates` resource allows external scripts to be set:

- `properties.customize`:
  - If `type` is `File` and `sourceUri` is set, then `sha256Checksum` should be set.
  - If `type` is `PowerShell` and `scriptUri` is set, then `sha256Checksum` should be set.
  - If `type` is `Shell` and `scriptUri` is set, then `sha256Checksum` should be set.
- `properties.validate.inVMValidations`:
  - If `type` is `PowerShell` and `scriptUri` is set, then `sha256Checksum` should be set.
  - If `type` is `Shell` and `scriptUri` is set, then `sha256Checksum` should be set.

If an inline script is used, we don't need to validate the SHA hash. We should not fail if no external scripts are used.
Pillar
Security
Additional context