Legit Security / Legit Pipeline Scanning failed May 15, 2024 in 6s

5 pipeline issues detected in this pull request

Pipeline issues were detected in this pull request, either in the latest commit or in earlier commits belonging to this pull request.
Legit Pipeline Scanning is a scanner by Legit that inspects pipeline automation, CI/CD and config-as-code files and finds risky behaviors and patterns that expose the organization to supply-chain attacks, data leakage or reliability issues.

Pipeline finding examples

  1. Using a mutable image - a job references an image by a mutable tag, so the image can be changed under you and is susceptible to supply-chain attacks. Any new change to the image is executed automatically and can let a malicious actor take over the pipeline. To reference the remote job safely, pin it by commit SHA.

  2. Downloading an external resource without verification - a build action downloads an external resource, which might be susceptible to supply-chain attacks. Third-party binaries that are downloaded should be verified against the checksum published upstream to make sure they were not tampered with. If no checksum is published, it is strongly recommended that you consume a static binary from your own registry instead.

Ignoring a finding

Ignoring a specific alert

If a specific finding is irrelevant, add the instance identifier provided in the annotation to a .legitignore file at the root directory of your repository. The instance identifier refers to one specific occurrence of the finding, so any other occurrences are still reported.
Alternatively, you can add a comment at the end of the relevant line:

legit:ignore-pipeline will prevent the pipeline scanner from scanning this line

curl -fsSL https://example.com/myfile.sh | bash # legit:ignore-pipeline

legit:ignore will prevent all scanners from scanning this line, in case you’re using another scanner such as Legit Secret Scanning

curl -fsSL https://example.com/myfile.sh | bash # legit:ignore

Ignoring a pipeline finding value

If you decide that the value is irrelevant or incorrect for the whole repository, add the value identifier provided in the annotation of the finding to .legitignore.

Ignoring alerts from a specific path

You can also ignore all pipeline findings under a given path by adding a glob pattern to .legitignore.

.legitignore examples

value_image_ubuntu:latest  # The value ubuntu:latest for images will be ignored throughout the repository

value_url_https://google.com  # The value https://google.com for URLS will be ignored throughout the repository

instance_26229E2D5F8C5B061587C1628F5608E9  # This specific instance of the pipeline finding will be ignored

tests/**  # Ignore everything in the tests directory

other/tests/**:pipeline  # Ignore all pipeline findings in the other/tests directory

config/test_config.json  # Ignore pipeline findings in a specific file
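The following is an added example written for this page, not Legit's scanner code. It shows the two mechanisms the text describes: flagging a uses: reference in a GitHub Actions workflow that is not pinned to a full commit SHA (or, for a container image, a sha256 digest), and then applying .legitignore entries of the kinds listed above (value identifiers, instance identifiers, path globs, and path globs restricted to pipeline findings) to suppress findings. The workflow text, the .legitignore content and the 40-zero placeholder SHA are constructed; the value identifier of a reference is assumed to be "value_image_" followed by the reference, as in the annotations on this page; and the instance identifier is derived with the example's own hashing scheme, since Legit's real identifier scheme is not described here.

```python
"""Flag unpinned `uses:` references in a GitHub Actions workflow and apply
.legitignore-style suppressions. Added example; not Legit's scanner code."""
from __future__ import annotations

import fnmatch
import hashlib
import re
from dataclasses import dataclass

# `- uses: owner/repo@ref` (optionally quoted); stop at whitespace or a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"@[0-9a-f]{40}$")          # action pinned to a commit
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")     # container pinned to a digest


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    value: str          # the raw `uses:` reference
    instance_id: str    # 32-hex id for this one occurrence


def instance_id(file: str, line: int, value: str) -> str:
    # ASSUMPTION: Legit's real identifier scheme is not published on the page;
    # this derives a stable 32-hex id from file, line and value for the demo.
    return hashlib.md5(f"{file}:{line}:{value}".encode()).hexdigest().upper()


def is_pinned(ref: str) -> bool:
    """True when the reference cannot change silently: a local action in this
    repository, a full 40-hex commit SHA, or a container image by sha256 digest."""
    if ref.startswith("./"):
        return True
    if ref.startswith("docker://"):
        return bool(DIGEST_RE.search(ref))
    return bool(FULL_SHA_RE.search(ref))


def find_mutable_refs(file: str, text: str) -> list[Finding]:
    """One Finding per `uses:` line whose reference is a mutable tag/branch."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(raw)
        if m and not is_pinned(m.group(1)):
            ref = m.group(1)
            findings.append(Finding(file, lineno, ref, instance_id(file, lineno, ref)))
    return findings


def parse_legitignore(text: str) -> dict:
    """Split .legitignore lines into the entry kinds described on the page."""
    rules = {"values": set(), "instances": set(), "paths_all": [], "paths_pipeline": []}
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not entry:
            continue
        if entry.startswith("value_"):
            rules["values"].add(entry)
        elif entry.startswith("instance_"):
            rules["instances"].add(entry)
        elif entry.endswith(":pipeline"):         # glob limited to pipeline findings
            rules["paths_pipeline"].append(entry[: -len(":pipeline")])
        else:                                     # glob that ignores every scanner
            rules["paths_all"].append(entry)
    return rules


def is_ignored(f: Finding, rules: dict) -> bool:
    if f"value_image_{f.value}" in rules["values"]:
        return True
    if f"instance_{f.instance_id}" in rules["instances"]:
        return True
    # Both glob kinds cover pipeline findings; only the ":pipeline" form is scoped.
    globs = rules["paths_all"] + rules["paths_pipeline"]
    return any(fnmatch.fnmatch(f.file, g) for g in globs)


def scan(file: str, text: str, legitignore: str = "") -> list[Finding]:
    """Mutable-reference findings that survive the .legitignore rules."""
    rules = parse_legitignore(legitignore)
    return [f for f in find_mutable_refs(file, text) if not is_ignored(f, rules)]


# Constructed sample input, modelled on the workflow named in the annotations.
WORKFLOW_PATH = ".github/workflows/jekyll-gh-pages.yml"
WORKFLOW_TEXT = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/configure-pages@v5
      - uses: ./.github/actions/local-step
      - uses: docker://ubuntu:latest
      - uses: actions/jekyll-build-pages@0000000000000000000000000000000000000000  # placeholder SHA
"""
LEGITIGNORE_TEXT = """\
value_image_actions/checkout@v4  # accepted for the whole repository
tests/**
"""

if __name__ == "__main__":
    for f in scan(WORKFLOW_PATH, WORKFLOW_TEXT, LEGITIGNORE_TEXT):
        print(f"{f.file}:{f.line}: mutable reference {f.value} (instance_{f.instance_id})")
```

Run as-is, the checker reports two of the three mutable references: the checkout@v4 value is suppressed repository-wide by the value entry, while configure-pages@v5 and docker://ubuntu:latest remain, and the local action and the SHA-pinned step never produce a finding. Moving the same workflow under tests/ suppresses everything through the path glob.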

Annotations

Check failure on line 22 in .github/workflows/jekyll-gh-pages.yml


@legit-security legit-security / Legit Pipeline Scanning

.github/workflows/jekyll-gh-pages.yml#L22

Using external mutable image pipeline issue was found

Instance identifier: instance_17C7733AE9D25D7FF837B479D9DF08FC # type: pipeline, file: .github/workflows/jekyll-gh-pages.yml, line: 22
Value identifier: value_image_actions/checkout@v4 # type: pipeline

Check failure on line 24 in .github/workflows/jekyll-gh-pages.yml


.github/workflows/jekyll-gh-pages.yml#L24

Using external mutable image pipeline issue was found

Instance identifier: instance_F284FE4566FE5515FE961FEC9C056AA7 # type: pipeline, file: .github/workflows/jekyll-gh-pages.yml, line: 24
Value identifier: value_image_actions/configure-pages@v5 # type: pipeline

Check failure on line 26 in .github/workflows/jekyll-gh-pages.yml


.github/workflows/jekyll-gh-pages.yml#L26

Using external mutable image pipeline issue was found

Instance identifier: instance_1410012343BC7EBEEE17071B1130BB70 # type: pipeline, file: .github/workflows/jekyll-gh-pages.yml, line: 26
Value identifier: value_image_actions/jekyll-build-pages@v1 # type: pipeline

Check failure on line 31 in .github/workflows/jekyll-gh-pages.yml


.github/workflows/jekyll-gh-pages.yml#L31

Using external mutable image pipeline issue was found

Instance identifier: instance_84A236FF5DA510E134FBBFA143342414 # type: pipeline, file: .github/workflows/jekyll-gh-pages.yml, line: 31
Value identifier: value_image_actions/upload-pages-artifact@v3 # type: pipeline

Check failure on line 42 in .github/workflows/jekyll-gh-pages.yml


.github/workflows/jekyll-gh-pages.yml#L42

Using external mutable image pipeline issue was found

Instance identifier: instance_F351F58A0D156328E71F4C48D8992EF0 # type: pipeline, file: .github/workflows/jekyll-gh-pages.yml, line: 42
Value identifier: value_image_actions/deploy-pages@v4 # type: pipeline