[RULE] Image builder external scripts should compare hash
BernieWhite commented
Existing rule
No response
Suggested rule
When running remote scripts in a build process, the remote script could be maliciously modified to execute unintended code. This is a supply chain threat. We should compare SHA hashes during the image build process for any external scripts.
The `Microsoft.VirtualMachineImages/imageTemplates` resource allows external scripts to be set:

- During customization, `properties.customize`:
  - If `type` is `File` and `sourceUri` is set then `sha256Checksum` should be set.
  - If `type` is `PowerShell` and `scriptUri` is set then `sha256Checksum` should be set.
  - If `type` is `Shell` and `scriptUri` is set then `sha256Checksum` should be set.
- During validate, `properties.validate.inVMValidations`:
  - If `type` is `PowerShell` and `scriptUri` is set then `sha256Checksum` should be set.
  - If `type` is `Shell` and `scriptUri` is set then `sha256Checksum` should be set.
If an inline script is used, we don't need to validate the SHA hash. We should not fail if no external scripts are used.
Pillar
Security
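The following is an added illustration of the suggested rule, not code from the issue author or from the PSRule for Azure project. It walks the `customize` and `validate.inVMValidations` arrays of a parsed `Microsoft.VirtualMachineImages/imageTemplates` resource exactly as the issue describes (remote `File`/`PowerShell`/`Shell` steps must carry `sha256Checksum`; inline steps and templates with no external scripts pass), and shows how to compute the checksum value to pin. The template contents, URLs and script body are constructed for the example; `check_image_template` and `expected_checksum` are hypothetical helper names.

```python
"""Flag Azure Image Builder steps that fetch remote scripts without a pinned SHA-256."""
import hashlib
import json

# Property that carries the remote URI for each step type, as listed in the issue.
# 'File' is only a customizer type; validators are PowerShell and Shell only.
CUSTOMIZE_URI_PROPERTY = {"File": "sourceUri", "PowerShell": "scriptUri", "Shell": "scriptUri"}
VALIDATE_URI_PROPERTY = {"PowerShell": "scriptUri", "Shell": "scriptUri"}


def _find_unhashed(steps, uri_by_type, path):
    """Return a finding for each step that downloads content without a sha256Checksum."""
    findings = []
    for i, step in enumerate(steps or []):
        uri_prop = uri_by_type.get(step.get("type"))
        if uri_prop is None:
            continue  # other step types (e.g. WindowsRestart) are out of scope
        uri = step.get(uri_prop)
        if not uri:
            continue  # inline script, nothing is fetched so nothing to hash
        if not step.get("sha256Checksum"):
            findings.append(f"{path}[{i}] ({step['type']}) fetches {uri} without sha256Checksum")
    return findings


def check_image_template(resource):
    """Evaluate one imageTemplates resource; an empty list means the rule passes.

    A template with only inline steps, or no customize/validate steps at all,
    passes: the rule is only about content pulled from a remote URI.
    """
    props = resource.get("properties", {})
    findings = _find_unhashed(props.get("customize"), CUSTOMIZE_URI_PROPERTY, "properties.customize")
    validations = props.get("validate", {}).get("inVMValidations")
    findings += _find_unhashed(validations, VALIDATE_URI_PROPERTY, "properties.validate.inVMValidations")
    return findings


def expected_checksum(script_bytes):
    """SHA-256 hex digest of a script as downloaded; this is the value to put in sha256Checksum."""
    return hashlib.sha256(script_bytes).hexdigest()


# Constructed sample template: one inline step (fine), two remote customizers and one
# remote validator with no checksum (three findings). URLs are placeholders.
WEAK_TEMPLATE = {
    "type": "Microsoft.VirtualMachineImages/imageTemplates",
    "properties": {
        "customize": [
            {"type": "PowerShell", "name": "banner", "inline": ["Write-Host 'building'"]},
            {"type": "Shell", "name": "setup", "scriptUri": "https://example.invalid/setup.sh"},
            {"type": "File", "name": "cfg", "sourceUri": "https://example.invalid/app.conf",
             "destination": "/etc/app.conf"},
        ],
        "validate": {
            "inVMValidations": [
                {"type": "PowerShell", "name": "smoke", "scriptUri": "https://example.invalid/smoke.ps1"},
            ]
        },
    },
}

# Constructed script bodies standing in for what the URIs above would serve.
SETUP_SH = b"#!/bin/sh\nset -e\napt-get install -y nginx\n"
APP_CONF = b"listen = 8080\n"
SMOKE_PS1 = b"if (-not (Get-Service nginx)) { exit 1 }\n"

# Hardened copy: same steps, each remote fetch pinned to the hash of the reviewed content.
HARDENED_TEMPLATE = json.loads(json.dumps(WEAK_TEMPLATE))  # deep copy
_customize = HARDENED_TEMPLATE["properties"]["customize"]
_customize[1]["sha256Checksum"] = expected_checksum(SETUP_SH)
_customize[2]["sha256Checksum"] = expected_checksum(APP_CONF)
HARDENED_TEMPLATE["properties"]["validate"]["inVMValidations"][0]["sha256Checksum"] = expected_checksum(SMOKE_PS1)

if __name__ == "__main__":
    for name, tpl in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        result = check_image_template(tpl)
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for line in result:
            print("  -", line)
```

Running the block prints three findings for the weak template and a pass for the hardened one. Because `sha256Checksum` is compared by Image Builder at build time, the hash must be taken from the reviewed script content, not recomputed from whatever the URI currently serves, otherwise a tampered script would simply be pinned again.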