Secure your CI/CD, Secure your Azure Pipelines

Hello everyone,

A few months ago, we released 25 new rules designed to align GitHub Actions with the latest security best practices. The response has been fantastic: our telemetry shows a significant increase in resolved issues, which means your workflows are becoming more resilient every day.

Supply chain security is more critical than ever. As seen with the recent activity of the hackerbot-claw worm, attackers are increasingly targeting the CI/CD pipeline rather than the source code itself.

To help you stay ahead of these threats, we are excited to announce that Sonar now provides these same security insights for Azure Pipelines. We’ve launched 16 dedicated rules to help you secure your pipeline implementations, including:

  • Azure Pipelines should not be vulnerable to script injections
  • Azure Pipelines Task invocations should not be vulnerable to parameter injection attacks
  • Using external Azure Pipelines tasks without a pinned version is security-sensitive
  • Allowing shell scripts execution during package installation is security-sensitive

This is available now on SonarQube Cloud.

Alex
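An added illustration of the first and last rules in the list above (script injection, and shell scripts during package installation); it is a constructed Azure Pipelines YAML and not code from Sonar or from this post. The variable name `COMMIT_MESSAGE` and the job names are my own choice.

```yaml
# Constructed example: two jobs, one showing the pattern the
# script-injection rule flags and one showing the mitigation.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

jobs:
  - job: vulnerable
    steps:
      # Macro syntax $(...) is expanded by the agent BEFORE the shell
      # runs. Build.SourceVersionMessage is the commit message, i.e.
      # text controlled by whoever pushed the commit, so it lands
      # verbatim in the script and can change what the shell executes.
      - script: echo "Building commit: $(Build.SourceVersionMessage)"
        displayName: Unsafe interpolation of commit message

  - job: hardened
    steps:
      # Pass the untrusted value through an environment variable
      # instead. The shell then reads it as data rather than as
      # script text, and the double quotes stop word splitting.
      - bash: |
          set -euo pipefail
          echo "Building commit: ${COMMIT_MESSAGE}"
        displayName: Safe use of commit message via env
        env:
          COMMIT_MESSAGE: $(Build.SourceVersionMessage)

      # Install dependencies without running package lifecycle
      # scripts (the npm case of the "shell scripts during package
      # installation" rule); run tooling that needs them explicitly.
      - script: npm ci --ignore-scripts
        displayName: Install dependencies without lifecycle scripts
```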
