Prefetch Dependencies Task Package

This package verifies that the prefetch-dependencies task is invoked with appropriate parameters to ensure secure dependency fetching.

Package Name

  • prefetch_dependencies

Rules Included

Prefetch dependencies mode parameter check

Verify that the prefetch-dependencies task recorded in the PipelineRun attestation was not invoked with its mode parameter set to "permissive", which could compromise security.

Solution: Change the mode parameter of the prefetch-dependencies task from 'permissive' to a more secure value. The permissive mode may allow insecure dependency fetching practices.

  • Rule type: FAILURE

  • FAILURE message: Task 'prefetch-dependencies' was invoked with mode parameter set to 'permissive'

  • Code: prefetch_dependencies.mode_not_permissive

  • Source
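The check described above, written out as an added illustration rather than the package's own policy code (the real rule is a Rego policy evaluated against the PipelineRun's SLSA provenance). The attestation layout used here (predicate.buildConfig.tasks[] with ref.name and invocation.parameters) is an assumed, simplified shape; the sample attestation, the build_attestation helper and the task-matching choice are all constructed for the example.

```python
import json
from typing import Iterator, Optional

# Identifiers taken from the rule description on this page.
TASK_NAME = "prefetch-dependencies"
RULE_CODE = "prefetch_dependencies.mode_not_permissive"
FAILURE_MSG = "Task 'prefetch-dependencies' was invoked with mode parameter set to 'permissive'"


def build_attestation(mode: Optional[str]) -> str:
    """Constructed sample: a simplified SLSA-style provenance for a PipelineRun.

    Only the fields this check needs are present, and the field names are an
    assumption for the example, not the project's schema. When `mode` is None
    the task is recorded without a mode parameter at all.
    """
    params = {"input": "pip"}
    if mode is not None:
        params["mode"] = mode
    att = {
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "predicate": {
            "buildConfig": {
                "tasks": [
                    {
                        "name": "clone-repository",
                        "ref": {"name": "git-clone", "kind": "Task"},
                        "invocation": {"parameters": {"url": "https://example.invalid/repo.git"}},
                    },
                    {
                        "name": "prefetch-dependencies",
                        "ref": {"name": TASK_NAME, "kind": "Task"},
                        "invocation": {"parameters": params},
                    },
                ]
            }
        },
    }
    return json.dumps(att)


def tasks_from_attestation(att: dict) -> Iterator[dict]:
    """Yield every task recorded in the attestation's buildConfig (assumed layout)."""
    yield from att.get("predicate", {}).get("buildConfig", {}).get("tasks", [])


def is_prefetch_task(task: dict) -> bool:
    """Match on the referenced Task name as well as the PipelineTask name, so a
    pipeline author cannot sidestep the check simply by renaming the step."""
    return task.get("ref", {}).get("name") == TASK_NAME or task.get("name") == TASK_NAME


def mode_not_permissive(attestation_json: str) -> list:
    """Return one FAILURE record per prefetch-dependencies invocation whose
    mode parameter is 'permissive'. An empty list means the rule passes."""
    att = json.loads(attestation_json)
    failures = []
    for task in tasks_from_attestation(att):
        if not is_prefetch_task(task):
            continue
        params = task.get("invocation", {}).get("parameters", {})
        mode = params.get("mode")
        # Tekton params may be strings, arrays or objects; only a string can
        # select the mode, and we normalise case/whitespace so "Permissive "
        # is not waved through.
        if isinstance(mode, str) and mode.strip().lower() == "permissive":
            failures.append({"code": RULE_CODE, "msg": FAILURE_MSG, "task": task.get("name")})
    return failures


if __name__ == "__main__":
    for label, mode in (("permissive", "permissive"), ("no mode param", None)):
        print(label, "->", mode_not_permissive(build_attestation(mode)) or "PASS")
```

A task recorded with no mode parameter passes, as the rule only objects to an explicit "permissive" value; the normalisation step is the example's own hardening choice and goes slightly beyond the literal text of the rule.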