Profile Applicability: 
Level 1

Description: 
All deployment configuration manifests—such as Kubernetes YAML files, Helm charts, or other infrastructure definitions—must reference specific, immutable versions or hashes of the artifacts and dependencies they deploy. This prevents accidental or malicious deployment of unverified or unintended changes by ensuring that only validated versions are used during deployment.

Rationale:  
Pinning deployment manifests to fixed, verified versions increases deployment reliability and security by eliminating risks associated with automatic updates to latest or floating versions. It enhances traceability and auditability, supports rollback, and reduces exposure to untested or compromised configurations.

Impact: 
Pros:  

  • Prevents unexpected changes during deployment.

  • Improves security by deploying only verified versions.

  • Enhances traceability and accountability.

  • Facilitates rollback to known good states.

Cons:

  • Requires disciplined version management and update processes.

  • May slow down updates if version pinning is not managed efficiently.

Default value:
Many deployment manifests may use floating tags like “latest” or unpinned references, increasing risk.

Audit:
Inspect deployment manifests to verify usage of specific version tags, commit hashes, or checksums for all referenced artifacts and dependencies.
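As an added example (not part of the benchmark text or any vendor tool), the following Python helper performs the audit check above on a Kubernetes manifest: it extracts every `image:` reference and reports whether it is pinned by digest, pinned to a fixed tag, or floating. The manifest, registry name and list of floating tag names are constructed for illustration.

```python
"""Audit helper: flag container image references in a Kubernetes manifest
that are not pinned to an immutable identifier."""
import re
from typing import List, Tuple

# Constructed sample manifest (not a real deployment) used as audit input.
SAMPLE_MANIFEST = """\
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: init
          image: busybox
        - name: api
          image: registry.example.com/team/api:latest
        - name: worker
          image: registry.example.com/team/worker:1.4.2
        - name: proxy
          image: registry.example.com/team/proxy@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

# Matches "image: <ref>" lines (quoted or not); does not match imagePullPolicy.
IMAGE_RE = re.compile(r"^\s*(?:-\s*)?image:\s*['\"]?([^'\"\s]+)['\"]?\s*$", re.MULTILINE)
# Tag names that move over time; treated as unpinned. Assumed list, extend as needed.
FLOATING_TAGS = {"latest", "stable", "main", "master", "edge", "nightly"}

def classify_image(ref: str) -> str:
    """Return 'digest', 'tag' or 'floating' for one image reference."""
    if "@sha256:" in ref:
        return "digest"                      # content-addressed, immutable
    # Only look at the last path component so a registry port (host:5000/...)
    # is not mistaken for a tag.
    name_part = ref.rsplit("/", 1)[-1]
    if ":" not in name_part:
        return "floating"                    # no tag at all means implicit :latest
    tag = name_part.rsplit(":", 1)[1]
    return "floating" if tag in FLOATING_TAGS else "tag"

def audit_manifest(text: str) -> List[Tuple[str, str]]:
    """Return (image, verdict) for every image reference in the manifest text."""
    return [(ref, classify_image(ref)) for ref in IMAGE_RE.findall(text)]

def findings(text: str, require_digest: bool = False) -> List[str]:
    """Image references that fail the check; require_digest=True also rejects mutable tags."""
    bad = {"floating", "tag"} if require_digest else {"floating"}
    return [ref for ref, verdict in audit_manifest(text) if verdict in bad]

if __name__ == "__main__":
    for ref, verdict in audit_manifest(SAMPLE_MANIFEST):
        print(f"{verdict:9} {ref}")
```

Run it against manifests rendered from Helm (`helm template`) or Kustomize so that images set through values files are also covered; tags are mutable in most registries, so `require_digest=True` is the stricter check.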

Remediation:
Update deployment manifests to reference fixed versions or immutable identifiers. Implement policies and automation to enforce version pinning and verification before deployment.

References:

  1.  https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

  2.  https://helm.sh/docs/chart_best_practices/dependencies/#version-pinning

  3.  https://www.cisecurity.org/controls/application-software-security/