Profile Applicability:
Level 1
Description:
Build workers must be provisioned as ephemeral, single-use instances that are created for a specific build and destroyed immediately after completion. This practice prevents persistent state, reduces the risk of contamination between builds, and enhances the security and reliability of the build environment.
Rationale:
Using single-use build workers eliminates leftover artifacts, credentials, or malicious changes from previous builds. It enforces a clean environment for each build, reducing the risk of supply chain attacks, configuration drift, and build inconsistencies.
Impact:
Pros:
Ensures clean, isolated build environments.
Mitigates risks from persistent malicious or accidental modifications.
Enhances build reproducibility and security.
Simplifies troubleshooting and auditing.
Cons:
May increase infrastructure provisioning overhead and cost.
Requires automation to efficiently manage ephemeral workers.
Default value:
Some build systems reuse build workers persistently, increasing risk of contamination.
Audit:
Review build infrastructure and pipeline configurations to confirm build workers are created and destroyed per build. Inspect logs for worker lifecycle events.
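An added example (not part of this benchmark or of any CI product): one way to check worker lifecycle logs for workers that ran more than one build, were never destroyed, or were destroyed late. The JSON-lines schema, the event names and the 300-second teardown limit are assumptions; map them to what your build system actually logs.

```python
import json
from collections import defaultdict
from datetime import datetime

MAX_TEARDOWN_SECONDS = 300  # assumed limit for "destroyed immediately"
# Constructed sample events; the JSON-lines schema is hypothetical.
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:00", "event": "worker_created", "worker": "w-1"}
{"ts": "2024-05-01T10:00:05", "event": "build_started", "worker": "w-1", "build": "b-100"}
{"ts": "2024-05-01T10:04:00", "event": "build_finished", "worker": "w-1", "build": "b-100"}
{"ts": "2024-05-01T10:04:20", "event": "worker_destroyed", "worker": "w-1"}
{"ts": "2024-05-01T10:05:00", "event": "worker_created", "worker": "w-2"}
{"ts": "2024-05-01T10:05:10", "event": "build_started", "worker": "w-2", "build": "b-101"}
{"ts": "2024-05-01T10:10:00", "event": "build_started", "worker": "w-2", "build": "b-102"}
{"ts": "2024-05-01T10:15:00", "event": "build_finished", "worker": "w-2", "build": "b-102"}
{"ts": "2024-05-01T10:15:10", "event": "worker_destroyed", "worker": "w-2"}
{"ts": "2024-05-01T11:00:00", "event": "worker_created", "worker": "w-3"}
{"ts": "2024-05-01T11:00:05", "event": "build_started", "worker": "w-3", "build": "b-103"}
{"ts": "2024-05-01T12:00:05", "event": "build_started", "worker": "w-4", "build": "b-104"}
{"ts": "2024-05-01T12:03:00", "event": "build_finished", "worker": "w-4", "build": "b-104"}
{"ts": "2024-05-01T12:48:00", "event": "worker_destroyed", "worker": "w-4"}
"""

def audit_workers(log_text, max_teardown=MAX_TEARDOWN_SECONDS):
    """Return {worker: [findings]} for workers that break the single-use rule."""
    builds, last_finish, destroyed = defaultdict(list), {}, {}
    for line in filter(str.strip, log_text.splitlines()):
        ev = json.loads(line)
        ts, worker = datetime.fromisoformat(ev["ts"]), ev["worker"]
        seen = builds[worker]  # registers the worker even if it never built
        if ev["event"] == "build_started" and ev["build"] not in seen:
            seen.append(ev["build"])
        elif ev["event"] == "build_finished":
            last_finish[worker] = ts
        elif ev["event"] == "worker_destroyed":
            destroyed[worker] = ts
    findings = {}
    for worker, ids in sorted(builds.items()):
        issues = []
        if len(ids) > 1:
            issues.append("reused for builds " + ", ".join(ids))
        if worker not in destroyed:
            issues.append("never destroyed")
        elif worker in last_finish and (destroyed[worker] - last_finish[worker]).total_seconds() > max_teardown:
            issues.append("destroyed late after last build")
        if issues:
            findings[worker] = issues
    return findings
if __name__ == "__main__":
    print(json.dumps(audit_workers(SAMPLE_LOG), indent=2))
```

A worker with no findings, such as w-1 in the sample, does not appear in the result.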
Remediation:
Implement automation to provision and decommission build workers for each build job. Use containerization or virtual machines to enable rapid instantiation. Educate teams on the benefits and management of ephemeral build environments.
References:
Jenkins Ephemeral Agents: https://www.jenkins.io/doc/book/pipeline/jenkinsfile/#agent
GitLab CI Runners: https://docs.gitlab.com/runner/
CIS Controls v8, Control 4 - Secure Configuration of Enterprise Assets and Software: https://www.cisecurity.org/controls/secure-configuration-of-enterprise-assets-and-software/