
Automation runbook is not pinned

Security · Automation Account · Rule · 2026_06 · Important

Runbooks that use external scripts from an unpinned URL may be modified to execute malicious code.

Description

When an Azure Automation runbook uses an external script from a URL, the script content could change between runs. If the URL is not pinned to a specific commit, a supply chain attack could modify the script and execute malicious code with elevated privileges.

When using scripts from GitHub, a URL should be pinned to a specific commit hash rather than a branch or tag. A branch or tag can be modified to point to a different commit, allowing a malicious actor to modify the script. A commit hash is unique and cannot be changed without creating a new commit.

Recommendation

Consider updating the runbook to use a URL pinned to a specific commit hash.

Examples

Configure with Bicep

To deploy automation runbooks that pass this rule:

  • Set the properties.publishContentLink.uri property to a URL that is pinned to a specific commit hash.
    • For GitHub hosted scripts, use https://raw.githubusercontent.com/{owner}/{repo}/{commit-sha}/{path}.

For example:

Azure Bicep snippet
resource runbook 'Microsoft.Automation/automationAccounts/runbooks@2023-11-01' = {
  parent: automationAccount
  name: 'runbook-001'
  location: location
  properties: {
    runbookType: 'PowerShell'
    publishContentLink: {
      uri: 'https://raw.githubusercontent.com/Azure/PSRule.Rules.Azure/8dc395b739a8be00571d039c0af9df88d85c1e2a/scripts/pipeline-deps.ps1'
    }
  }
}

Configure with Azure template

To deploy automation runbooks that pass this rule:

  • Set the properties.publishContentLink.uri property to a URL that is pinned to a specific commit hash.
    • For GitHub hosted scripts, use https://raw.githubusercontent.com/{owner}/{repo}/{commit-sha}/{path}.

For example:

Azure Template snippet
{
  "type": "Microsoft.Automation/automationAccounts/runbooks",
  "apiVersion": "2023-11-01",
  "name": "[format('{0}/{1}', parameters('automationAccountName'), 'runbook-001')]",
  "location": "[parameters('location')]",
  "properties": {
    "runbookType": "PowerShell",
    "publishContentLink": {
      "uri": "https://raw.githubusercontent.com/Azure/PSRule.Rules.Azure/8dc395b739a8be00571d039c0af9df88d85c1e2a/scripts/pipeline-deps.ps1"
    }
  }
}
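The following Python script is an added example, not part of this page or of the PSRule.Rules.Azure project: it applies the check described in the Description section to the runbook resources of an ARM template and reports, per runbook, whether the publishContentLink.uri is pinned to a commit, points at a branch or tag, or is hosted somewhere the rule does not evaluate (only https://raw.githubusercontent.com/ URLs are checked, matching the scope stated in the Notes). It assumes that "pinned" means the ref segment of the URL is a full 40-hex-digit commit SHA, so abbreviated SHAs count as unpinned; the rule's exact matching logic is not shown on the page. The sample template, the owner/repo names other than the page's own URL, and the host example.invalid are constructed.

```python
import json
import re
import sys
from dataclasses import dataclass

# Assumption: a GitHub raw URL is owner/repo/ref/path; the rule is satisfied only when
# the ref is a full 40-hex-digit commit SHA (branch names, tags and short SHAs fail).
_RAW_GITHUB_RE = re.compile(
    r"^https://raw\.githubusercontent\.com/"
    r"(?P<owner>[^/]+)/(?P<repo>[^/]+)/(?P<ref>[^/]+)/(?P<path>.+)$"
)
_FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
_RUNBOOK_TYPE = "microsoft.automation/automationaccounts/runbooks"


@dataclass(frozen=True)
class Finding:
    name: str
    uri: str
    status: str   # "pass", "fail" or "not-evaluated"
    reason: str


def classify_uri(uri):
    """Classify one publishContentLink.uri value; returns (status, reason)."""
    m = _RAW_GITHUB_RE.match(uri)
    if m is None:
        # Other hosts are out of scope for this check, not a pass.
        return "not-evaluated", "not a raw.githubusercontent.com URL"
    ref = m.group("ref")
    if _FULL_SHA_RE.match(ref):
        return "pass", "ref is a full commit SHA"
    return "fail", f"ref '{ref}' is a branch, tag or short SHA, not a full commit SHA"


def evaluate_template(template):
    """Run the check over every runbook resource in a parsed ARM template."""
    findings = []
    for res in template.get("resources", []):
        if str(res.get("type", "")).lower() != _RUNBOOK_TYPE:
            continue
        props = res.get("properties") or {}
        uri = (props.get("publishContentLink") or {}).get("uri")
        if not uri:
            continue  # inline runbook content: nothing external to pin
        status, reason = classify_uri(uri)
        findings.append(Finding(res.get("name", "?"), uri, status, reason))
    return findings


# Constructed sample template: one runbook per outcome, plus an inline runbook.
SAMPLE_TEMPLATE = {
    "resources": [
        {
            "type": "Microsoft.Automation/automationAccounts/runbooks",
            "name": "aa-001/runbook-pinned",
            "properties": {
                "runbookType": "PowerShell",
                "publishContentLink": {
                    "uri": "https://raw.githubusercontent.com/Azure/PSRule.Rules.Azure/"
                           "8dc395b739a8be00571d039c0af9df88d85c1e2a/scripts/pipeline-deps.ps1"
                },
            },
        },
        {
            "type": "Microsoft.Automation/automationAccounts/runbooks",
            "name": "aa-001/runbook-branch",
            "properties": {
                "runbookType": "PowerShell",
                "publishContentLink": {
                    "uri": "https://raw.githubusercontent.com/example-org/example-repo/main/scripts/deps.ps1"
                },
            },
        },
        {
            "type": "Microsoft.Automation/automationAccounts/runbooks",
            "name": "aa-001/runbook-other-host",
            "properties": {
                "runbookType": "PowerShell",
                "publishContentLink": {"uri": "https://example.invalid/scripts/deps.ps1"},
            },
        },
        {
            "type": "Microsoft.Automation/automationAccounts/runbooks",
            "name": "aa-001/runbook-inline",
            "properties": {"runbookType": "PowerShell"},
        },
    ]
}


if __name__ == "__main__":
    # Usage: python check_runbooks.py [template.json]; without a path the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            template = json.load(fh)
    else:
        template = SAMPLE_TEMPLATE
    for f in evaluate_template(template):
        print(f"{f.status:<13} {f.name}: {f.reason}")
    sys.exit(1 if any(f.status == "fail" for f in evaluate_template(template)) else 0)
```

Because the check parses the deployed template rather than the script itself, it fits as a pre-deployment gate: a branch or tag ref is reported as a failure and makes the script exit non-zero, while URLs on other hosts are surfaced as "not-evaluated" so they are not silently treated as safe.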

Notes

This rule currently only evaluates content hosted on GitHub, with URLs starting with https://raw.githubusercontent.com/. Please log a feature request if you would like to see support for other hosting providers or URL formats.
