Deployment script is not pinned
Security · Deployment Script · Rule · 2026_06 · Important
Deployment scripts that use external scripts from an unpinned URL may be modified to execute malicious code.
Description
When an Azure Deployment Script uses an external script from a URL, the script content could change between runs. If the URL is not pinned to a specific commit, a supply chain attack could modify the script and execute malicious code with elevated privileges.
When using scripts from GitHub, a URL should be pinned to a specific commit hash rather than a branch or tag. A branch or tag can be modified to point to a different commit, allowing a malicious actor to modify the script. A commit hash is unique and cannot be changed without creating a new commit.
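The check the description implies, written out as an added example (not PSRule's own rule code): a raw.githubusercontent.com URL counts as pinned only when its ref segment is a full 40-character commit SHA, a branch or tag name is reported as unpinned, and URLs on other hosts are skipped, matching the rule's scope described under Notes. The sample resource properties and the example-org/example-repo URLs are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# A full Git commit SHA as GitHub uses it in raw URLs: 40 lowercase hex characters.
COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")


def classify_script_url(url: str) -> str:
    """Return 'pinned', 'unpinned', or 'skipped' (host not evaluated by the rule)."""
    parts = urlparse(url)
    if parts.scheme != "https" or parts.netloc != "raw.githubusercontent.com":
        return "skipped"
    # Raw URL layout: /{owner}/{repo}/{ref}/{path...}; the ref is the third segment.
    segments = parts.path.strip("/").split("/")
    if len(segments) < 4:
        return "unpinned"
    ref = segments[2]
    return "pinned" if COMMIT_SHA.match(ref) else "unpinned"


def find_unpinned_scripts(properties: dict) -> list[str]:
    """List every script URL on a deploymentScripts resource that is not pinned.

    Covers properties.primaryScriptUri and each entry of properties.supportingScriptUris.
    """
    urls = []
    if properties.get("primaryScriptUri"):
        urls.append(properties["primaryScriptUri"])
    urls.extend(properties.get("supportingScriptUris") or [])
    return [u for u in urls if classify_script_url(u) == "unpinned"]


# Constructed sample: the primary script is pinned (the SHA from this page's example),
# one supporting script points at a branch (flagged), one is off GitHub (skipped).
SAMPLE_PROPERTIES = {
    "azPowerShellVersion": "9.7",
    "retentionInterval": "P1D",
    "primaryScriptUri": "https://raw.githubusercontent.com/Azure/PSRule.Rules.Azure/8dc395b739a8be00571d039c0af9df88d85c1e2a/scripts/pipeline-deps.ps1",
    "supportingScriptUris": [
        "https://raw.githubusercontent.com/example-org/example-repo/main/scripts/helper.ps1",
        "https://example.org/scripts/helper.ps1",
    ],
}

if __name__ == "__main__":
    for url in find_unpinned_scripts(SAMPLE_PROPERTIES):
        print("unpinned:", url)
```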
Recommendation
Consider updating the deployment script to use a URL pinned to a specific commit hash.
Examples
Configure with Bicep
To deploy deployment scripts that pass this rule:
- Set the properties.primaryScriptUri property to a URL that is pinned to a specific commit hash.
  - For GitHub hosted scripts, use https://raw.githubusercontent.com/{owner}/{repo}/{commit-sha}/{path}.
- For each item in properties.supportingScriptUris, use a URL that is pinned to a specific commit hash.
For example:
resource script 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
  name: 'script-001'
  location: location
  kind: 'AzurePowerShell'
  properties: {
    azPowerShellVersion: '9.7'
    retentionInterval: 'P1D'
    primaryScriptUri: 'https://raw.githubusercontent.com/Azure/PSRule.Rules.Azure/8dc395b739a8be00571d039c0af9df88d85c1e2a/scripts/pipeline-deps.ps1'
  }
}
Configure with Azure template
To deploy deployment scripts that pass this rule:
- Set the properties.primaryScriptUri property to a URL that is pinned to a specific commit hash.
  - For GitHub hosted scripts, use https://raw.githubusercontent.com/{owner}/{repo}/{commit-sha}/{path}.
- For each item in properties.supportingScriptUris, use a URL that is pinned to a specific commit hash.
For example:
{
  "type": "Microsoft.Resources/deploymentScripts",
  "apiVersion": "2023-08-01",
  "name": "script-001",
  "location": "[parameters('location')]",
  "kind": "AzurePowerShell",
  "properties": {
    "azPowerShellVersion": "9.7",
    "retentionInterval": "P1D",
    "primaryScriptUri": "https://raw.githubusercontent.com/Azure/PSRule.Rules.Azure/8dc395b739a8be00571d039c0af9df88d85c1e2a/scripts/pipeline-deps.ps1"
  }
}
Notes
This rule currently only evaluates content hosted on GitHub, with URLs starting with https://raw.githubusercontent.com/.
Please log a feature request if you would like to see support for other hosting providers or URL formats.
Links
- SE:02 Secured development lifecycle
- Security: Level 1
- Use deployment scripts in ARM templates
- Azure deployment reference