Add policy rule to prevent variable substitution in Tekton Task script blocks #1751

Description

@st3penta

There should be a policy rule in the task namespace that detects when Tekton parameters ($(params.*)) are used directly in spec.steps[].script blocks of Task definitions. This is a security risk because it enables command injection -- a malicious parameter value could execute arbitrary commands within the script. The Tekton documentation explicitly recommends against this pattern (see Using Variable Substitution).

The build-definitions repo already has a yaml-lint check for this, but it should also be enforced as a Conforma policy rule so it applies universally to any evaluated Task definition.

The rule should scan input.spec.steps[].script for occurrences of $(params. and report a violation when found.

Originally tracked as Jira EC-440.
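As an added illustration of the check described above (this is not Conforma's Rego rule, nor code from the build-definitions repo), the following Python mirrors the rule's logic over a parsed Task definition: walk `spec.steps[].script`, report every direct `$(params.` reference, and treat a Task that passes the parameter through `env` instead as compliant. The function names, the `UNSAFE_TASK`/`SAFE_TASK` samples, the image reference and the parameter name are all constructed for this example.

```python
import re

# A Tekton parameter reference inside a script body, e.g. $(params.target) or
# $(params.target[*]). The issue names only the "$(params." prefix, so the pattern
# anchors on that prefix and captures the rest of the reference up to its closing ")".
PARAM_REF = re.compile(r"\$\(params\.[^)]*\)")


def find_script_param_refs(task):
    """Walk spec.steps[].script of a Task (given as a parsed dict, as a YAML loader
    would produce) and return (step index, step name, matched reference) for each
    parameter substituted directly into a script."""
    violations = []
    steps = task.get("spec", {}).get("steps") or []
    for i, step in enumerate(steps):
        script = step.get("script") or ""
        for match in PARAM_REF.finditer(script):
            violations.append((i, step.get("name", f"step-{i}"), match.group(0)))
    return violations


def check_task(task):
    """One violation message per direct reference; an empty list means the Task complies."""
    return [
        f"step {i} ({name}): {ref} is substituted directly into the script; "
        "pass the parameter through env or args instead"
        for i, name, ref in find_script_param_refs(task)
    ]


# Constructed sample: the parameter is expanded by Tekton before the shell runs, so any
# shell metacharacters in its value are interpreted as part of the command line.
UNSAFE_TASK = {
    "apiVersion": "tekton.dev/v1",
    "kind": "Task",
    "metadata": {"name": "example"},
    "spec": {
        "params": [{"name": "target", "type": "string"}],
        "steps": [
            {
                "name": "run",
                "image": "registry.example/tool:latest",  # constructed image reference
                "script": "#!/bin/sh\ntool --target $(params.target)\n",
            }
        ],
    },
}

# Constructed sample following the pattern the Tekton docs recommend: substitution
# happens in the env value, and the shell receives the value as quoted data.
SAFE_TASK = {
    "apiVersion": "tekton.dev/v1",
    "kind": "Task",
    "metadata": {"name": "example"},
    "spec": {
        "params": [{"name": "target", "type": "string"}],
        "steps": [
            {
                "name": "run",
                "image": "registry.example/tool:latest",
                "env": [{"name": "TARGET", "value": "$(params.target)"}],
                "script": '#!/bin/sh\ntool --target "$TARGET"\n',
            }
        ],
    },
}

if __name__ == "__main__":
    for label, task in (("unsafe", UNSAFE_TASK), ("safe", SAFE_TASK)):
        print(label, check_task(task) or "compliant")
```

The Conforma version of this check would express the same walk in Rego over `input.spec.steps`, but the detection logic is identical: a substring match on `$(params.` within each `script`. Note that the `SAFE_TASK` step still references `$(params.target)`, only outside the script block, which is exactly the distinction the rule relies on.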
