There should be a policy rule in the task namespace that detects when Tekton parameters ($(params.*)) are referenced directly inside spec.steps[].script blocks of Task definitions. This is a security risk because Tekton substitutes the parameter value textually into the script before the step runs, so a value containing shell metacharacters (a `;`, backticks, `$(...)`) becomes part of the shell program rather than data and can execute arbitrary commands -- classic command injection, reachable by anyone who controls the value passed to the Task. The Tekton documentation explicitly recommends against this pattern (see Using Variable Substitution); the safe alternatives are to pass the parameter through a step's env or args and reference it from the script as a quoted shell variable.
The build-definitions repo already has a yaml-lint check for this, but it should also be enforced as a Conforma policy rule so that it applies to every Task definition Conforma evaluates, not only to Tasks in that repo.
The rule should scan input.spec.steps[].script for occurrences of $(params. and report a violation (naming the step) when one is found. Tekton also accepts the bracket form $(params["name"]) / $(params['name']) for parameter names, so the scan should match that spelling too rather than only the literal $(params. prefix.
Originally tracked as Jira EC-440.
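A runnable illustration of both the problem and the proposed check, added here as an example; it is not code from Conforma, ec-policies or build-definitions. The real rule would be written in Rego, so this Python only mirrors its logic: it runs the scan over two constructed Tasks (one vulnerable, one hardened with env), and models Tekton's textual substitution to show why the first one is injectable while the second is not. The Task names, the `greet` step, the `who` parameter and the `world; id` payload are all made up for the example, and the regex also matches the bracket form $(params["name"]) that a scan for the literal `$(params.` prefix would miss.

```python
import re

# Tekton expands $(params.<name>) (and the bracket form $(params["<name>"]))
# textually before a step starts. A reference inside `script` therefore turns
# the parameter value into shell source rather than data.
PARAM_REF = re.compile(r"\$\(params(?:\.[^)\[]+|\[[^\]]+\])\)")

# Constructed example Tasks (not from build-definitions). The first one is
# the pattern the proposed rule must flag; the second is the hardened form.
VULNERABLE_TASK = {
    "apiVersion": "tekton.dev/v1",
    "kind": "Task",
    "metadata": {"name": "greet-unsafe"},
    "spec": {
        "params": [{"name": "who", "type": "string"}],
        "steps": [
            {
                "name": "greet",
                "image": "registry.access.redhat.com/ubi9/ubi-minimal",
                "script": "#!/usr/bin/env bash\necho hello $(params.who)\n",
            }
        ],
    },
}

HARDENED_TASK = {
    "apiVersion": "tekton.dev/v1",
    "kind": "Task",
    "metadata": {"name": "greet-safe"},
    "spec": {
        "params": [{"name": "who", "type": "string"}],
        "steps": [
            {
                "name": "greet",
                "image": "registry.access.redhat.com/ubi9/ubi-minimal",
                # Substitution happens in the env value; the script only ever
                # sees a quoted shell variable, so metacharacters stay inert.
                "env": [{"name": "WHO", "value": "$(params.who)"}],
                "script": '#!/usr/bin/env bash\necho hello "$WHO"\n',
            }
        ],
    },
}


def find_param_refs_in_scripts(task: dict) -> list[dict]:
    """The proposed policy check: one violation per $(params...) reference
    found in spec.steps[].script, tagged with the offending step."""
    violations = []
    steps = task.get("spec", {}).get("steps") or []
    for index, step in enumerate(steps):
        for ref in PARAM_REF.findall(step.get("script") or ""):
            violations.append({"step": step.get("name", f"step-{index}"), "ref": ref})
    return violations


def substitute_params(text: str, values: dict) -> str:
    """Simplified model of Tekton's substitution: plain textual replacement.
    Only simple string params are modelled, which is enough to show the
    injection; unknown names are left untouched."""
    def expand(match: re.Match) -> str:
        ref = match.group(0)
        name = ref[len("$(params"):-1]          # ".who" or '["who"]'
        name = name[1:] if name.startswith(".") else name[2:-2]
        return values.get(name, ref)
    return PARAM_REF.sub(expand, text)


def render_step(step: dict, values: dict) -> tuple:
    """Return (script, env) as the step container would actually receive them."""
    script = substitute_params(step.get("script") or "", values)
    env = {e["name"]: substitute_params(e.get("value", ""), values)
           for e in step.get("env") or []}
    return script, env


if __name__ == "__main__":
    # A PipelineRun supplies the parameter; `id` is a harmless stand-in for
    # whatever an attacker would really append after the `;`.
    payload = {"who": "world; id"}
    for task in (VULNERABLE_TASK, HARDENED_TASK):
        step = task["spec"]["steps"][0]
        script, env = render_step(step, payload)
        print(task["metadata"]["name"], "violations:", find_param_refs_in_scripts(task))
        print("  script:", repr(script), "env:", env)
```

Run as-is, the unsafe Task renders to `echo hello world; id`, so `id` executes as a second command, while the hardened Task's script is untouched and the same payload sits inertly in the WHO environment variable. The scan flags only the first Task; an env value containing $(params.who) is exactly the recommended pattern and must not be reported, which is why the check looks at `script` alone.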