Prefetch Dependencies Task Package
This package verifies that the prefetch-dependencies task is invoked with appropriate parameters to ensure secure dependency fetching.
Rules Included
Prefetch dependencies mode parameter check
Verify the prefetch-dependencies task in the PipelineRun attestation was not invoked with the "permissive" mode parameter, which could compromise security.
Solution: Change the mode parameter of the prefetch-dependencies task from 'permissive' to a more secure value. The permissive mode may allow insecure dependency fetching practices.
- Rule type: FAILURE
- FAILURE message: Task '%s' was invoked with mode parameter set to 'permissive'
- Code: prefetch_dependencies.mode_not_permissive
Prefetch task has package registry proxy enabled
Verify that prefetch-dependencies tasks have the enable-package-registry-proxy parameter set to true. This ensures that dependency prefetching uses the package registry proxy.
Solution: Make sure the prefetch-dependencies task has the input parameter 'enable-package-registry-proxy' set to 'true'.
- Rule type: FAILURE
- FAILURE message: Task '%s' does not have the enable-package-registry-proxy parameter set to true
- Code: prefetch_dependencies.package_registry_proxy_enabled
- Effective from: 2026-06-01T00:00:00Z
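As an added example, not the policy package's own Rego, the following Python applies both checks to a constructed provenance predicate; the task/parameter layout (buildConfig.tasks[].ref.name and invocation.parameters) is an assumption about the attestation shape, and the as_of handling assumes that a rule not yet in effect is reported as a warning rather than a failure.

```python
"""Evaluate the two prefetch-dependencies rules over a provenance predicate."""
from datetime import datetime, timezone

# Constructed sample predicate; the layout is assumed, not taken from the policy docs.
SAMPLE_PREDICATE = {
    "buildConfig": {
        "tasks": [
            {"name": "prefetch-dependencies",
             "ref": {"name": "prefetch-dependencies"},
             "invocation": {"parameters": {"mode": "permissive",
                                           "enable-package-registry-proxy": "false"}}},
            {"name": "build-container", "ref": {"name": "buildah"},
             "invocation": {"parameters": {}}},
        ]
    }
}

# (code, message template, effective-from timestamp or None) for each rule on the page.
RULES = {
    "mode": ("prefetch_dependencies.mode_not_permissive",
             "Task '%s' was invoked with mode parameter set to 'permissive'", None),
    "proxy": ("prefetch_dependencies.package_registry_proxy_enabled",
              "Task '%s' does not have the enable-package-registry-proxy parameter set to true",
              "2026-06-01T00:00:00Z"),
}


def _ts(value):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def check_prefetch_dependencies(predicate, as_of="2026-07-01T00:00:00Z"):
    """Return (severity, code, message) for each violated rule across prefetch tasks."""
    now = _ts(as_of)
    results = []
    for task in predicate.get("buildConfig", {}).get("tasks", []):
        if task.get("ref", {}).get("name") != "prefetch-dependencies":
            continue
        name = task.get("name", "<unnamed>")
        params = task.get("invocation", {}).get("parameters", {})
        hits = []
        if params.get("mode") == "permissive":
            hits.append(RULES["mode"])
        if str(params.get("enable-package-registry-proxy", "")).lower() != "true":
            hits.append(RULES["proxy"])
        for code, template, effective in hits:
            # Assumed semantics: before the effective date the violation is only a warning.
            severity = "warning" if effective and now < _ts(effective) else "failure"
            results.append((severity, code, template % name))
    return results
```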