For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/ansible-unpinned-package-version.md.
Package installer tasks that set state: latest without pinning a version or enabling update_only can cause unintended upgrades. This may introduce breaking changes, regressions, or service disruptions and make deployments non-reproducible.
Ansible package installer modules (for example apt, yum, dnf, pip) are checked for the following task properties: state must not be latest unless a version is specified or update_only is set to true. Tasks with state: latest, no version, and update_only missing or set to false are flagged.
Remediate by pinning packages to explicit versions for deterministic installs, or set update_only: true when you only want to upgrade already-installed packages.
Secure example — pin a version:

```yaml
- name: Install mypkg at a specific version
  apt:
    name: mypkg=1.2.3
    state: present
```

Secure example — allow only updates to already-installed packages:

```yaml
- name: Update installed packages only
  yum:
    name: mypkg
    state: latest
    update_only: true
```
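A small stand-alone checker that applies the rule's stated conditions to a playbook, useful as a pre-commit or CI gate. This is an added example, not Datadog's rule implementation; the playbook is supplied as JSON (which is valid YAML) so only the standard library is needed, and a `version` key is treated as the version pin the rule refers to.

```python
import json

# Installer modules the check recognises, by short name; FQCN prefixes are stripped.
PACKAGE_MODULES = {"apt", "yum", "dnf", "pip", "package", "zypper", "apk", "npm",
                   "gem", "homebrew", "pacman", "yarn", "win_chocolatey"}

def _is_true(value):
    """Accept the spellings Ansible treats as true (True, "true", "yes")."""
    return str(value).lower() in ("true", "yes")

def task_violates(task):
    """True when a package task sets state: latest with no version and no update_only: true."""
    for key, args in task.items():
        if key.rsplit(".", 1)[-1] in PACKAGE_MODULES and isinstance(args, dict):
            if args.get("state") != "latest":
                return False
            return args.get("version") is None and not _is_true(args.get("update_only"))
    return False

def find_violations(playbook):
    """Walk each play's task sections and nested blocks; return names of offending tasks."""
    hits = []
    def walk(tasks):
        for task in tasks or []:
            for section in ("block", "rescue", "always"):  # recurse into blocks
                walk(task.get(section))
            if task_violates(task):
                hits.append(task.get("name", "<unnamed>"))
    for play in playbook:
        for section in ("pre_tasks", "tasks", "post_tasks", "handlers"):
            walk(play.get(section))
    return hits

# Constructed sample playbook (JSON is valid YAML) mixing compliant and non-compliant tasks.
SAMPLE_PLAYBOOK = json.loads("""
[{"name": "Example playbook", "hosts": "localhost", "tasks": [
  {"name": "pinned pip", "ansible.builtin.pip": {"name": "ansible-lint", "state": "latest", "version": "5.4.0"}},
  {"name": "update only", "ansible.builtin.yum": {"name": "sudo", "state": "latest", "update_only": true}},
  {"name": "unpinned yum", "ansible.builtin.yum": {"name": "ansible", "state": "latest"}},
  {"name": "update_only false", "yum": {"name": "sudo", "state": "latest", "update_only": false}},
  {"name": "present apt", "ansible.builtin.apt": {"name": "apache2", "state": "present"}},
  {"name": "wrapped", "block": [{"name": "nested pip", "pip": {"name": "foo", "state": "latest"}}]}
]}]""")

if __name__ == "__main__":
    for name in find_violations(SAMPLE_PLAYBOOK):
        print("ansible-unpinned-package-version:", name)
```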
Compliant Code Examples
```yaml
---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Install Ansible
      ansible.builtin.yum:
        name: ansible-2.12.7.0
        state: present
    - name: Install Ansible-lint
      ansible.builtin.pip:
        name: ansible-lint
        state: present
        version: 5.4.0
    - name: Update Ansible with update_only to true
      ansible.builtin.yum:
        name: sudo
        state: latest
        update_only: true
    - name: Install nmap
      community.general.zypper:
        name: nmap
        state: present
    - name: Install package without using cache
      community.general.apk:
        name: foo
        state: present
        no_cache: true
    - name: Install apache httpd
      ansible.builtin.apt:
        name: apache2
        state: present
    - name: Update Gemfile in another directory
      community.general.bundler:
        state: present
        chdir: ~/rails_project
    - name: Install a modularity appstream with defined profile
      ansible.builtin.dnf:
        name: "@postgresql/client"
        state: present
    - name: Install rake
      community.general.gem:
        name: rake
        state: present
    - name: Install formula foo with 'brew' from cask
      community.general.homebrew:
        name: homebrew/cask/foo
        state: present
    - name: Install Green Balls plugin
      community.general.jenkins_plugin:
        name: greenballs
        version: present
        state: present
        url: http://host_jenkins:8080
        username: user_jenkins
        password: userpass_jenkins
      register: result
    - name: Install packages based on package.json
      community.general.npm:
        path: /app/location
        state: present
    - name: Install nmap
      community.general.openbsd_pkg:
        name: nmap
        state: present
    - name: Install ntpdate
      ansible.builtin.package:
        name: ntpdate
        state: present
    - name: Install package bar from file
      community.general.pacman:
        name: ~/bar-1.0-1-any.pkg.tar.xz
        state: present
    - name: Install package bar from file
      community.general.pacman:
        name: ~/bar-1.0-1-any.pkg.tar.xz
        state: present
    - name: Install finger daemon
      community.general.pkg5:
        name: service/network/finger
        state: present
    - name: Install several packages
      community.general.pkgutil:
        name:
          - CSWsudo
          - CSWtop
        state: present
    - name: Install package foo
      community.general.portage:
        package: foo
        state: present
    - name: Make sure that it is the most updated package
      community.general.slackpkg:
        name: foo
        state: present
    - name: Make sure spell foo is installed
      community.general.sorcery:
        spell: foo
        state: present
    - name: Install package unzip
      community.general.swdepot:
        name: unzip
        state: present
        depot: "repository:/path"
    - name: Install multiple packages
      win_chocolatey:
        name:
          - procexp
          - putty
          - windirstat
        state: present
    - name: Install "imagemin" node.js package globally.
      community.general.yarn:
        name: imagemin
        global: true
    - name: Install a list of packages (suitable replacement for 2.11 loop deprecation warning)
      ansible.builtin.yum:
        name:
          - nginx
          - postgresql
          - postgresql-server
        state: present
    - name: Install local rpm file
      community.general.zypper:
        name: /tmp/fancy-software.rpm
        state: present
```
Non-Compliant Code Examples
```yaml
---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Install Ansible
      ansible.builtin.yum:
        name: ansible
        state: latest
    - name: Install Ansible-lint
      ansible.builtin.pip:
        name: ansible-lint
        state: latest
    - name: Install some-package
      ansible.builtin.package:
        name: some-package
        state: latest
    - name: Install Ansible with update_only to false
      ansible.builtin.yum:
        name: sudo
        state: latest
        update_only: false
    - name: Install nmap
      community.general.zypper:
        name: nmap
        state: latest
    - name: Install package without using cache
      community.general.apk:
        name: foo
        state: latest
        no_cache: true
    - name: Install apache httpd
      ansible.builtin.apt:
        name: apache2
        state: latest
    - name: Update Gemfile in another directory
      community.general.bundler:
        state: latest
        chdir: ~/rails_project
    - name: Install a modularity appstream with defined profile
      ansible.builtin.dnf:
        name: "@postgresql/client"
        state: latest
    - name: Install rake
      community.general.gem:
        name: rake
        state: latest
    - name: Install formula foo with 'brew' from cask
      community.general.homebrew:
        name: homebrew/cask/foo
        state: latest
    - name: Install Green Balls plugin
      community.general.jenkins_plugin:
        name: greenballs
        state: latest
        url: http://host_jenkins:8080
        username: user_jenkins
        password: userpass_jenkins
      register: result
    - name: Install packages based on package.json
      community.general.npm:
        path: /app/location
        state: latest
    - name: Install nmap
      community.general.openbsd_pkg:
        name: nmap
        state: latest
    - name: Install ntpdate
      ansible.builtin.package:
        name: ntpdate
        state: latest
    - name: Install package bar from file
      community.general.pacman:
        name: ~/bar-1.0-1-any.pkg.tar.xz
        state: latest
    - name: Install finger daemon
      community.general.pkg5:
        name: service/network/finger
        state: latest
    - name: Install several packages
      community.general.pkgutil:
        name:
          - CSWsudo
          - CSWtop
        state: latest
    - name: Install package foo
      community.general.portage:
        package: foo
        state: latest
    - name: Make sure that it is the most updated package
      community.general.slackpkg:
        name: foo
        state: latest
    - name: Make sure spell foo is installed
      community.general.sorcery:
        spell: foo
        state: latest
    - name: Install package unzip
      community.general.swdepot:
        name: unzip
        state: latest
        depot: "repository:/path"
    - name: Install multiple packages
      win_chocolatey:
        name:
          - procexp
          - putty
          - windirstat
        state: latest
    - name: Install "imagemin" node.js package globally.
      community.general.yarn:
        name: imagemin
        global: true
        state: latest
    - name: Install a list of packages (suitable replacement for 2.11 loop deprecation warning)
      ansible.builtin.yum:
        name:
          - nginx
          - postgresql
          - postgresql-server
        state: latest
    - name: Install local rpm file
      community.general.zypper:
        name: /tmp/fancy-software.rpm
        state: latest
```
```yaml
rulesets:
  - Ansible # Rules to enforce.
```