Id: c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8
Cloud Provider: Common
Platform: Ansible
Severity: Low
Category: Supply-Chain
Learn More
Description
Package installer tasks that set `state: latest` without pinning a version or enabling `update_only` install whatever version the repository serves at run time, so every run can silently upgrade the package. This can introduce breaking changes, regressions, or service disruptions, makes deployments non-reproducible, and means a newly published (possibly compromised) upstream release is picked up automatically rather than after review.
The rule inspects Ansible package-installer tasks (for example `apt`, `yum`, `dnf`, `pip`, and the `community.general` package modules shown in the examples below) and flags any task that sets `state: latest` when no version is specified and `update_only` is absent or `false`. Note that `update_only` is a yum/dnf option; for the other modules the only way to satisfy the rule is to pin a version.
Remediate by pinning packages to explicit versions (`state: present` plus a version in `name` or in the module's `version` parameter), which gives deterministic installs. Alternatively, set `update_only: true` when you only want to upgrade packages that are already installed; this satisfies the rule but still tracks the newest available version, so on its own it does not make the deployment reproducible.
Secure example — pin a version:
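# Pinning the version makes the install deterministic: the same playbook run
# yields the same package every time, and a newer (possibly broken or
# compromised) release is never picked up implicitly.
- name: Install mypkg at a specific version
  apt:
    name: mypkg=1.2.3  # apt pin syntax is <package>=<version>
    state: present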
Secure example — allow only updates to already-installed packages:
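# update_only restricts the task to packages already present on the host, so
# it never installs something new. It still upgrades to whatever the
# repository currently serves, so this satisfies the rule without making the
# install reproducible; pin a version where that matters.
- name: Update installed packages only
  yum:
    name: mypkg
    state: latest
    update_only: true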
Compliant Code Examples
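---
# Every task below passes the rule: none combines `state: latest` with an
# unpinned package, and the single task that does use `state: latest` sets
# `update_only: true`. "Passes the rule" is weaker than "pinned": a task with
# `state: present` and no version still installs whatever the repository
# serves on first run, so pin the version where reproducibility matters.
- name: Example playbook
  hosts: localhost
  tasks:
    # Version pinned inside the package name (yum name-version form).
    - name: Install Ansible
      ansible.builtin.yum:
        name: ansible-2.12.7.0
        state: present
    # Version pinned via the module's `version` parameter. Quote versions
    # that could parse as a float (e.g. "1.20"), or YAML will truncate them.
    - name: Install Ansible-lint
      ansible.builtin.pip:
        name: ansible-lint
        state: present
        version: 5.4.0
    # `state: latest` is tolerated only because `update_only: true` limits
    # the task to packages already installed; it still tracks the newest
    # version available.
    - name: Update Ansible with update_only to true
      ansible.builtin.yum:
        name: sudo
        state: latest
        update_only: true
    # The remaining tasks use `state: present` (or omit `state`), so the
    # rule does not flag them. Unpinned names are not reproducible installs.
    - name: Install nmap
      community.general.zypper:
        name: nmap
        state: present
    - name: Install package without using cache
      community.general.apk:
        name: foo
        state: present
        no_cache: true
    - name: Install apache httpd
      ansible.builtin.apt:
        name: apache2
        state: present
    - name: Update Gemfile in another directory
      community.general.bundler:
        state: present
        chdir: ~/rails_project
    - name: Install a modularity appstream with defined profile
      ansible.builtin.dnf:
        name: "@postgresql/client"
        state: present
    - name: Install rake
      community.general.gem:
        name: rake
        state: present
    - name: Install formula foo with 'brew' from cask
      community.general.homebrew:
        name: homebrew/cask/foo
        state: present
    # NOTE(review): `version: present` is not a plugin version string; confirm
    # this is intended. The URL is plain HTTP and the credentials are literals:
    # in a real playbook use HTTPS and source the password from Ansible Vault
    # or a secrets lookup rather than committing it.
    - name: Install Green Balls plugin
      community.general.jenkins_plugin:
        name: greenballs
        version: present
        state: present
        url: http://host_jenkins:8080
        username: user_jenkins
        password: userpass_jenkins
      register: result
    - name: Install packages based on package.json
      community.general.npm:
        path: /app/location
        state: present
    - name: Install nmap
      community.general.openbsd_pkg:
        name: nmap
        state: present
    - name: Install ntpdate
      ansible.builtin.package:
        name: ntpdate
        state: present
    # Installing from a local, version-named file is effectively pinned.
    - name: Install package bar from file
      community.general.pacman:
        name: ~/bar-1.0-1-any.pkg.tar.xz
        state: present
    - name: Install finger daemon
      community.general.pkg5:
        name: service/network/finger
        state: present
    - name: Install several packages
      community.general.pkgutil:
        name:
          - CSWsudo
          - CSWtop
        state: present
    - name: Install package foo
      community.general.portage:
        package: foo
        state: present
    - name: Make sure that it is the most updated package
      community.general.slackpkg:
        name: foo
        state: present
    - name: Make sure spell foo is installed
      community.general.sorcery:
        spell: foo
        state: present
    - name: Install package unzip
      community.general.swdepot:
        name: unzip
        state: present
        depot: "repository:/path"
    - name: Install multiple packages
      win_chocolatey:
        name:
          - procexp
          - putty
          - windirstat
        state: present
    # No `state` key at all, so `latest` is not set and the rule is satisfied.
    - name: Install "imagemin" node.js package globally.
      community.general.yarn:
        name: imagemin
        global: true
    - name: Install a list of packages (suitable replacement for 2.11 loop deprecation warning)
      ansible.builtin.yum:
        name:
          - nginx
          - postgresql
          - postgresql-server
        state: present
    - name: Install local rpm file
      community.general.zypper:
        name: /tmp/fancy-software.rpm
        state: present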
Non-Compliant Code Examples
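---
# Every task below is flagged by the rule: each sets `state: latest` with no
# version pinned, and none sets `update_only: true`. The fix in each case is
# `state: present` with an explicit version (see the compliant examples).
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Install Ansible
      ansible.builtin.yum:
        name: ansible
        state: latest
    - name: Install Ansible-lint
      ansible.builtin.pip:
        name: ansible-lint
        state: latest
    - name: Install some-package
      ansible.builtin.package:
        name: some-package
        state: latest
    # An explicit `update_only: false` is treated the same as omitting it:
    # the task may both install and upgrade, so it is still flagged.
    - name: Install Ansible with update_only to false
      ansible.builtin.yum:
        name: sudo
        state: latest
        update_only: false
    - name: Install nmap
      community.general.zypper:
        name: nmap
        state: latest
    - name: Install package without using cache
      community.general.apk:
        name: foo
        state: latest
        no_cache: true
    - name: Install apache httpd
      ansible.builtin.apt:
        name: apache2
        state: latest
    - name: Update Gemfile in another directory
      community.general.bundler:
        state: latest
        chdir: ~/rails_project
    - name: Install a modularity appstream with defined profile
      ansible.builtin.dnf:
        name: "@postgresql/client"
        state: latest
    - name: Install rake
      community.general.gem:
        name: rake
        state: latest
    - name: Install formula foo with 'brew' from cask
      community.general.homebrew:
        name: homebrew/cask/foo
        state: latest
    # NOTE(review): besides the unpinned `state: latest`, this task uses a
    # plain-HTTP URL and literal credentials; use HTTPS and Ansible Vault or
    # a secrets lookup for the password in a real playbook.
    - name: Install Green Balls plugin
      community.general.jenkins_plugin:
        name: greenballs
        state: latest
        url: http://host_jenkins:8080
        username: user_jenkins
        password: userpass_jenkins
      register: result
    - name: Install packages based on package.json
      community.general.npm:
        path: /app/location
        state: latest
    - name: Install nmap
      community.general.openbsd_pkg:
        name: nmap
        state: latest
    - name: Install ntpdate
      ansible.builtin.package:
        name: ntpdate
        state: latest
    - name: Install package bar from file
      community.general.pacman:
        name: ~/bar-1.0-1-any.pkg.tar.xz
        state: latest
    - name: Install finger daemon
      community.general.pkg5:
        name: service/network/finger
        state: latest
    - name: Install several packages
      community.general.pkgutil:
        name:
          - CSWsudo
          - CSWtop
        state: latest
    - name: Install package foo
      community.general.portage:
        package: foo
        state: latest
    - name: Make sure that it is the most updated package
      community.general.slackpkg:
        name: foo
        state: latest
    - name: Make sure spell foo is installed
      community.general.sorcery:
        spell: foo
        state: latest
    - name: Install package unzip
      community.general.swdepot:
        name: unzip
        state: latest
        depot: "repository:/path"
    - name: Install multiple packages
      win_chocolatey:
        name:
          - procexp
          - putty
          - windirstat
        state: latest
    # Unlike the compliant yarn example, `state: latest` is set explicitly.
    - name: Install "imagemin" node.js package globally.
      community.general.yarn:
        name: imagemin
        global: true
        state: latest
    - name: Install a list of packages (suitable replacement for 2.11 loop deprecation warning)
      ansible.builtin.yum:
        name:
          - nginx
          - postgresql
          - postgresql-server
        state: latest
    - name: Install local rpm file
      community.general.zypper:
        name: /tmp/fancy-software.rpm
        state: latest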