github.com/mongodb-labs/drone-validation
Requires Drone server version 1.4 or higher.
This is a simple validation extension that performs pipeline type validations.
When a user prepared a Drone configuration file using a pipeline type that was not supported by our platform, the build used to hang and the user received no error or feedback. With this validation extension enabled, the same build fails instantly and an error message is returned to the UI explaining why the build failed.
The validation process relies on an OPA policy written in Rego and is integrated via the OPA Go API.
Although the main purpose of this extension's policy is to validate supported pipeline types, it can easily be modified to check other attributes of the Drone configuration, including secrets.
This application runs a simple Rego query that requires the policy to return a boolean value on the path `data.drone.validation.deny` and an error message on `data.drone.validation.out`.
The default policy is based on the following workflow:
Config document
          │
          ▼
┌───────────────────┐   No    ┌────────────────────┐
│ Is it a pipeline? ├────────►│ Return: deny=false │
└─────────┬─────────┘         └────────────────────┘
          │ Yes
          ▼
┌──────────────────────┐  Yes  ┌────────────────────┐
│ Is the type allowed? ├──────►│ Return: deny=false │
└──────────┬───────────┘       └────────────────────┘
           │ No
           ▼
┌───────────────────┐
│ Return: deny=true │
└───────────────────┘
This is for demonstration purposes only and will need to be adapted for real world deployments.
See Drone docs for more info.
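As an added example, and not the project's own policy file, the following Rego policy implements the workflow above against the `data.drone.validation.deny` / `data.drone.validation.out` contract the extension queries. It assumes the extension parses each YAML document of the Drone config and passes it as `input`, uses the `rego.v1` syntax (OPA 0.59 or later), and that `allowed_types` is a constructed list you would replace with the types your runners support.

```rego
package drone.validation

import rego.v1

# Pipeline types this platform accepts. Constructed example list;
# adapt it to what your runners actually support.
allowed_types := {"docker", "kubernetes"}

# A Drone pipeline with no `type` field is treated as a docker pipeline
# (assumption made here, not something this README states).
pipeline_type := object.get(input, "type", "docker")

# Only documents of kind "pipeline" are validated; secret, signature and
# other document kinds pass through with deny=false.
default deny := false

deny if {
	input.kind == "pipeline"
	not pipeline_type in allowed_types
}

# Message surfaced in the Drone UI when the build is rejected. An empty
# string is returned when nothing is denied so `out` is always defined.
default out := ""

out := msg if {
	deny
	msg := sprintf(
		"pipeline %q uses unsupported type %q; allowed types: %v",
		[object.get(input, "name", "<unnamed>"), pipeline_type, sort(allowed_types)],
	)
}

# Constructed example input:
#   {"kind": "pipeline", "type": "exec", "name": "build"}
# yields deny = true and
#   out = "pipeline \"build\" uses unsupported type \"exec\"; allowed types: [\"docker\", \"kubernetes\"]"
# while {"kind": "secret", "name": "token"} yields deny = false, out = "".
```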
docker build -t drone-validation .
SHARED_SECRET=$(openssl rand -hex 16)
docker run \
--publish=3000:3000 \
--env=DRONE_DEBUG=true \
--env=DRONE_VALIDATE_PLUGIN_SECRET=$SHARED_SECRET \
drone-validation
Update your `drone-server` environment variables to include the plugin endpoint and shared secret.
DRONE_VALIDATE_PLUGIN_ENDPOINT=http://<service-name>:3000
DRONE_VALIDATE_PLUGIN_SECRET=<your_shared_secret>
Drone doesn't offer audit logging at the moment, so we can use this validation extension to generate log entries for both build and promotion job executions.
Log messages are opinionated and don't contain the full list of build attributes by default.