Option to allow certified and partner orbs only
under review
Chris Knowles
Under security settings, we would like to allow certified orbs as well as partner orbs but disallow other orb usage or publishing of orbs. The context is within partners we trust such as Snyk, but we want to prevent usage of other orbs without a better way to check they are secure or a way to know where they come from. We understand we can copy/paste the orb source into projects; that is not so usable with hundreds of projects though.
CCI-I-1332
Oran Wilder
The ability to allow specific orbs by name or namespace (e.g., Snyk) is now supported through our Config Policy Management feature, currently in open preview for Scale customers. Learn how to try it out: https://circleci.com/docs/config-policy-management-overview/
Oran Wilder
Under review for second half of 2022.
Oran Wilder
Enhancements to orb security settings are planned for later this year. This request will be updated again once we begin work. Cheers!
Oran Wilder
Dominik K
Related idea: https://ideas.circleci.com/ideas/CCI-I-687