Azure Pipelines can use tasks created by others and published on the Visual Studio Marketplace. These external tasks perform various operations, such as checking out code, building applications, and deploying artifacts. If your pipeline uses a third-party task without pinning it to a specific, reviewed version, you risk running code that you have not reviewed: a reference that names only a major version (for example `@0`) resolves to whatever newer release the publisher ships under that major.
Tasks provided out of the box by Azure Pipelines, maintained by Microsoft in the azure-pipelines-tasks repository, are excluded from this rule. Although pinning those to a specific version would still benefit build reproducibility, they are generally considered trusted and are omitted here to reduce noise.
There is a risk if you answered no to any of those questions.
It is recommended to pin third-party tasks to a specific, reviewed version. This is the only way to ensure that the code you are running in your pipeline is the one you have reviewed.
To find the exact version number for a custom task, navigate to its page on the Visual Studio Marketplace and look for the version listed under the More Info section on the right side of the page.
pool:
  vmImage: 'ubuntu-latest'
steps:
  - task: SomeExampleTask@0 # Sensitive
Pin the task to a specific, reviewed version.
pool:
  vmImage: 'ubuntu-latest'
steps:
  - task: SomeExampleTask@0.1.2
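A small check that applies this rule to a pipeline file, as an added example (not part of the original rule page or of Azure Pipelines itself): it flags `task:` references whose version is not a full `major.minor.patch` pin, and skips a short, partial list of Microsoft built-in tasks. The sample pipeline and the task names in it are constructed for this example.

```python
import re

# Constructed sample pipeline (assumption: a plain azure-pipelines.yml with "- task:" steps).
SAMPLE_PIPELINE = """\
pool:
  vmImage: 'ubuntu-latest'
steps:
  - task: SomeExampleTask@0             # major only: follows the latest 0.x release
  - task: SomeExampleTask@0.1.2         # fully pinned to a reviewed version
  - task: PublisherName.ExtId.SomeExampleTask@1   # qualified marketplace name, major only
  - task: Bash@3                        # built-in Microsoft task, excluded from the rule
"""

# Partial list of tasks shipped in the azure-pipelines-tasks repository (assumption:
# extend it for your own pipelines; anything not listed is treated as third-party).
BUILTIN_TASKS = {"Bash", "PowerShell", "PublishBuildArtifacts", "DotNetCoreCLI",
                 "UseDotNet", "NodeTool", "DownloadBuildArtifacts"}

TASK_RE = re.compile(r'^\s*-\s*task:\s*["\']?([A-Za-z0-9_.\-]+)@([0-9][^\s"\']*)')
PINNED_RE = re.compile(r"^\d+\.\d+\.\d+$")


def is_fully_pinned(version: str) -> bool:
    """True only for an exact major.minor.patch version."""
    return PINNED_RE.match(version) is not None


def short_name(task: str) -> str:
    """'publisher.extension.Task' -> 'Task'; plain names are returned unchanged."""
    return task.rsplit(".", 1)[-1]


def find_unpinned_tasks(pipeline_yaml: str):
    """Return (line_number, task_reference, version) for every third-party task
    that is not pinned to a specific major.minor.patch version."""
    findings = []
    for line_no, line in enumerate(pipeline_yaml.splitlines(), start=1):
        match = TASK_RE.match(line)
        if not match:
            continue
        task, version = match.group(1), match.group(2)
        if short_name(task) in BUILTIN_TASKS or is_fully_pinned(version):
            continue
        findings.append((line_no, task, version))
    return findings


if __name__ == "__main__":
    for line_no, task, version in find_unpinned_tasks(SAMPLE_PIPELINE):
        print(f"line {line_no}: {task}@{version} is not pinned to a reviewed version")
```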