Enterprise Deployment Guide

Module Trust in CI

Configure explicit module trust in headless CI pipelines to safely allow Data Generator execution.

In an enterprise environment, modules often contain Data Generators that execute shell commands (e.g., fetching cloud inventory or querying APIs).

Trust on First Use (TOFU)

Locally, rescile-ce prompts the user interactively before executing an untrusted module. In a headless CI environment there is no one to answer the prompt, so it fails the build instead, which prevents arbitrary code execution from malicious upstream modules.

Configuring Trust in Pipelines

When running the Rescile Importer in a pipeline, you must explicitly declare trusted modules. Use the --trust-modules flag with a comma-separated list of repository URLs:

rescile-importer --trust-modules "https://github.com/my-org/core-networking.git,https://github.com/my-org/security-baselines.git"

Alternatively, if you use a strict internal module registry where all code is pre-audited, you can bypass the safeguard entirely, which trusts every module without a per-repository list:

rescile-importer --trust-all-modules
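
For pipelines that use the explicit --trust-modules list rather than the bypass, the following added example (not part of rescile or its documentation) builds the comma-separated value from a reviewed allowlist and rejects entries that would widen trust, such as a URL containing a comma. The ALLOWED_PREFIX variable, the one-URL-per-line file format and the trusted-modules.txt file name are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: build the --trust-modules value from a reviewed allowlist.
# ALLOWED_PREFIX and the allowlist format (one URL per line, '#' comments)
# are assumptions of this sketch, not rescile conventions.
ALLOWED_PREFIX="${ALLOWED_PREFIX:-https://github.com/my-org/}"

# Reads URLs on stdin and prints one comma-separated list on stdout.
# Returns 1 and prints no list if any entry is rejected or none remain.
build_trust_list() {
    list=""
    while IFS= read -r line || [ -n "$line" ]; do
        # Drop carriage returns and surrounding whitespace.
        url=$(printf '%s' "$line" | tr -d '\r' |
              sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$url" in
            ''|'#'*) continue ;;              # blank line or comment
        esac
        case "$url" in
            # A comma would split into a second trusted URL; whitespace and
            # ".." make the entry ambiguous once it is inside the flag value.
            *,*|*[[:space:]]*|*..*)
                echo "rejected (malformed): $url" >&2; return 1 ;;
        esac
        case "$url" in
            "$ALLOWED_PREFIX"*.git) ;;        # approved organisation only
            *) echo "rejected (outside $ALLOWED_PREFIX): $url" >&2; return 1 ;;
        esac
        list="${list:+$list,}$url"
    done
    [ -n "$list" ] || { echo "rejected: allowlist is empty" >&2; return 1; }
    printf '%s\n' "$list"
}

# Constructed sample input, using the two repository URLs from this page.
SAMPLE='# reviewed module sources
https://github.com/my-org/core-networking.git
https://github.com/my-org/security-baselines.git'
printf '%s\n' "$SAMPLE" | build_trust_list

# Pipeline usage (trusted-modules.txt is a hypothetical, code-reviewed file):
#   TRUSTED=$(build_trust_list < trusted-modules.txt) || exit 1
#   rescile-importer --trust-modules "$TRUSTED"
```

Keeping the allowlist in a file under code review means a change to the trusted set shows up as a diff rather than as an edit to a pipeline command line.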