You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
There is another security practice I would like to suggest, also recommended by the OpenSSF Scorecard, which is to hash pin dependencies to prevent typosquatting and tag renaming attacks.
The change would only be applied to GitHub workflows.
Along with hash-pinning dependencies, I also recommend adopting dependabot or renovatebot to help keep the dependencies up to date. Both tools can update hashes and associated semantic version comments.
Together with this issue I'll also suggest a PR with the hash-pinning changes since they are quite simple. If you also agree on adopting dependency update tool just tell me which one and I can submit a default config file that covers github workflow permissions.
Any questions or concerns just let me know.
Thanks!
Additional Context
A tag renaming attack is a type of attack whereby an attacker:
Description
There is another security practice I would like to suggest, also recommended by the OpenSSF Scorecard, which is to hash pin dependencies to prevent typosquatting and tag renaming attacks.
The change would only be applied to GitHub workflows.
This means:
Along with hash-pinning dependencies, I also recommend adopting dependabot or renovatebot to help keep the dependencies up to date. Both tools can update hashes and associated semantic version comments.
Together with this issue I'll also suggest a PR with the hash-pinning changes since they are quite simple. If you also agree on adopting dependency update tool just tell me which one and I can submit a default config file that covers github workflow permissions.
Any questions or concerns just let me know.
Thanks!
Additional Context
A tag renaming attack is a type of attack whereby an attacker:
A typosquatting attack is a type of attack whereby an attacker:
For more informations about the dependency-update tools:
The text was updated successfully, but these errors were encountered: