-
The release does not include a JavaScript version.
Also, the recommended install instructions are to load from CDN using jsDelivr or other without SRI.
Best practice is to use SRI which prevents …
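Generating the `integrity` value the post recommends, as an added example that is not code from the original issue or from the project it reports against. It assumes `openssl` is on PATH and that the file being hashed is the exact bytes the CDN serves for one pinned version (download that version, hash it, then pin both the version in the URL and the hash in the tag); the `cdn.example.com` URL in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original issue): compute a Subresource Integrity
# value for a pinned copy of a script and emit the <script> tag that uses it.
# Assumes: openssl on PATH; FILE is byte-identical to what the CDN serves.

# sri_hash FILE -> prints "sha384-<base64 of the raw SHA-384 digest>"
# SRI base64-encodes the binary digest, not the hex string.
sri_hash() {
    file="$1"
    digest=$(openssl dgst -sha384 -binary "$file" | openssl base64 -A)
    printf 'sha384-%s\n' "$digest"
}

# sri_verify FILE INTEGRITY -> exit 0 if FILE matches INTEGRITY, 1 otherwise.
# This is what the browser does before executing a cross-origin script.
sri_verify() {
    [ "$(sri_hash "$1")" = "$2" ]
}

# script_tag URL FILE -> the tag to paste into the page. crossorigin is
# required: without it the browser cannot read a cross-origin response body
# to check it, and treats the fetch as an integrity failure.
script_tag() {
    printf '<script src="%s" integrity="%s" crossorigin="anonymous"></script>\n' \
        "$1" "$(sri_hash "$2")"
}

# Usage (placeholder URL):
#   script_tag https://cdn.example.com/lib@1.2.3/lib.min.js ./lib.min.js
```

If the CDN later serves different bytes for the same URL (compromise, or a tag that was force-pushed and rebuilt), `sri_verify` fails and the browser refuses to run the script; a page that loads the script without `integrity` runs whatever is served.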
-
### Technical Initiative
Securing Repositories Working Group
### Lifecycle Phase
Graduated
### Funding amount
$4000
### Problem Statement
Software repositories are looking for guidance on when …
-
### Describe the need
Please add github_app as a terraform resource. This is beneficial for temporary development environments (Review Apps) and we would like to remove the application when the resou…
-
In looking at https://github.com/moovweb/gvm/blob/master/scripts/install I noticed that `download_binary()` downloads the go tarball via [curl](https://github.com/moovweb/gvm/blob/master/scripts/insta…
-
### What's wrong?
Without further customization, the Grafana Alloy Helm chart spawns the config-reloader pod `ghcr.io/jimmidyson/configmap-reload:v0.12.0`, see [`configReloader` section in values.yaml]…
-
### Supply chain issues
Security is as strong as the weakest link.
### OSS Supply chain attacks are real:
https://github.com/cncf/tag-security/tree/main/supply-chain-security/compromises
### …
-
![image](https://github.com/dlang/dub-registry/assets/21064622/092ca996-bf93-4a8b-a089-46f8e62769df)
https://codeberg.org/
https://about.gitea.com/
BoQsc updated
1 month ago
-
Open Source is everywhere. It is in many proprietary codebases and community projects. For organizations and individuals, the question today is not whether you are or are not using open-source code, b…
-
TFLint installed with this action has not been verified for checksums/signatures. This action is typically performed on the GitHub infrastructure, and binaries are distributed under the organization w…
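The gap raised here and in the gvm install-script report above is the same one: a binary is fetched with curl and run without comparing it to a published checksum. The following is an added example of a fail-closed download step, not code from gvm, TFLint, or the action. It assumes `curl` plus either `sha256sum` (coreutils) or `shasum` (macOS); the URL and hash in the usage line are placeholders, and the real expected hash must come from the project's release notes or signed checksum file, not from the same unauthenticated download.

```shell
#!/bin/sh
# Added example (not gvm's or the TFLint action's code): refuse to install a
# downloaded binary whose SHA-256 does not match the value published with the
# release. Assumes curl and sha256sum or shasum; URL/hash below are placeholders.

# sha256_of FILE -> lowercase hex digest, portable across coreutils and macOS
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED -> 0 on match, 1 on mismatch (hex, case-insensitive)
verify_sha256() {
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# fetch_and_verify URL EXPECTED DEST: download to a temp file, verify, then
# move into place. On any failure the download is deleted and 1 is returned,
# so a caller running under `set -e` aborts instead of executing the file.
fetch_and_verify() {
    url="$1"; expected="$2"; dest="$3"
    tmp=$(mktemp) || return 1
    # --proto '=https' refuses redirects that downgrade to http
    if ! curl --fail --silent --show-error --location --proto '=https' \
              --tlsv1.2 -o "$tmp" "$url"; then
        rm -f "$tmp"; return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        printf 'checksum mismatch for %s\n  expected %s\n  got      %s\n' \
            "$url" "$expected" "$(sha256_of "$tmp")" >&2
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$dest"
}

# Usage (placeholder URL and hash):
#   set -e
#   fetch_and_verify https://example.com/tool.tar.gz <sha256-from-release> ./tool.tar.gz
```

A checksum only pins the artifact to whatever the checksum file said; if that file is fetched from the same place as the binary, an attacker who can replace one can replace both. It still catches a tampered mirror, a CDN error, or a retagged release, and it is the step both reports above are missing; signature verification against the project's release key is the stronger check where the project publishes one.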
-
The docs don't explain what kinds of supply chain attacks we are worried about, what we are doing to mitigate them, what risks we need to assume, etc.
There's also many ways to approach this proble…