-
- [ ] use [Harden Runner](https://github.com/step-security/harden-runner) in all GH workflows
- [ ] use hashes instead of versions in GH workflows
- [ ] add [OpenSSF Scorecard](https://github.com/os…
alpe updated
5 months ago
-
Consider supply-chain security explicitly. For example:
- https://github.blog/2022-04-07-slsa-3-compliance-with-github-actions/
- https://slsa.dev/
- https://www.openchainproject.org/get-started/confor…
-
The issue originally started with just making the build reproducible, but there are other supply chain attack vectors. For example, if some build tools introduce malicious code, then the build will be mal…
-
In light of the `xz` attack:
* https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/
audit the opentelemetry-cpp repository for possib…
-
## Date
Tuesday 7 Nov 2023 - 9AM EST / 2PM UK
## Untracked attendees
| Name | Firm | Comment |
| :--- | :--- | :------ |
## Meeting notices
- FINOS **Project leads** are responsible for …
-
## What is the proposed Cheat Sheet about?
The CS will provide an overview of SSCS, its relevance to developers, and practical guidance on improving the security of SSCs.
## What security…
-
## Describe the bug
On the page https://javascript.info/polyfills there is a link to polyfill.io, which has been found to serve malware because the site was sold to a Chinese company. Instead, replace it w…
-
Ensure supply chain security for code/package repositories (e.g. hex.pm)
-
Implement a Scorecards supply-chain security job within the CI/CD pipeline to systematically evaluate and score the security postures of all dependencies in the software supply chain. This job will ut…
-
This issue is aiming to wrap up the discussion on the signing of Helm itself (#10634 & #10635 from @jdolitsky) and chart/image signing (#10436 & #10451 from @Dentrax & @developer-guy). I understand th…