-
### Description:
When using `actionlint` to check GitHub Actions workflows, I encountered a warning indicating that `github.head_ref` is potentially untrusted when used directly in an inline script…
-
Typically, industrial environments need OS hardening for installation in a controlled environment. What are the guidelines for Elemental OS? How are the hardening aspects addressed with respect to elemen…
-
I came across this guide to hardening. It has some great tips on quenching, and I think we should add them to Lynis.
https://madaidans-insecurities.github.io/guides/linux-hardening.html
-
## Why
A bad actor can force-push a tag so that a GitHub Action does some malicious actions.
A bad actor can push a malicious container image under the same name.
## What
We should use dige…
-
https://github.com/aquasecurity/trivy-action/blob/cb606dfdb0d2b3698ace62192088ef4f5360b24f/README.md?plain=1#L70
See https://docs.github.com/en/actions/security-guides/security-hardening-for-github…
-
InSpec Profile Baselines
----
The MITRE InSpec Team has been working with the Dev-Sec Project ( www.place.io ). The devsec project is the open source community building InSpec profiles that are best-…
-
**Is your feature request related to a problem? Please describe.**
My organisation has strict security requirements, and one of the baselines is hardening guides to lock down the server to the bare m…
-
Rather than using tagged versions for GitHub Actions, our builds could be more reproducible if we leveraged the Git shas instead.
https://docs.github.com/en/actions/security-guides/security-harde…
-
- [ ] Follow recommendation on https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
- [ ] Use service principals for communication with Azure resources.
-
One way the building of artifacts is vulnerable to attack is via third party actions. There's a lot of trust in that chain.
Optimally, we vendor in and audit at the time of vendoring each third pa…