-
**Is your feature request related to a problem? Please describe.**
The playbook lacks guidance on how to evaluate an open source dependency that is being taken.
**Describe the solution you'd like…
-
This issue is always open, since it's always time to update:
- [x] [actions/setup-java](https://github.com/actions/setup-java)
- [x] [actions/cache](https://github.com/actions/cache)
- [x] [mikepenz…
-
I work with repos where all GitHub Actions are pinned by commit hash, and passlisted in the repo settings. As of https://github.com/aquasecurity/trivy-action/pull/406, it is not possible to do this an…
smola updated 1 month ago
-
This check is valid but we should think about going further: this is an invariant that should never occur; if it occurs, it means something is wrong with the blockchain like ability …
fbac updated 2 months ago
-
### Application contact emails
atul@sgnl.ai, erik@sgnl.ai, chiranjeewee@sgnl.ai
### Project Summary
Assure identity and context in microservices call chains
### Project Description
Trat…
-
# Library Version Pinning
## Digital Artifacts
File Content Rules analyzes File
## Definition
Ensure only certain versions are used, i.e. "pinned down", for all libraries used across scripts and …
-
a bit of a braindump here - to be restructured :)
It would be really cool if helmper could facilitate showing a diff (output from 'diff -bduNr' current-docker/ new-docker/ - and just export the cur…
-
Having safe, supply chain attack protected builds is as important as having stable reproducible builds.
As per #10 @dector's comment on supply chain attacks, it's important to verify external depende…
-
This project is used by lots of other projects it seems, but it is entirely unclear to me what the security assumptions for downloading these postgres binaries are.
Is it possible to have a checksu…
-
### Problem
Supply chain attacks with malicious packages downloaded via dependencies or indirect dependencies are exploding in the NPM ecosystem.
Auditing of dependencies with tools like `cargo …