-
Hi! I'm wondering if you would be OK with a pull request that removes the `vendor/` directory and uses only Go modules for dependency management?
We (Microsoft Network Cloud) have a mirror of this …
-
**Describe the problem/challenge you have**
Currently, the artefacts produced by the different Carvel projects (binaries, images, bundles) are not signed. It would be nice if they were all signed t…
-
The issue started originally with just making the build reproducible, but there are other supply chain attack vectors. For example, if some build tools introduce malicious code, then the build will be mal…
-
Containers are part of a software supply chain. Because of that, I see some overlap in some of the areas of concern outlined in [Component Analysis](https://www.owasp.org/index.php/Component_Analysis)…
-
Link to website: https://tag-security.cncf.io/
In order to increase the quality of outputs from TAG Security, to simplify the project maintenance, and to streamline new member familiarization, ther…
-
Dear all,
Recently, there have been a number of software supply chain attacks. Basically, malicious persons push malicious code in open-source software:
Spoon is concerned by this problem, bec…
-
https://www.docker.com/press-release/atomist-acquisition-helps-meet-challenge-of-securing-software-supply-chains-for-development-teams/
-
## Description
We could use [sigstore cosign](https://github.com/sigstore/cosign) for this. Read more on software supply chain security here: https://docs.sigstore.dev/#software-supply-chain-securi…
-
## 📚 Context
### Problem:
Currently, there is a lack of visibility into the build process and contents of Docker images used in the project. This makes it challenging to assess the security ris…
-
Anyone who's delved into/compared using this action versus uploading an SBOM to the dependency submission API?
I'm referring to things like these:
- https://docs.github.com/en/code-security/supply…