RafaelGSS / blog

My personal blog :star:
https://blog.rafaelgss.com.br

Why you should pin your GitHub Actions by commit-hash #49

Open utterances-bot opened 1 year ago

utterances-bot commented 1 year ago

Why you should pin your GitHub Actions by commit-hash

A tech blog focused on Application Performance and Software Architecture. The Front-end is just JSON over here.

https://blog.rafaelgss.dev/why-you-should-pin-actions-by-commit-hash

dreua commented 1 year ago

Thank you for the article! It makes sense and maybe should become the default. Are there any known attacks using this method?

RafaelGSS commented 1 year ago

Hi @dreua! The attack vector is the supply chain attack, the one mentioned in the blog post.

TWiStErRob commented 7 months ago

@RafaelGSS it would be interesting to know if there was any known real incident using this attack vector. I think that's what dreua wanted to know as well.

dreua commented 7 months ago

What I wonder additionally is whether it is possible to get automatic updates with pinned hashes. Dependabot is really great with checking your used actions and creating PRs for updates. Not sure if it is a worthy trade to use pinned outdated Actions but never get them updated. (Assuming you can't get both and have someone or some bot to help with updating the pins.)

RafaelGSS commented 7 months ago

> @RafaelGSS it would be interesting to know if there was any known real incident using this attack vector. I think that's what dreua wanted to know as well.

I know a few real incidents, but I don't have references to share them.

> What I wonder additionally is whether it is possible to get automatic updates with pinned hashes. Dependabot is really great with checking your used actions and creating PRs for updates

Dependabot automatically updates it. See https://github.com/nodejs/node/pull/51334

TWiStErRob commented 7 months ago

Renovate also does it: https://github.com/detekt/detekt/commit/fde578d3f2778f2a18a47c2d605bfee3c2669599
Config: https://docs.renovatebot.com/presets-config/#configbest-practices
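As an added example (not from the blog post or this thread): a small checker that scans a workflow file and reports every `uses:` entry that is not pinned to a full 40-character commit SHA, which is the property the article argues for and that Dependabot/Renovate then keep current. The workflow text and the SHA in it are constructed sample input.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow (hypothetical; the SHA below is a placeholder, not a real commit):
# one step pinned by full commit SHA, one by a mutable tag, one by a branch, one local action.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.1
      - uses: actions/setup-node@v4
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-step
      - run: npm test
"""

# Captures the reference after `uses:`, stopping before whitespace, quotes or a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: int      # 1-based line number in the workflow file
    ref: str       # the full `owner/repo@ref` string as written
    reason: str    # why it is considered unpinned


def find_unpinned_actions(workflow_text: str) -> list[Finding]:
    """Return every `uses:` entry not pinned to a full commit SHA.

    Local actions (./path) and docker:// images are skipped: they are not
    resolved through a mutable git ref, so SHA pinning does not apply to them.
    """
    findings: list[Finding] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append(Finding(lineno, ref, "no ref given at all"))
            continue
        version = ref.rsplit("@", 1)[1]
        if not FULL_SHA_RE.match(version):
            findings.append(Finding(lineno, ref, f"mutable ref '{version}' instead of a 40-char commit SHA"))
    return findings
```

Keep the trailing `# vX.Y.Z` comment next to each SHA: it is the convention Dependabot and Renovate maintain when they bump the pin, and it keeps the file readable for reviewers.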