Flagging supply-chain security issues #372
Comments
|
Hi @gabibguti! 👋 I'm not familiar with Scorecard so would be keen to look into it. Is this the project here? |
|
Yes, that's it. |
|
Hi! Friendly ping here. Did you have time to look into Scorecard? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Flagging supply-chain security issues is important for you to be aware of where your repository is vulnerable to these attacks and act upon it. Supply-chain attacks aim for your development, build and release weaknesses. That's why using minimum permissions for actions and referencing actions by commit SHA on your GitHub workflows helps protecting you from malicious actions on GitHub, specially in build and release workflows.
In this repository, we have already worked to flag and fix a few supply-chain security issues. To flag more issues like that, you can use Scorecard security tool to receive alerts in GitHub's Security Dashboard. If you agree, I can open a PR to add it.
Additional Context
Hi again! I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)
The text was updated successfully, but these errors were encountered: