Scanning alert proposes unsupported remediation #2129
Labels
kind/bug
Something isn't working
Comments
1 task
|
Hi, thanks for the report. In you use case, the workflow has low privilege (pull_request trigger with only read permissions, no secrets available), so I agree scorecard should be handling this better. We have a tracking issue in #2018 Please let me know if this would address the problem. @raghavkaul this would fall under the |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
Here’s a scanning alert: https://github.com/jenstroeger/python-package-template/security/code-scanning/38
It suggests to use
pipwith a hash instead of a pinned version. Alas, pip install does not have such a feature. While I understand the intention of the alert, we have good reason to pin instead of using a hash (doesn’t work) or a lock file/requirements.txt (too much clutter).Expected behavior
No alert, or at least a better message.
Additional context
I’m tempted to say that this alert is a false positive; probably not, in which case the messaging ought to be clarified.
The text was updated successfully, but these errors were encountered: