| ▲ | ashishb 4 hours ago |
| I always run such tools inside sandboxes to limit the blast radius. |
|
| ▲ | PunchyHamster 3 hours ago | parent | next [-] |
| The sandbox will need internet access (to update data) and you will need to send code to test into it; so compromise already equals leaking all your code, without even breaking the sandboxing |
| |
| ▲ | ashishb 3 hours ago | parent | next [-] | | > The sandbox will need internet access (to update data) and you will need to send code to test into it; so compromise already equals leaking all your code, without even breaking the sandboxing Compromising all code in one directory is bad.
Compromising all my data in all other directories, including mounted cloud drives, is worse. I restrict most dev tools to access only the current directory. | |
| ▲ | staticassertion 2 hours ago | parent | prev [-] | | You only need internet access to grab the image, I don't think trivy requires internet access itself. All of my image scanning tools run in isolation. |
|
|
| ▲ | wswin 3 hours ago | parent | prev [-] |
| I don't think it would help here, they were stealing credentials |
| |
| ▲ | tux1968 2 hours ago | parent | next [-] | | Whenever possible, credentials shouldn't be inside the sandbox either. Credential proxying, or transparent credential injection, for example with Sandcat: https://github.com/VirtusLab/sandcat | |
| ▲ | ashishb an hour ago | parent | prev [-] | | > I don't think it would help here, they were stealing credentials So, stealing credentials in the current directory and in all other directories are the same thing? |
|
