96% of GitHub repos have high severity issues in their Action workflows (pin-gh-actions.kammel.dev)
2 points by datosh 5 hours ago | 1 comments
datosh 5 hours ago | parent [-]

In light of recent supply chain attacks, I have conducted a scan of the top 10k repos (by stars) using the GHA security scanner zizmor.

The results are quite sobering. Many of the recent supply chain attacks were preventable, since zizmor is pointing out the exact weaknesses that were used: unpinned dependencies, template injection, ... and many more.

Happy for any input and feedback on the data and presentation, as well as ideas on how we use this to improve the security posture of our open source community!

In case you want to leave an issue or star: https://github.com/datosh/pinned-actions
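As an added example, not part of datosh's scanner or of zizmor, here is a minimal checker for the two weakness classes the post names: `uses:` references not pinned to a commit SHA, and `run:` scripts that expand untrusted event fields into the shell. The workflow it scans is constructed for the demo and the SHA in it is a placeholder.

```python
"""Lint a GitHub Actions workflow for unpinned `uses:` refs and template injection.
Added example (not from datosh's scanner or zizmor); needs no YAML library."""
import re

SHA_PIN = re.compile(r"^[0-9a-f]{40}$")  # only a full commit SHA is immutable
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
RUN = re.compile(r"^\s*-?\s*run:\s*(.*)$")
# Event fields an outside contributor can control (illustrative, not exhaustive).
UNTRUSTED = re.compile(r"\$\{\{\s*github\.(event\.(issue|pull_request|comment|review)\.|head_ref)")

def lint_workflow(text: str) -> list[str]:
    """Return 'line: problem: detail' strings for each weakness found."""
    findings = []
    run_indent = None  # indent of the `run:` key whose block scalar we are inside
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if run_indent is not None:
            if stripped and indent <= run_indent:
                run_indent = None  # block scalar ended; examine this line normally
            else:
                if UNTRUSTED.search(line):  # untrusted data expanded into the shell
                    findings.append(f"{lineno}: template injection: {stripped}")
                continue
        m = USES.match(line)
        if m:
            ref = m.group(1)
            if ref.startswith("./"):  # local action, nothing to pin
                continue
            _, _, version = ref.partition("@")
            if not SHA_PIN.match(version):  # a tag or branch can be moved later
                findings.append(f"{lineno}: unpinned action: {ref}")
            continue
        m = RUN.match(line)
        if m:
            body = m.group(1).strip()
            if body in ("|", "|-", ">", ">-"):
                run_indent = indent  # script continues on more-indented lines
            elif UNTRUSTED.search(body):
                findings.append(f"{lineno}: template injection: {body}")
    return findings

# Constructed sample: one mutable tag, one SHA pin (placeholder value), one injection.
SAMPLE_WORKFLOW = """\
on: [pull_request_target]
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - run: |
          echo "Title: ${{ github.event.pull_request.title }}"
"""
```

Running `lint_workflow(SAMPLE_WORKFLOW)` reports the `@v4` tag on line 5 and the interpolated PR title on line 8; the SHA-pinned step passes.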