I ran OSSF's scorecard on your repo and it reported the following non-pinned docker dependencies:
$ ./scorecard --repo=github.com/laurentsimon/scorecard-remediation-tests/ --checks=Frozen-Deps --show-details
!! frozen-deps/docker - src/drivers/npm/Dockerfile has non-pinned dependency 'node:12-bla2'
!! frozen-deps/docker - src/drivers/npm/Dockerfile has non-pinned dependency 'node:12-bla1'
!! frozen-deps/docker - src/drivers/npm/Dockerfile has non-pinned dependency 'node:12-alpine'
In light of recent supply chain attacks like Codecov, it would be useful to pin the dependencies by hash.
Pinning by version or any floating tag does not protect sufficiently, since it still allows attackers to update the dependencies if they can compromise a project.
Updates remain feasible. Project owners usually enable GitHub's Dependabot through these settings. Dependabot will automatically create PRs that you can review, accept or reject when new versions of your dependencies become available.
It is recommended to accept Dependabot PRs regularly to receive security patches.
Several projects are taking steps to address the same issue, e.g. Envoy proxy.
Please let me know if you have any questions.
Hi team,
@laurentsimon @laurentsimon2 FYI
How to fix
The fix is to use a hash to pin the dependencies. You can find an example here.
To find the hash corresponding to your dependency, run:
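Added example, not code from this issue, from the Scorecard project or from the repository it was filed against: a POSIX shell check that reports every FROM image in a Dockerfile that is not pinned to a digest, run over constructed Dockerfiles for the src/drivers/npm image named in the finding above (floating tag, digest-pinned, and a multi-stage file with a scratch base and a stage reference). It covers both the finding in the first comment and the "How to fix" section. The digest used in the pinned file is a placeholder, not the real digest of node:12-alpine; the docker commands in the comments are the assumed way to obtain the real one.

```shell
#!/bin/sh
# Added example, not code from the issue or from the Scorecard project.
# unpinned_from DOCKERFILE_TEXT
#   prints every image referenced by a FROM instruction that is not pinned to a
#   digest (image[:tag]@sha256:<64 hex>) and returns 1 if any was found, 0 otherwise.
#   "--platform=..." flags, "scratch" and references to earlier build stages are
#   recognised so they are not reported as unpinned images.
unpinned_from() {
  printf '%s\n' "$1" | (
    set -f                  # never glob while splitting lines into words
    stages=" "              # stage names seen in "FROM ... AS name", space-delimited
    found=0
    while IFS= read -r line; do
      set -- $line
      [ "$#" -ge 2 ] || continue
      case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
        FROM) ;;
        *) continue ;;
      esac
      shift
      while [ "$#" -gt 0 ]; do             # drop flags such as --platform=linux/amd64
        case "$1" in --*) shift ;; *) break ;; esac
      done
      [ "$#" -ge 1 ] || continue
      img=$1
      if [ "$#" -ge 3 ]; then              # "FROM img AS name": remember the stage name
        case "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" in
          AS) stages="$stages$3 " ;;
        esac
      fi
      case "$img" in scratch) continue ;; esac
      case "$stages" in *" $img "*) continue ;; esac   # "FROM build": a stage, not an image
      if ! printf '%s\n' "$img" | grep -Eq '@sha256:[0-9a-f]{64}$'; then
        printf '%s\n' "$img"
        found=1
      fi
    done
    [ "$found" -eq 0 ]
  )
}

# Constructed Dockerfile for the src/drivers/npm image with floating tags only,
# mirroring the Scorecard finding.
UNPINNED_DOCKERFILE='FROM --platform=linux/amd64 node:12-alpine AS build
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci
COPY . .

FROM node:12-alpine
COPY --from=build /app /app
CMD ["node", "/app/index.js"]'

# The remediation: append @<digest> to every FROM image. The digest here is a
# PLACEHOLDER, not the real digest of node:12-alpine. Obtain the real one, after
# pulling the tag you trust today, with
#   docker inspect --format '{{index .RepoDigests 0}}' node:12-alpine
# or, without pulling, with
#   docker buildx imagetools inspect node:12-alpine
PLACEHOLDER_DIGEST=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
PINNED_DOCKERFILE=$(printf '%s\n' "$UNPINNED_DOCKERFILE" \
  | sed "s|node:12-alpine|node:12-alpine@$PLACEHOLDER_DIGEST|")

# Constructed multi-stage file: "scratch" and the reference to an earlier stage must
# not be reported; only the floating node:12-bla1 tag from the finding is.
STAGE_DOCKERFILE='FROM scratch AS base
FROM base
FROM node:12-bla1
CMD ["true"]'

printf 'Floating tags:\n'
unpinned_from "$UNPINNED_DOCKERFILE" || printf -- '-> fails the check\n'
printf 'Pinned by digest:\n'
unpinned_from "$PINNED_DOCKERFILE" && printf -- '-> passes the check\n'
```

Docker resolves `name:tag@sha256:...` by the digest alone; the tag is kept only as documentation and as the hint Dependabot uses (`package-ecosystem: docker` in `.github/dependabot.yml`) to propose a new digest when the tag moves, which is how the "updates remain feasible" point above works in practice. For a multi-architecture image, pin the digest of the manifest list (what `docker buildx imagetools inspect` prints for the tag) rather than the digest of one platform's manifest, or the build will break on other platforms.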