0 points
AdrienPoupa
3mo ago
That's true. This specific attack was mitigated by hash pinning, but some actions like https://github.com/1Password/load-secrets-action default to using the latest version of an underlying dependency.
2 comments · 1 top-level
cpuguy83
3mo ago
· 1 in thread
This attack was *not* mitigated by hash pinning. The setup-trivy action installs the latest version of trivy unless you specify a version.
AdrienPoupa
OP
3mo ago
Oh, I was referring to `aquasecurity/trivy-action` that was changed with a malicious entrypoint for affected tags. Pinned commits were not affected.
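The thread above turns on the difference between referencing a GitHub Action by a mutable tag or branch and pinning it to a full commit SHA. The following script is an added example, not code from any of the commenters or from the Trivy or 1Password projects: it scans a workflow file for `uses:` lines and classifies each reference as SHA-pinned, mutable (tag or branch), local, or a container image, so a reviewer can list what still needs pinning. The sample workflow and the 40-hex SHA in it are constructed placeholders. As the thread points out, this check only covers the action reference itself; it cannot tell whether the action then downloads the latest version of some tool at runtime, which has to be reviewed in that action's inputs and source.

```python
import re
from typing import Dict, List

# Constructed sample workflow for illustration. The commit SHA below is a
# placeholder, not a real commit of aquasecurity/trivy-action.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/setup-trivy@main
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
IMAGE_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
USES_LINE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)""")


def classify_ref(action: str) -> str:
    """Classify a `uses:` reference by how immutable it is.

    sha     -> pinned to a full 40-hex commit (or an image digest); the content
               cannot be swapped underneath you by moving a tag
    mutable -> tag, branch, or image tag; whoever controls the repo or registry
               can repoint it, which is the scenario discussed in the thread
    local   -> action checked in to this repository (./path); fixed by the
               commit that was checked out
    """
    if action.startswith("./"):
        return "local"
    if action.startswith("docker://"):
        return "sha" if IMAGE_DIGEST.search(action) else "mutable"
    _, sep, ref = action.partition("@")
    if sep and FULL_SHA.match(ref):
        return "sha"
    # Short SHAs, tags (v4) and branches (main) all land here.
    return "mutable"


def audit_workflow(text: str) -> List[Dict[str, object]]:
    """Return one finding per `uses:` line: line number, reference, and class."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if m:
            action = m.group(1)
            findings.append({"line": lineno, "action": action, "kind": classify_ref(action)})
    return findings


def unpinned_actions(text: str) -> List[str]:
    """References a reviewer would ask to be pinned to a commit SHA or digest."""
    return [str(f["action"]) for f in audit_workflow(text) if f["kind"] == "mutable"]


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']:>3}  {f['kind']:<8} {f['action']}")
    print("needs pinning:", unpinned_actions(SAMPLE_WORKFLOW))
```

The parser is deliberately line-based so it runs without a YAML library; it will miss a `uses:` key written in flow style on one line, which is rare in hand-written workflows. A SHA pin is treated as immutable only when all 40 hex digits are present, since a short prefix can be matched by a later, attacker-chosen commit.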