AdrienPoupa
4d ago
That's true. This specific attack was mitigated by hash pinning, but some actions like https://github.com/1Password/load-secrets-action default to using the latest version of an underlying dependency.
cpuguy83
4d ago
This attack was *not* mitigated by hash pinning. The setup-trivy action installs the latest version of trivy unless you specify a version.
AdrienPoupa
OP
4d ago
Oh, I was referring to `aquasecurity/trivy-action` that was changed with a malicious entrypoint for affected tags. Pinned commits were not affected.
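A defender-side check for the two pinning gaps this thread distinguishes (a `uses:` reference that is a mutable tag or branch rather than a full commit SHA, and a tool-installer step such as setup-trivy with no explicit tool version), added here as an example and not code from the thread or from either project. The sample workflow is constructed, and the assumption that setup-trivy's pinning input is named `version` is mine.

```python
import re

# Constructed sample workflow (not from the thread): one step is SHA-pinned, one uses
# a mutable branch ref, and two install trivy, only one of which pins the tool version.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/setup-trivy@v1
      - uses: aquasecurity/setup-trivy@v1
        with:
          version: v0.50.0
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-\s*uses:\s*([^\s#]+)")
# Actions that fetch a tool at run time, mapped to the `with:` input that pins it.
# The input name "version" is an assumption; confirm it against the action's README.
TOOL_INSTALLERS = {"aquasecurity/setup-trivy": "version"}


def audit_workflow(text):
    """Return (line_no, ref, finding) tuples for every risky `uses:` step."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines, 1):
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1)
        action, _, version = ref.partition("@")
        if action.startswith("./"):
            continue  # local action in the same repo, nothing to pin
        if not FULL_SHA.match(version):
            findings.append((i, ref, "action not pinned to a full commit SHA"))
        pin_input = TOOL_INSTALLERS.get(action)
        if pin_input and not _has_with_input(lines, i, pin_input):
            findings.append((i, ref, f"tool version not pinned via with.{pin_input}"))
    return findings


def _has_with_input(lines, step_line, key):
    """Scan the step's more-indented continuation lines for `key:` under `with:`."""
    indent = len(lines[step_line - 1]) - len(lines[step_line - 1].lstrip())
    for line in lines[step_line:]:
        if not line.strip():
            continue
        if len(line) - len(line.lstrip()) <= indent:
            break  # reached the next step or the end of the steps block
        if line.strip().startswith(f"{key}:"):
            return True
    return False
```

Run against the sample, the checker reports the `@master` step, the unpinned setup-trivy step twice (mutable tag and no tool version), and the second setup-trivy step once (mutable tag only).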