laurentsimon
Possible patterns to check for:
1. Git/hg repo clone
2. Curl github.com/bla/bla/releases/download/bla
3. Curl tarball
another occurrence in https://github.com/step-security/agent/issues/35#issuecomment-974274585
another one https://github.com/ossf/scorecard/issues/1074#issuecomment-973479064
Apparently, this happened all the time in https://github.com/step-security/agent/issues/35#issuecomment-974585033 @varunsh-coder does the problem occur on pull requests or on push events to main branch?
It would be good to flag it nevertheless, because it's a potential risk. Any thoughts on warning without recommending pinning by hash?
I agree it looks like a permission problem. We use `permissions: read-all` and `security-events: write`; and this error only happens for the Branch Protection APIs using GraphQL. Mhhhh.. this page...
Do you know if dependabot/renovatebot support commands within shell scripts/makefiles, e.g. `go install bla@something`? I'm also curious about GCB's cloud.yaml files https://github.com/ossf/scorecard/issues/1503 cc @rarkins
@josepalafox the GraphQL APIs seem to require a PAT/OAuth token and don't automatically work with the GitHub token provisioned to workflows. Do you know the reasoning behind this? Is there...
@rarkins do you mean it's too risky to parse arbitrary shell scripts? Let me give you a concrete example of what I meant. If I have a workflow using `uses:...
Interesting, thanks for sharing! I don't understand why the GitHub tokens have different permission models though :/