laurentsimon
For security reasons, it's common practice to pin third-party action dependencies by hash in workflows. It's recommended by OSSF Scorecard, for example. It helps avoid a situation where a dependency is...
## Pre-requisites - [ ] Prior to submitting a new workflow, please apply to join the GitHub Technology Partner Program: [partner.github.com/apply](https://partner.github.com/apply?partnershipType=Technology+Partner). --- ### **Please note that at this time we...
GitHub asks users to define workflow permissions, see https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ and https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token . Until recently, this repo did not follow the recommendations: https://github.com/actions/starter-workflows/pull/1072/files. Thanks @varunsh-coder for helping out! This repo is home...
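The hash-pinning issue above and this permissions note both come down to checks one can run over a workflow file. The following Python linter is an added example, not code from Scorecard, starter-workflows or any of the linked PRs: it flags `uses:` references that are not pinned to a full commit SHA, and workflows that never set a top-level `permissions:` block or set it to `write-all`. It is deliberately line-based so it needs no YAML library. The sample workflows, the action names and the SHA in them are constructed placeholders, and counting only an unindented `permissions:` key (ignoring job-level blocks) is a simplification assumed here, not a description of how Scorecard's check works.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example: a line-based linter for two GitHub Actions hygiene rules
# (pin third-party actions by commit SHA; restrict GITHUB_TOKEN with a
# top-level permissions block).  Not Scorecard's implementation.

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `- uses: owner/repo@ref` inside steps, or `uses:` for a reusable workflow.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# Only an unindented `permissions:` key counts as the workflow-level block
# (simplification assumed here: job-level blocks are not considered).
TOP_PERM_RE = re.compile(r"^permissions:\s*(.*)$")


@dataclass
class Finding:
    line: int          # 1-based line number, 0 for whole-file findings
    message: str


def is_pinned(ref: str) -> bool:
    """A ref is pinned only if it is a full 40-hex-digit commit SHA."""
    return bool(SHA_RE.match(ref))


def check_uses(lineno: int, spec: str) -> Optional[Finding]:
    # Local actions and docker:// images have no git ref to pin.
    if spec.startswith("./") or spec.startswith("docker://"):
        return None
    if "@" not in spec:
        return Finding(lineno, f"'{spec}' has no ref")
    name, ref = spec.rsplit("@", 1)
    if not is_pinned(ref):
        return Finding(lineno, f"'{name}' uses mutable ref '{ref}' instead of a commit SHA")
    return None


def lint_workflow(text: str) -> List[Finding]:
    """Return every pinning or permissions finding for one workflow file."""
    findings: List[Finding] = []
    saw_top_permissions = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            f = check_uses(lineno, m.group(1))
            if f is not None:
                findings.append(f)
            continue
        m = TOP_PERM_RE.match(line)
        if m:
            saw_top_permissions = True
            if m.group(1).strip() == "write-all":
                findings.append(Finding(lineno, "permissions: write-all grants every scope to GITHUB_TOKEN"))
    if not saw_top_permissions:
        findings.append(Finding(0, "no top-level permissions: block; GITHUB_TOKEN keeps the repository default"))
    return findings


# Constructed sample workflows (not taken from any real repository).
UNPINNED_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/local-step
      - uses: example-org/example-action@main
"""

PINNED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions: read-all
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # The SHA below is a made-up placeholder, not a real commit.
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v3
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for label, wf in (("unpinned", UNPINNED_WORKFLOW), ("pinned", PINNED_WORKFLOW)):
        print(f"--- {label}")
        for f in lint_workflow(wf):
            print(f"line {f.line}: {f.message}")
```

Run it on a real `.github/workflows/*.yml` by reading the file into `lint_workflow`; a clean file returns an empty list. The `# v3` comment after a SHA is the usual way to keep the human-readable version next to the pin, and the regex ignores it.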
I'm one of the maintainers of the [scorecard project](github.com/ossf/scorecard) and we integrated with code scanning a few months ago. One user https://github.com/ossf/scorecard-action/issues/143 reported that the results keep showing after...
I have an action that I'd like to work on both pull requests and push events. The SARIF is uploaded in both cases. When results of a pull request scan...
Hey, I work with fuzzbench (see [googleblog](https://security.googleblog.com/2020/03/fuzzbench-fuzzer-benchmarking-as-service.html) and [github](https://github.com/google/fuzzbench)). Fuzzbench is a Google tool/service that aims at helping fuzzer writers benchmark their tools and improve their techniques. We have...
Hi, I'm reaching out on behalf of the [Open Source Security Foundation (openssf.org)](https://openssf.org/). We work on improving the security of critical open source projects like yours. Together with [GitHub](https://github.blog/2022-04-07-slsa-3-compliance-with-github-actions/), we...
Generate non-forgeable provenance, as proposed in https://github.com/google/ko/issues/729. Below is an example of what the provenance looks like:

```
{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "https://slsa.dev/provenance/v0.2",
  "subject": [
    {
      "name": "ko-copy_5.0.1_Windows_arm64.tar.gz",
      "digest": {...
```
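What a consumer does with a statement shaped like the one above is bind a downloaded file to its `subject` entry. The following Python is an added example, not code from ko, slsa-github-generator or slsa-verifier: it looks up the artifact by name in the statement's `subject` list and compares the file's SHA-256 against the recorded digest. It checks only that binding; the signature over the statement, which is what makes the provenance non-forgeable, has to be verified separately (for example with slsa-verifier) and is not reproduced here. The artifact bytes and the abbreviated statement are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional

# Added example (not code from ko, slsa-github-generator or slsa-verifier):
# check that an artifact is bound to a SLSA provenance statement's subject.
# Only the digest binding is checked; signature verification is out of scope.

IN_TOTO_STATEMENT = "https://in-toto.io/Statement/v0.1"
SLSA_PREDICATE_PREFIX = "https://slsa.dev/provenance/"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_subject(statement: dict, name: str) -> Optional[dict]:
    """Return the subject entry whose name matches, or None."""
    for subject in statement.get("subject", []):
        if subject.get("name") == name:
            return subject
    return None


def verify_subject(statement: dict, name: str, artifact: bytes) -> bool:
    """True iff `artifact` is the file `name` listed in the statement's subject."""
    if statement.get("_type") != IN_TOTO_STATEMENT:
        raise ValueError(f"unexpected statement type: {statement.get('_type')!r}")
    if not str(statement.get("predicateType", "")).startswith(SLSA_PREDICATE_PREFIX):
        raise ValueError(f"not SLSA provenance: {statement.get('predicateType')!r}")
    subject = find_subject(statement, name)
    if subject is None:
        return False  # the provenance says nothing about this file
    expected = subject.get("digest", {}).get("sha256")
    if not expected:
        return False  # no sha256 digest to compare against
    # compare_digest avoids leaking how much of the digest matched.
    return hmac.compare_digest(expected.lower(), sha256_hex(artifact))


def check_download(statement_json: str, name: str, artifact: bytes) -> bool:
    """Parse a statement as downloaded alongside the artifact and verify it."""
    return verify_subject(json.loads(statement_json), name, artifact)


# Constructed sample: fake tarball bytes and a statement shaped like the
# one in the issue above, abbreviated to the fields this check reads.
ARTIFACT_NAME = "ko-copy_5.0.1_Windows_arm64.tar.gz"
ARTIFACT = b"constructed stand-in for the real tarball bytes\n"
STATEMENT_JSON = json.dumps({
    "_type": IN_TOTO_STATEMENT,
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": ARTIFACT_NAME, "digest": {"sha256": sha256_hex(ARTIFACT)}}],
    "predicate": {},  # real provenance carries builder, invocation, materials
})

if __name__ == "__main__":
    print("genuine artifact:", check_download(STATEMENT_JSON, ARTIFACT_NAME, ARTIFACT))
    print("tampered artifact:", check_download(STATEMENT_JSON, ARTIFACT_NAME, ARTIFACT + b"x"))
    print("unlisted file:", check_download(STATEMENT_JSON, "other.tar.gz", ARTIFACT))
```

A file that is not listed in `subject` at all returns `False` rather than raising, since from the verifier's point of view it is simply not covered by this provenance; a statement of the wrong type raises, because the rest of the check would be meaningless.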
Hi I am one of the authors of the SLSA3+ builder for GitHub workflows (https://github.com/slsa-framework/slsa-github-generator projects). We released the v1 of the SLSA3+ builder last week. It will be officially...
**Is your feature request related to a problem? Please describe.** yes **Describe the solution you'd like** It'd be useful to be able to run pip-audit easily in a GitHub workflow...