
Investigate GitHub Action static analysis tool

Open ribose-jeffreylau opened this issue 1 year ago • 0 comments

Context

A write-up on how the supply chain attack on Ultralytics occurred, using insecure GHA: https://blog.yossarian.net/2024/12/06/zizmor-ultralytics-injection

Candidate: zizmor

zizmor is a static analysis tool for GitHub Actions.

How integration with GHA can be done: https://woodruffw.github.io/zizmor/usage/#use-in-github-actions

ribose-jeffreylau, Mar 05 '25 06:03
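As an added illustration (not part of the issue or of the rnp project), a minimal workflow that runs zizmor against the repository's own `.github/workflows` on every push and pull request and uploads the SARIF output to code scanning; the action references, their version pins and the `uvx zizmor --format sarif` invocation are assumptions to be checked against the linked usage docs before adoption.

```yaml
# Added example, not rnp's own workflow. Runs zizmor over this repo's workflows
# and publishes findings to the Security tab via SARIF upload.
name: zizmor (GitHub Actions static analysis)

on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["**"]

permissions: {}   # default to nothing; grant per job below

jobs:
  zizmor:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # read the workflow files
      actions: read           # needed for SARIF upload on private repos
      security-events: write  # publish results to code scanning
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4   # assumed tag; pin to a commit SHA in practice
        with:
          persist-credentials: false  # do not leave the token in .git/config

      - name: Install uv
        uses: astral-sh/setup-uv@v5   # assumed tag; pin to a commit SHA in practice

      - name: Run zizmor
        # --format sarif writes machine-readable findings; a non-zero exit on
        # findings is expected, so the upload step below still runs.
        run: uvx zizmor --format sarif . > results.sarif
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # lets online audits query the API

      - name: Upload SARIF to code scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v3  # assumed tag; pin to a SHA
        with:
          sarif_file: results.sarif
          category: zizmor
```

Findings surface as code-scanning alerts on the pull request, so a workflow that reintroduces an unsafe trigger or an unpinned action is flagged before merge.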