Varun Sharma
@qpwo thanks for creating this to raise awareness of the problem. I have been working on the problem of detecting outbound traffic for this exact scenario, and while detecting from...
> @varunsh-coder we are on a pause on accepting new starter-workflows for CI or automation. Code-scanning PRs are accepted. Refer: #631

Thanks @Phantsure. While this does not scan code, it...
> @varunsh-coder It seems a better fit in code scanning. You can move to that. Thanks

Thanks @Phantsure. I have moved it into code scanning. I saw there was new...
Thanks @laurentsimon for tagging me! JFYI - I am working on a way for developers to set token permissions automatically in their workflows. The solution is [open source](https://github.com/step-security/secure-workflows), can be...
I can fix token permissions for all the workflows while building out the KB (mentioned in the comment above). Would you prefer changes to be done for each workflow in separate...
> @varunsh-coder thanks for pointing out the gap in starter workflows! 🙇
> I will add a point in the PR template to call this out. And please feel free...
@Phantsure I see that all except one starter workflow are fixed. Is that right? For [this one](https://github.com/actions/starter-workflows/pull/1386), is there any action item for @h0x0er? Thanks!
Thanks @pratikjagrut for running the workflow. You can find the link to the report of outbound traffic at https://github.com/loft-sh/devspace/runs/4799122823?check_suite_focus=true#step:3:8 I am curious what you think of the outbound calls. Are they as...
Thanks for tagging me @laurentsimon. https://github.com/step-security/harden-runner monitors for file overwrite of source code during build. It also monitors outbound connections and one can limit outbound traffic at both DNS and...
> SLSA does offer some protection against attacks like SolarWinds (see [the threats pages, row D](https://slsa.dev/spec/v0.1/threats)). It does this by placing higher security requirements on the build system itself. Of...