Varun Sharma

Results 94 comments of Varun Sharma

> > Moving to ephemeral and isolated only leads to change in attack tactics though. > > I think what's important is that it should also increase the _cost_ to...

> I think some aspects of dependency confusion can be resolved by verifying dependencies during the build process against some policy (either full or delegated as discussed in [this blog...

> Hi @varunsh-coder, are you able to provide some context around `step-security/harden-runner`?
> I couldn't find a Github repo with its code, and a Google search returned no results

Hi...

> Hi @varunsh-coder, are you able to provide some context around `step-security/harden-runner`?
> I couldn't find a Github repo with its code, and a Google search returned no results

@marco-lancini...

> why do we need `contents:write` in goreleaser https://github.com/ossf/scorecard/blob/main/.github/workflows/goreleaser.yaml#L26? Why is this not `packages:write`
> Fyi, current packaging check does not distinguish between contents/packages #1254

goreleaser writes to releases ([example](https://github.com/ossf/scorecard/releases/tag/v4.0.1))...

> Thanks @varunsh-coder I realized after posting the question that to push a release, we need `contents:write`. Thanks for confirming!
>
> I think there are APIs to check which...

> do you think SLSA provenance is something that could address this problem?

I think so. In this case, even if the registry owner could verify if the tag exists...

@sethmlarson slightly off-topic, but I am curious why you got a remediation link for `syndicate-lang/syndicate-js`? That seems like a different project, which does not have GitHub Actions workflows. For context,...

That's interesting. @azeemshaikh38, @laurentsimon any idea how deps.dev gets the remediation URLs? There seems to be a bug there.

> It's pretty hard for a user to remediate some of the results:
>
> * permissions: which to use?
> * pinned dependencies: what's the hash for each version...