Comment by stasge

3 months ago

There is a low-hanging fruit in making GitHub Actions more secure (anyone from GitHub here?):

  - Forbid (or at least warn about) shell interpolation in composite actions and guide to using environment variables instead
  - Warn unless all external actions are pinned by git commit (with customizable exceptions)
  - Warn unless all used docker images are pinned by digests
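A small linter that implements the three warnings in this comment, added here as an example and not the commenter's own code: it flags `${{ }}` expressions inside `run:` scripts, `uses:` refs that are not a 40-hex commit SHA (with an allow-list for the customizable exceptions), and `image:`/`container:` values without an `@sha256:` digest. It scans the workflow line by line rather than parsing YAML, so it assumes conventional indentation; the sample workflow and its commit SHA are constructed.

```python
import re
# Constructed sample (not from the comment); the 40-hex ref is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    container: python:3.12
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - run: echo "Title: ${{ github.event.pull_request.title }}"
      - run: echo "Title: $PR_TITLE"
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
"""

COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")
IMAGE_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
EXPRESSION = re.compile(r"\$\{\{.*?\}\}")
KEY_LINE = re.compile(r"^(?:-\s+)?(uses|image|container|run):\s*(.*)$")
SHELL_MSG = "expression interpolated into shell; pass it through env instead"

def lint_workflow(text, allowed_actions=()):
    """Return [(line_number, message)]; allowed_actions are exempt from the SHA rule."""
    findings, run_indent = [], None  # run_indent: column of an open `run: |` key
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if run_indent is not None and indent > run_indent:  # inside the script body
            if EXPRESSION.search(line):
                findings.append((lineno, SHELL_MSG))
            continue
        run_indent, match = None, KEY_LINE.match(line)
        if not match:
            continue
        key, value = match.groups()
        if key == "run":  # single-line script, or the opening of a block scalar
            if value in ("|", "|-", ">", ">-"):
                run_indent = raw.find("run:")
            elif EXPRESSION.search(value):
                findings.append((lineno, SHELL_MSG))
        elif key == "uses" and not value.startswith("./"):  # local actions need no pin
            name, _, ref = value.partition("@")
            if name not in allowed_actions and not COMMIT_SHA.match(ref):
                findings.append((lineno, f"action {name} not pinned to a commit SHA"))
        elif key != "uses" and value and not IMAGE_DIGEST.search(value):
            findings.append((lineno, f"image {value} not pinned by digest"))
    return findings
```

Running `lint_workflow(SAMPLE_WORKFLOW)` reports the unpinned container image, the `@v4` tag and the interpolated `run:` line, while the `env:`-based variant on the next step passes.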