I recently had to deal with a supply chain attack on a (thankfully not our own) dependency which was executed via a CI/CD pipeline on GH Actions, in particular in workflows using pull_request_target, and I noticed the avocado framework (which is one of our major dependencies) makes use of that as well for some workflows. How justified is it, and is it really needed?
Here is some background on real-time example attacks and suggested remedies:
https://orca.security/resources/blog/pull-request-nightmare-part-2-exploits/
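As an added illustration (not a workflow from the avocado repository or from the original post), the pattern that makes pull_request_target dangerous and a hardened split into two workflows; the workflow names, step contents and label name are assumptions:

```yaml
# RISKY (added, hypothetical workflow). pull_request_target runs in the context
# of the base repository, so the job gets a write-capable GITHUB_TOKEN and access
# to repository secrets. Checking out the PR head and then executing anything the
# PR controls (setup.py, Makefile, test code) hands that token and those secrets
# to untrusted code.
name: ci-risky
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted PR code
      - run: pip install -e . && make check                # runs it with secrets available

---
# HARDENED, file 1 (added, hypothetical workflow). Untrusted code runs under the
# plain pull_request event: for forks it gets a read-only token and no secrets,
# so a malicious PR cannot exfiltrate anything or push to the repository.
name: ci-hardened
on:
  pull_request:
permissions:
  contents: read          # least privilege for the token
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install -e . && make check

---
# HARDENED, file 2 (added, hypothetical workflow). Only the step that genuinely
# needs base-repository privileges uses pull_request_target, with permissions
# narrowed to that task. It reads metadata from the event payload and never
# checks out or executes PR-controlled content.
name: pr-label
on:
  pull_request_target:
    types: [opened]
permissions:
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - run: gh pr edit "$PR" --repo "$GITHUB_REPOSITORY" --add-label needs-review
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR: ${{ github.event.pull_request.number }}
```

When reviewing a repository's workflows, the check is simply: does any pull_request_target job check out or run something the PR author controls? If so, that job is the supply chain entry point.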