We (scorecard team) have become aware of a security vulnerability in your repo configuration.
This bug was reported by running the scorecard tool.
I've enclosed information for your review to help you correct this issue.
::: Vulnerability description :::
scorecard reported that you are not pinning dockerfile dependencies by hash:
!! frozen-deps/docker - src/drivers/npm/Dockerfile has non-pinned dependency 'node:12-bla2'
!! frozen-deps/docker - src/drivers/npm/Dockerfile has non-pinned dependency 'node:12-bla1'
!! frozen-deps/docker - src/drivers/npm/Dockerfile has non-pinned dependency 'node:12-alpine'
::: What is dependency pinning :::
Dependency pinning lets you control your dependencies by pinning them by hash. A hash is a cryptographic
construct that ensures an attacker cannot alter the content of the dependencies without being detected.
Pinning by version or any floating tag does not protect sufficiently. There have been recent cases of such vulnerabilities,
most infamously the codecov one.
Updates are still feasible. You can install dependabot to help you with this process. It will automatically
create a PR that you can review, accept or reject when new versions of your dependencies become available.
It is recommended to accept dependabot PRs regularly to receive security patches.
Several projects have taken steps to address the same issue, e.g. envoy proxy.
::: Remediation guidance :::
TODO - we need a page for this
::: Support :::
Should you need any help, or have any questions, please let me know.