You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We (Google Open Source Security Team) have become aware of a security vulnerability in your repo configuration.
This bug was reported by running the scorecard tool.
I've enclosed information for your review to help you correct this issue.
::: Vulnerability description ::: scorecard reported that you are not pinning dockerfile dependencies by hash:
$ ./scorecard --repo=github.com/laurentsimon/scorecard-remediation-tests/ --checks=Frozen-Deps --show-details
!! frozen-deps/docker - src/drivers/npm/Dockerfile has non-pinned dependency 'node:12-bla2'
!! frozen-deps/docker - src/drivers/npm/Dockerfile has non-pinned dependency 'node:12-bla1'
!! frozen-deps/docker - src/drivers/npm/Dockerfile has non-pinned dependency 'node:12-alpine'
::: What is dependency pinning :::
Dependency pinning lets you control your dependencies by pinning them by hash. A hash is a cryptographic
construct that ensures an attacker cannot alter the content of the dependencies without being detected.
Pinning by version or any floating tag does not offer sufficient protection. There have been recent cases of attackers taking advantage of such vulnerabilities, most infamously the codecov hack.
Several projects are taking steps to address the same issue, e.g. envoy proxy.
::: Remediation guidance :::
You should use a hash to pin the dependencies. You can find an example here.
To find the hash corresponding hash to your dependency, run:
Despite pinning, updates remain feasible and are encouraged. You should install github's dependabot by enabling it through this settings. Dependabot will automatically
create PRs that you can review, accept or reject when new versions of your dependencies become available.
It is recommended to accept dependabot PRs regularly to receive security patches.
::: Support :::
Should you need any help, or have any questions, please let us know.
Note: If you have several security and privacy bugs and are resource-constrained and not sure which issues to fix first, please reach out for assistance at scorecard-discuss@googlegroups.com.
The text was updated successfully, but these errors were encountered:
Hi team,
Hi team,
We (Google Open Source Security Team) have become aware of a security vulnerability in your repo configuration.
This bug was reported by running the scorecard tool.
I've enclosed information for your review to help you correct this issue.
@laurentsimon @laurentsimon2 FYI
::: Vulnerability description :::
scorecard reported that you are not pinning dockerfile dependencies by hash:
::: What is dependency pinning :::
Dependency pinning lets you control your dependencies by pinning them by hash. A hash is a cryptographic
construct that ensures an attacker cannot alter the content of the dependencies without being detected.
Pinning by version or any floating tag does not offer sufficient protection. There have been recent cases of attackers taking advantage of such vulnerabilities, most infamously the codecov hack.
Several projects are taking steps to address the same issue, e.g. envoy proxy.
::: Remediation guidance :::
You should use a hash to pin the dependencies. You can find an example here.
To find the hash corresponding hash to your dependency, run:
Despite pinning, updates remain feasible and are encouraged. You should install github's dependabot by enabling it through this settings. Dependabot will automatically
create PRs that you can review, accept or reject when new versions of your dependencies become available.
It is recommended to accept dependabot PRs regularly to receive security patches.
::: Support :::
Should you need any help, or have any questions, please let us know.
Note: If you have several security and privacy bugs and are resource-constrained and not sure which issues to fix first, please reach out for assistance at scorecard-discuss@googlegroups.com.
The text was updated successfully, but these errors were encountered: