diff options
| author | Naveen <172697+naveensrinivasan@users.noreply.github.com> | 2022-03-29 07:08:01 -0500 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-03-29 21:08:01 +0900 |
| commit | 19af8fc7d8f5b4dcf8730ea0b5826bad9fac2dc4 (patch) | |
| tree | be1e06f0d1f83c7de0299396aee83e6750994f5f /src/protector/protector.go | |
| parent | a06671b47f0284733c7edf7dae8f22f9758c8393 (diff) | |
| download | fzf-19af8fc7d8f5b4dcf8730ea0b5826bad9fac2dc4.tar.gz | |
Pin actions to a full length commit SHA (#2765)
- Pinned actions by SHA https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies
- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
>Pin actions to a full length commit SHA
>Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
Also, dependabot supports upgrade based on SHA.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>s
Diffstat (limited to 'src/protector/protector.go')
0 files changed, 0 insertions, 0 deletions