Hacker News
by
AdrienPoupa
86 days ago
That's true. This specific attack was mitigated by hash pinning, but some actions like
https://github.com/1Password/load-secrets-action
default to using the latest version of an underlying dependency.
cpuguy83
86 days ago
This attack was *not* mitigated by hash pinning. The setup-trivy action installs the latest version of trivy unless you specify a version.
AdrienPoupa
86 days ago
Oh, I was referring to `aquasecurity/trivy-action` that was changed with a malicious entrypoint for affected tags. Pinned commits were not affected.
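The distinction the thread lands on (pinning an action to a commit SHA does not pin the tool that action downloads at run time) is something a workflow audit can check mechanically. The following is an added example, not code from the thread or from the Trivy or 1Password projects: a stdlib-only Python scan of a workflow file that flags every `uses:` reference not pinned to a full 40-hex commit SHA, and separately flags Trivy setup steps that pass no version input and so float to the latest release. The input name `version` for aquasecurity/setup-trivy and aquasecurity/trivy-action is an assumption to verify against each action's README; the workflow text, commit SHAs and version number are constructed placeholders.

```python
"""Audit a GitHub Actions workflow for two supply-chain weaknesses:
a `uses:` ref that is not a full commit SHA, and a Trivy setup step that
does not pin the Trivy release it installs (tool floats to latest).

Stdlib only: an indentation-aware line scan is enough for the usual
`steps:` layout, so no PyYAML dependency is needed.
"""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Actions whose own pin does not pin the tool they download. The input name
# `version` is an ASSUMPTION about these actions' inputs; check their README.
FLOATING_TOOL_ACTIONS = {
    "aquasecurity/setup-trivy": "version",
    "aquasecurity/trivy-action": "version",
}

# Constructed sample workflow; SHAs and the version number are placeholders.
SAMPLE_WORKFLOW = """\
name: scan
on: push
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Trivy, action pinned but tool floating
        uses: aquasecurity/setup-trivy@0123456789abcdef0123456789abcdef01234567
      - name: Trivy, action and tool both pinned
        uses: aquasecurity/trivy-action@89abcdef0123456789abcdef0123456789abcdef
        with:
          version: v0.58.1
          scan-type: fs
"""


def parse_steps(workflow_text):
    """Return one dict per step: {'uses': ref or None, 'with': {input: value}}."""
    steps, current = [], None
    steps_indent = step_indent = None
    in_with = False
    for raw in workflow_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        body = raw.strip()
        if body == "steps:":
            steps_indent, step_indent = indent, None
            continue
        if steps_indent is None:
            continue
        if indent <= steps_indent:  # dedented past the steps list: block over
            steps_indent = None
            continue
        # A dash at the step indent starts a new step; the first dash sets it.
        if body.startswith("- ") and (step_indent is None or indent == step_indent):
            step_indent = indent
            current = {"uses": None, "with": {}}
            steps.append(current)
            in_with = False
            body = body[2:].strip()
        if current is None or ":" not in body:
            continue
        key, _, value = body.partition(":")
        key, value = key.strip(), value.strip()
        if indent <= step_indent + 2:  # top-level step key: name/uses/with/run/env
            in_with = key == "with"
            if key == "uses":
                current["uses"] = value
        elif in_with:  # nested under `with:` -> an action input
            current["with"][key] = value
    return steps


def audit(workflow_text):
    """Return a list of finding strings; an empty list means both checks pass."""
    findings = []
    for step in parse_steps(workflow_text):
        if not step["uses"]:
            continue
        action, _, ref = step["uses"].partition("@")
        if action.startswith("./") or action.startswith("docker://"):
            continue  # local and container actions are out of scope here
        if not SHA_RE.match(ref):
            findings.append(
                f"{step['uses']}: not pinned to a full commit SHA (ref {ref!r} can move)"
            )
        tool_input = FLOATING_TOOL_ACTIONS.get(action)
        if tool_input and step["with"].get(tool_input, "latest") in ("", "latest"):
            findings.append(
                f"{action}: no {tool_input!r} input, so it installs the latest tool "
                "release even though the action itself may be SHA-pinned"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_WORKFLOW):
        print(finding)
```

Run against the sample, the checkout step is reported for its movable `v4` tag and the setup-trivy step for its missing version input; the last step passes because both the action commit and the tool release are pinned. Replace `SAMPLE_WORKFLOW` with the contents of a real `.github/workflows/*.yml` to audit it.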