Supply Chain Attack on Trivy(wiz.io)
wiz.io
Supply Chain Attack on Trivy
https://www.wiz.io/blog/trivy-compromised-teampcp-supply-chain-attack
5 comments
> avoid using community-maintained actions as far as possible, instead installing and configuring the runners as though I would a normal machine.
A runner and a action are two very different things.
You could run on the default runners with no community actions, and you can run on self-hosted runners with a lot of community actions.
A runner and a action are two very different things.
You could run on the default runners with no community actions, and you can run on self-hosted runners with a lot of community actions.
If you're getting hung up on "normal machine", what I meant is a computer in general that is not related to GitHub Actions at all.
If that's not the part of my message you're referring to, then your message seems completely orthogonal to what I posted.
If that's not the part of my message you're referring to, then your message seems completely orthogonal to what I posted.
They're right though, using a self-hosted runner has nothing to do with using community actions or not.
Installing with curl and sh can be done in a github public runner just as well.
Of course it's a true statement, but I'm not using self-hosted runners, nor does my comment mention them.
This started from a desire to avoid an unknown amount of bloat and untrusted code, but also because I'm pretty tired of getting Node deprecation warnings for installing/using something that has nothing to do with JavaScript at all.
I've always installed a pinned version of Trivy of my choosing, and installed by curl | sh.
Looks like curl | sh may have saved my skin, whereas even older versions of the github action were force-pushed to install the vulnerable binary.