Re: [PR] Github Actions Security Best practices: Pin Actions to Full lenght Co… [kafka]

via GitHub Wed, 21 Aug 2024 09:01:59 -0700


mumrah commented on code in PR #16915:
URL: https://github.com/apache/kafka/pull/16915#discussion_r1725350586



##########
.github/workflows/docker_scan.yml:
##########
@@ -29,7 +32,7 @@ jobs:
         supported_image_tag: ['latest', '3.7.0']
     steps:
       - name: Run CVE scan
-        uses: aquasecurity/trivy-action@master
+        uses: 
aquasecurity/trivy-action@d9cd5b1c23aaf8cb31bb09141028215828364bbb # master

Review Comment:
   Per the third bullet in the GitHub docs you linked
   
   > Pin actions to a tag only if you trust the creator
   
   we can use the tag version since this action is from a verified creator. 
This is consistent with the ASF Infra policy as mentioned in 
[INFRA-26051](https://issues.apache.org/jira/browse/INFRA-26051). 
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Re: [PR] Github Actions Security Best practices: Pin Actions to Full lenght Co… [kafka]

Reply via email to