4mo ago

Popular GitHub Action tj-actions/changed-files is compromised with a payload that appears to attempt to dump secrets

Semgrep | 🚨 Popular GitHub Action tj-actions/changed-files is compromised

3 comments

Here's a good reason why you should pin to specific sha hashes, not just release versions.
PrOtEcTiNg ThE sUpPlY cHaIn Is ImPoRtAnT tO uS. tHeReFoRe We NoW fOrCe 2Fa On YoU.
- 2fa isn't a panacea and won't solve every problem. It does help though. Why do you think supply chain integrity isn't something they care about?