In the light of recent supply chain attacks I have conducted a scan of the top 10k repos (by stars) using the GHA security scanner zizmor.
The results are quite sobering. Many of the recent supply chain attacks were preventable, since zizmor is pointing out the exact weaknesses that were used: unpinned dependencies, template injection, ... and many more.
Happy for any input and feedback on the data and presentation, as well as ideas on how we use this to improve the security posture of our open source community!
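As an added example (not from the post, and not zizmor's code), a small line-oriented audit for the two weakness classes the post names, unpinned actions and template injection in `run:` steps, applied to a constructed workflow; the `env:` step shows the usual mitigation of passing untrusted values through an environment variable instead of interpolating them into the script. The function name, the regexes and the short list of attacker-controlled contexts are assumptions for this example, and the pinned SHA is a placeholder; the check also follows `run: |` block scalars by indentation.

```python
import re

# Constructed sample workflow (not from the post or from zizmor); the SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request_target]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - name: Greet
        run: echo "Title is ${{ github.event.pull_request.title }}"
      - env: { TITLE: "${{ github.event.pull_request.title }}" }
        run: echo "Title is $TITLE"
      - run: |
          echo "Branch ${{ github.head_ref }}"
"""

USES_RE = re.compile(r"^\s*(-\s*)?uses:\s*([^\s#]+)")
RUN_RE = re.compile(r"^\s*(-\s*)?(run:)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Contexts an external contributor controls: a short hypothetical list, not zizmor's model.
UNTRUSTED_RE = re.compile(r"\$\{\{\s*github\.(event\.(pull_request|issue|comment|review)\.|head_ref)")

def audit_workflow(text):
    """Return (line_no, finding) pairs for unpinned actions and template injection in run: steps."""
    findings = []
    run_indent = None  # column of the run: key we are inside, or None
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue  # blank lines do not end a block scalar
        indent = len(line) - len(line.lstrip())
        if run_indent is not None and indent <= run_indent:
            run_indent = None  # dedented: we left the run: block
        m = USES_RE.match(line)
        if m:
            ref = m.group(2)
            parts = ref.rsplit("@", 1)
            # Local (./) and docker:// actions are skipped; a remote action is pinned only by a full SHA.
            if not ref.startswith(("./", "docker://")) and not (
                    len(parts) == 2 and SHA_RE.match(parts[1])):
                findings.append((no, f"unpinned action {ref}"))
            continue
        r = RUN_RE.match(line)
        if r:
            run_indent = r.start(2)  # block-scalar lines must be indented past "run:"
        if run_indent is not None and UNTRUSTED_RE.search(line):
            findings.append((no, "template injection: untrusted expression in run:"))
    return findings
```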
For me, it always starts with becoming a user first. By using the software, you're more likely to stumble upon bugs, missing features, or areas for improvement—perfect starting points for your first contribution!
In my case, I ran into a MIME type issue while serving a WebAssembly game with Hugo. That small frustration turned into my first pull request to the project.
Just came out of a deep rabbit hole after wondering: “Why does my laptop get hot watching YouTube?”
Thought I'd share my findings, mostly to have an easy reference to information that is distributed between the ArchLinux forum, Chromium docs & random SO posts.
In case you want to leave an issue or star: https://github.com/datosh/pinned-actions