Discussion
Trivy Compromised: Everything You Need to Know about the Latest Supply Chain Attack
wilkystyle: I have generally preferred to avoid using community-maintained actions as far as possible, instead installing and configuring the runners as though I would a normal machine. This started from a desire to avoid an unknown amount of bloat and untrusted code, but also because I'm pretty tired of getting Node deprecation warnings for installing/using something that has nothing to do with JavaScript at all. I've always installed a pinned version of Trivy of my choosing, and installed by curl | sh. Looks like curl | sh may have saved my skin, whereas even older versions of the github action were force-pushed to install the vulnerable binary.
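The comment above relies on pinning a Trivy version rather than trusting a mutable action tag. A bare `curl | sh` still executes whatever the server returns today, so the defensive version of that habit is to pin both the version and the artifact checksum. The script below is an added example written for this discussion, not the Trivy project's installer or anything from the original thread. The release URL and checksum-file naming follow the pattern used on Trivy's GitHub releases page but are assumptions to confirm against the actual release; `TRIVY_VERSION` and `TRIVY_SHA256` are placeholders you fill in from a release you have inspected. The verification helpers are exercised offline on a constructed file.

```shell
#!/bin/sh
# Pinned-version, checksum-verified download pattern (added example, not Trivy's own installer).
# Fill these two placeholders from a release you have reviewed; they are NOT real values.
TRIVY_VERSION="${TRIVY_VERSION:-X.Y.Z-PLACEHOLDER}"
TRIVY_SHA256="${TRIVY_SHA256:-0000000000000000000000000000000000000000000000000000000000000000}"

# Assumed release layout (verify on the project's releases page before relying on it).
TRIVY_BASE_URL="https://github.com/aquasecurity/trivy/releases/download"
TRIVY_ARCHIVE="trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"

# Print the SHA-256 hex digest of a file, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_checksum FILE EXPECTED_HEX -> returns 0 on match, 1 (with a message on stderr) otherwise.
verify_checksum() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "checksum mismatch for $1: expected $2, got $actual" >&2
    return 1
}

# Download the pinned archive to a scratch directory and refuse to install unless the
# digest matches the value pinned in this script. Never piped straight into sh.
install_trivy_pinned() {
    dest="${1:-/usr/local/bin}"
    work=$(mktemp -d) || return 1
    # -f: fail on HTTP errors; -L: follow the GitHub redirect to the asset.
    curl -fsSL -o "$work/$TRIVY_ARCHIVE" "$TRIVY_BASE_URL/v$TRIVY_VERSION/$TRIVY_ARCHIVE" || return 1
    verify_checksum "$work/$TRIVY_ARCHIVE" "$TRIVY_SHA256" || return 1
    # Assumption: the archive contains the binary as "trivy" at its top level.
    tar -xzf "$work/$TRIVY_ARCHIVE" -C "$work" trivy || return 1
    install -m 0755 "$work/trivy" "$dest/trivy" || return 1
    rm -rf "$work"
    echo "installed trivy $TRIVY_VERSION to $dest"
}

# Offline demonstration on a constructed file: a matching digest passes, a tampered file fails.
demo_local_verification() {
    tmp=$(mktemp) || return 1
    printf 'constructed sample artifact\n' > "$tmp"
    pinned=$(sha256_of "$tmp")          # stand-in for the digest you would pin
    verify_checksum "$tmp" "$pinned" || return 1
    printf 'tampered\n' >> "$tmp"        # simulate a modified download
    if verify_checksum "$tmp" "$pinned" 2>/dev/null; then
        rm -f "$tmp"
        return 1                         # tampering went undetected: fail loudly
    fi
    rm -f "$tmp"
    return 0
}

demo_local_verification && echo "local checksum verification behaves as expected"
```

The same idea applies to the Actions side of the thread: a workflow that references an action by tag gets whatever that tag points to after a force-push, while a reference by full commit SHA cannot be silently moved. Pinning the version string alone is not enough in either case; the digest (or commit) is what makes the pin meaningful.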
SahAssar:
> avoid using community-maintained actions as far as possible, instead installing and configuring the runners as though I would a normal machine.

A runner and an action are two very different things. You could run on the default runners with no community actions, and you can run on self-hosted runners with a lot of community actions.
wilkystyle: If you're getting hung up on "normal machine", what I meant is a computer in general that is not related to GitHub Actions at all. If that's not the part of my message you're referring to, then your message seems completely orthogonal to what I posted.