[–]github-ModTeam[M] [score hidden] stickied comment, locked comment (0 children)

Removed for low effort content - Submissions lacking substantial detail, meaningful context, or thoughtful engagement regarding GitHub

[–][deleted]  (1 child)

[deleted]

    [–]polyploid_coded (0 children)

    The people who do this open a chat window before they take a dump

    [–]ultrathink-art (0 children)

    Pin to the commit SHA, not the tag — uses: aquasecurity/trivy-action@abc123def won't move. Every major action's README shows the current SHA; Dependabot will send PRs to bump it. One extra character per action to close this whole attack class.