
An external dependency to groundnuty/k8s-wait-for is pinned using a tag. #144

Open
aaguiarz opened this issue Jun 22, 2024 · 1 comment

@aaguiarz
Member

Source tags can be overwritten in case of a supply chain attack and a compromised image may be pulled down.

The risk is greater in the case of external, third-party dependencies not under the project's control.
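The point above, tags being mutable while digests are content-addressed, can be checked mechanically in the chart's rendered manifests. The following is an added example and not code from this project or the issue author; the sample manifest, the `v1.6` tag and the all-zero sha256 digest are constructed placeholders.

```python
# Added example (not project code): audit image references in a manifest and flag
# any that are pinned only by a mutable tag instead of an immutable digest.
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
IMAGE_KEY_RE = re.compile(r"""^\s*(?:-\s*)?image:\s*["']?([^"'\s]+)""")

def parse_image_ref(ref):
    """Split an image reference into (name, tag, digest); tag/digest may be None."""
    name, _, digest = ref.partition("@")
    tag = None
    last_colon = name.rfind(":")
    # A colon is a tag separator only after the last path slash; before it,
    # it belongs to a registry port such as registry.example.com:5000.
    if last_colon > name.rfind("/"):
        name, tag = name[:last_colon], name[last_colon + 1:]
    return name, tag, digest or None

def classify_image_ref(ref):
    """Return None if pinned by a well-formed digest, else why the reference is mutable."""
    _, tag, digest = parse_image_ref(ref)
    if digest is None:
        return "implicit :latest (mutable)" if tag is None else f"tag '{tag}' is mutable"
    if not DIGEST_RE.match(digest):
        return f"malformed digest '{digest}'"
    return None  # content-addressed: a re-pushed tag cannot change what is pulled

def audit_manifest(text):
    """Return [(image_ref, reason)] for every image: line that is not digest-pinned."""
    findings = []
    for line in text.splitlines():
        m = IMAGE_KEY_RE.match(line)
        if m and (reason := classify_image_ref(m.group(1))):
            findings.append((m.group(1), reason))
    return findings

# Constructed sample manifest: a wait-for init container pinned by tag only (v1.6 is a
# placeholder), an app image with no tag, and a sidecar pinned by an all-zero digest.
SAMPLE_MANIFEST = """\
initContainers:
  - name: wait-for-db
    image: groundnuty/k8s-wait-for:v1.6
containers:
  - name: app
    image: registry.example.com:5000/team/app
  - name: sidecar
    image: docker.io/library/busybox:1.36@sha256:""" + "0" * 64 + "\n"
```

Running `audit_manifest(SAMPLE_MANIFEST)` reports the first two images as not pinned and accepts only the digest-pinned sidecar; the same check can be run over `helm template` output before deploying.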

@rorynickolls-skyral
Contributor

This issue is related to #132 -- I haven't had time to look at picking it up.

I'm concerned about the use of groundnuty/k8s-wait-for here as it has not received updates in years and any issues relating to security fixes on the upstream repository are not receiving attention.

We have had to patch our own version of the image to continue using the chart.
