Security Best Practices
Closed this issue · 0 comments
Deleted user commented
Hi,
As a member of the Security Team from the Eclipse Foundation, we used the tools Scorecard and StepSecurity to analyze this repo in order to push a pull request that covers some or all of the following best practices:
- Apply least privilege principle to GITHUB_TOKEN
- Add or fine tune the use of Dependabot
- Pin actions to a full length commit SHA
As a result, you will see a PR coming from StepSecurity to help implement the fixes above, which will cover the points identified below:
- Apply least privilege principle to GITHUB_TOKEN for files .github/workflows/updateRelease.yml
- Add or fine tune the use of Dependabot
Please don't hesitate to reach out if there is something unclear above.
Kind Regards,
Francisco Perez
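For readers unfamiliar with what the listed practices look like in a workflow, the following is an added illustration, not the issue's or StepSecurity's PR content. The workflow body, script path and commit SHA are placeholders, since the real contents of `.github/workflows/updateRelease.yml` are not shown here; the two YAML documents stand for two separate files.

```yaml
# Hypothetical contents for .github/workflows/updateRelease.yml (illustrative only)
name: Update release

on:
  release:
    types: [published]

# Least privilege for GITHUB_TOKEN: make the token read-only for the whole
# workflow, then widen it only for the single job that must write.
permissions:
  contents: read

jobs:
  update-release:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # only this job gets write scope
    steps:
      # Pin to a full-length commit SHA instead of a mutable tag such as @v4.
      # The SHA below is a placeholder, not a real commit; the trailing comment
      # records the tag it corresponds to so Dependabot can keep it current.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder)
      - name: Update release metadata
        run: ./scripts/update-release.sh   # hypothetical script
---
# .github/dependabot.yml: keeps the pinned action SHAs (and their tag
# comments) updated automatically instead of letting them go stale.
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Pinning by SHA only helps if the pins are refreshed, which is why the Dependabot `github-actions` ecosystem entry accompanies it.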