This is a suggestion to add security canaries to this repo for monitoring and detecting supply chain attacks. Great examples of the benefits of canaries in protecting the community are seen in this Grafana post, and research Detecting the Modern Supply Chain Attack: High-Fidelity Canaries for CI/CD.
There's a free Tracebit Community Edition GitHub integration you can install here that sets this up in under 5 minutes - once you do, it injects canary tokens (decoy credentials that look real but nothing legitimate ever uses) into each workflow. If anyone tries to use one, you get an alert straight away. Since no real process ever touches them, a trigger means there's likely an issue.
I'm also more than happy to raise a PR and implement it myself. No stress if it doesn't fit - thought it would be useful to share with the wider community.
Full disclosure: I work for Tracebit and was involved in building this. Our Community Edition is fully designed with community in mind and will remain free forever.
This is a suggestion to add security canaries to this repo for monitoring and detecting supply chain attacks. Great examples of the benefits of canaries in protecting the community are seen in this Grafana post, and research Detecting the Modern Supply Chain Attack: High-Fidelity Canaries for CI/CD.
There's a free Tracebit Community Edition GitHub integration you can install here that sets this up in under 5 minutes - once you do, it injects canary tokens (decoy credentials that look real but nothing legitimate ever uses) into each workflow. If anyone tries to use one, you get an alert straight away. Since no real process ever touches them, a trigger means there's likely an issue.
I'm also more than happy to raise a PR and implement it myself. No stress if it doesn't fit - thought it would be useful to share with the wider community.
Full disclosure: I work for Tracebit and was involved in building this. Our Community Edition is fully designed with community in mind and will remain free forever.