
How does SBOM and such account for this? If you’re a package maintainer, do you need to include CI pipeline plugins, their dependencies, going down as far as the pipeline host, in your security-relevant dependencies? Hard problems :/


Most recommendations treat SBOM as the “ingredients” and the build dependencies such as GitHub Actions as the recipe.

However, I think the GitHub SBOM features include GitHub Actions as dependencies, but that is merely a side-effect of their Dependabot heritage.
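As an added example (not code from either commenter), a small Python script that reads a GitHub-style SPDX 2.3 JSON export and separates the “ingredients” from the “recipe” by purl type, listing recipe entries that are not pinned to a commit SHA for review. The `pkg:githubactions` purl type, the sample package names, and the SHA-pinning check are assumptions, not something the thread states.

```python
import json
import re

# Constructed sample in the shape of a GitHub dependency-graph SBOM export
# (SPDX 2.3 JSON); package names and versions are made up for illustration.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "example/repo",
    "packages": [
        {"name": "npm:lodash", "versionInfo": "4.17.21",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:npm/lodash@4.17.21"}]},
        {"name": "actions/checkout", "versionInfo": "4",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:githubactions/actions/checkout@4"}]},
        {"name": "example/deploy-action", "versionInfo": "a" * 40,
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:githubactions/example/deploy-action@" + "a" * 40}]},
    ],
})

# A 40-hex-character version is treated as an immutable commit pin (assumption).
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def purl_of(pkg):
    """Return the package-url of an SPDX package, or None if it has none."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref["referenceLocator"]
    return None


def split_sbom(sbom_json):
    """Split packages into 'ingredients' (pkg:npm, pkg:pypi, ...) and the
    'recipe' (pkg:githubactions). Recipe entries whose version is not a
    commit SHA are mutable references and are listed separately."""
    doc = json.loads(sbom_json)
    result = {"ingredients": [], "recipe": [], "unpinned_recipe": []}
    for pkg in doc.get("packages", []):
        purl = purl_of(pkg)
        if purl is None:
            continue
        ptype = purl[len("pkg:"):].split("/", 1)[0]  # e.g. "npm", "githubactions"
        if ptype == "githubactions":
            result["recipe"].append(purl)
            version = purl.rsplit("@", 1)[1] if "@" in purl else ""
            if not SHA_RE.match(version):
                result["unpinned_recipe"].append(purl)
        else:
            result["ingredients"].append(purl)
    return result


if __name__ == "__main__":
    print(json.dumps(split_sbom(SAMPLE_SBOM), indent=2))
```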



