Stacklok

In this introductory guide Juan Antonio "Ozz" Osorio dives into Writing Minder rule types using Open Policy Agent and Rego. https://lnkd.in/gt2tbfj8

The scary thing with malicious packages like this is that traditional SCA tools won’t flag them during the few hour attack ‘window’. (Attackers publish, use and de-publish these very quickly). Installing one on a developers desktop will cause all kinds of problems for your org. Put a tool like Trusty in your developer inner-loop process to help your teams avoid this kind of content in the first place. Nice work Trusty team!

On July 22nd, our Trusty team flagged a malicious npm package, next-react-notify, shortly after it was published. This package is a modified version of the popular call-bind with an added malicious script. Our detection system identified suspicious metadata signals, revealing a complex attack. Key indicator: a preinstall hook in the package.json file which silently executes and deletes the downloader script. Read Poppaea McDermott's analysis of this attack here: https://bit.ly/46mhGgg #cybersecurity #opensource

In this Cloud Native Computing Foundation (CNCF) #CloudNativeSecurityCon talk Sigstore founders Luke Hinds and Bob Callaway discuss the origins of sigstore and their experience growing a large community. Plus, the ongoing work to integrate Sigstore into Homebrew, PyPI, Maven Central and the Sigstore roadmap priorities and where the project is heading in the future. 📺 Watch here: https://lnkd.in/euKanfNi #CNSCon

Want to know what Tacos de Canasta and Software Supply Chain Security have in common? Join Adolfo García Veytia, Luke Hinds & Stacey Potter as they dive in to both during our first Securi-Taco Tuesday episode (available on-demand). https://lnkd.in/eE8PytGk

Even though pinning GitHub Actions to commit SHAs is only way to use an action as an immutable release, only 2% of public GitHub repos have pinned actions (shout-out to Fabian Kammel for his research on this). One reason this practice isn't more common is the worry that you might not get updates for the actions if they're pinned. But if you're a Dependabot user, you can use our #oss Frizbee tool Dependabot to automatically pin your GitHub Actions (and also, pin your container images!), and use Dependabot to keep them updated. Stackers Juan Antonio "Ozz" Osorio and Jakub Hrozek demo how this works in this Cloud Native Computing Foundation (CNCF) livestream with CNCF Ambassador Taylor Thomas: https://lnkd.in/gqYvM7Fj Thanks Taylor for chatting with us!

We welcomed three amazing new Stackers this week! Doug Wright is our new VP of Engineering, who joins us from the cybersecurity firm Arctic Wolf. Doug has 18 years of experience in managing development teams and extensive experience building SaaS products. We're thrilled to have him lead our global engineering organization and product development process. Doug is based in sunny Southern California 😎 Gokul Raju joins us as a Staff Product Manager, focused on building out the product roadmap and capabilities of trustypkg.dev to help developers understand whether the OSS packages they're using are malicious, deprecated, or pose a supply chain risk. Gokul joins us from Harness, where he drove Harness' product-led growth strategy and built capabilities for Harness' CD product. He works in our Shoreditch, London office. 🇬🇧 👨🏻💻 A. is the newest member of our fantastic frontend engineering team, joining us from Fuse Financial Technologies. He'll also be working out of our office in Shoreditch, London. ☕ Welcome to the team, Doug, Gokul, and Alex! We're beyond thrilled to have you here!

Looking for an easy way to detect malicious, deprecated, or unsafe #oss dependencies in your code? We just released a new GitHub Action that can automatically check your PRs for unsafe open source dependencies, and provide a list of safer alternatives. Using the Trusty Dependency Risk Action can help you avoid taking a dependency on OSS software that is: - Malicious, deprecated, or archived (as reported by OSV.dev, GitHub, or package managers) - Not being actively maintained - From an unverified source - Likely to be a typosquat / supply chain attack Try it out and let us know what you think! 👀 Blog post with more background: https://lnkd.in/gRG2PnjY ✅ Direct link to install the Trusty Dependency Risk Action: https://lnkd.in/g7RJTAVa

TODAY! Tune in to this Cloud Native Computing Foundation (CNCF) #Livestream as Stackers Juan Antonio "Ozz" Osorio and Jakub Hrozek dive into automating pinning GitHub Actions & container images to digests. 9am PT | 12pm ET | 16:00 UTC | 17:00 BST 📺https://lnkd.in/gZcR4JEX

Thanks Pete Soderling for hosting our CEO, Craig McLuckie, on the Zero Prime Ventures podcast! Check out this episode if you're interested in the origins of the #Kubernetes project, and for founder advice on leading startups.