item 43369285 (no title)

tsujamin | 11 months ago
How does SBOM and such account for this? If you're a package maintainer, do you need to include CI pipeline plugins, their dependencies, going down as far as the pipeline host, in your security-relevant dependencies? Hard problems :/

captn3m0 | 11 months ago
Most recommendations treat SBOM as the "ingredients" and the build dependencies such as GitHub Actions as the recipe. However, I think the GitHub SBOM features include GitHub Actions as dependencies, but that is merely a side-effect of their Dependabot heritage.
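An added example (not from either commenter) of the "ingredients vs. recipe" gap the thread describes: it lists the `uses:` steps in a constructed GitHub Actions workflow and reports which of those CI plugins a constructed SPDX SBOM does not declare. The `pkg:github/...` purl form used to represent an action inside the SBOM is an assumption for illustration.

```python
import json
import re

# Constructed sample workflow: the build "recipe".
WORKFLOW_YAML = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci && npm test
      - uses: docker/build-push-action@v5
"""

# Constructed sample SPDX 2.3 SBOM (JSON form): the "ingredients".
# It records one runtime package and only one of the three CI actions.
SBOM_JSON = json.dumps({"spdxVersion": "SPDX-2.3", "name": "example-app", "packages": [
    {"name": "express", "versionInfo": "4.19.2", "externalRefs": [
        {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
         "referenceLocator": "pkg:npm/express@4.19.2"}]},
    {"name": "actions/checkout", "versionInfo": "v4", "externalRefs": [
        {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
         "referenceLocator": "pkg:github/actions/checkout@v4"}]},  # assumed purl form
]})

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.\-/]+)@([\w.\-]+)", re.M)

def workflow_actions(yaml_text):
    """Return {(owner/repo, ref)} for every `uses:` step in the workflow text."""
    return {(m.group(1), m.group(2)) for m in USES_RE.finditer(yaml_text)}

def sbom_github_actions(sbom_text):
    """Return {(owner/repo, version)} for packages the SBOM records as pkg:github purls."""
    found = set()
    for pkg in json.loads(sbom_text).get("packages", []):
        for ref in pkg.get("externalRefs", []):
            loc = ref.get("referenceLocator", "")
            if loc.startswith("pkg:github/"):
                name, _, ver = loc[len("pkg:github/"):].partition("@")
                found.add((name, ver))
    return found

def missing_from_sbom(yaml_text, sbom_text):
    """CI actions the workflow runs that the SBOM does not declare, sorted."""
    return sorted(workflow_actions(yaml_text) - sbom_github_actions(sbom_text))

if __name__ == "__main__":
    for name, ref in missing_from_sbom(WORKFLOW_YAML, SBOM_JSON):
        print(f"not in SBOM: {name}@{ref}")
```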