Security: Can the checksum/SLSA provenance of the downloaded ArgoCD cli be verified? #25
Labels: dependencies, ⛱️ feature request
Is your feature request related to a problem? Please describe.
Supply chain injections are becoming a common security flaw in CI systems and build chains. This includes:
Describe the solution you'd like
ArgoCD provides multiple mechanisms to validate the authenticity of the download, with SLSA and weaker SHA256 checksums available. Using one of these to verify the provenance of the intended version improves the integrity of using the dependency.
This would be in the code to download ArgoCD for use by this action.
Using the SLSA method is preferred as it is more secure.
Describe alternatives you've considered
Using the simpler SHA256 mechanism. Performing these actions without using this repository.
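The download-then-verify flow this request asks for, as an added shell example (not the action's or ArgoCD's own code): the SHA256 checksum is checked first and the SLSA provenance second, and a binary that fails either check is discarded. Assumed rather than taken from the issue: the release asset names argocd-linux-amd64, cli_checksums.txt and argocd-cli.intoto.jsonl, the "<sha256>  <asset>" line format of the checksum file, and the slsa-verifier flags.

```shell
#!/bin/sh
# Added example, not the action's or ArgoCD's own code: fetch one pinned
# argocd CLI release and refuse to use it unless its SHA256 checksum and its
# SLSA provenance both verify. Assumed rather than taken from the issue: the
# release asset names argocd-linux-amd64, cli_checksums.txt ("<sha256>  <asset>"
# per line) and argocd-cli.intoto.jsonl, and the slsa-verifier flags used here.
set -eu

ARGOCD_RELEASE_URL="https://github.com/argoproj/argo-cd/releases/download"
sha256_of() {  # hex SHA256 digest of a file, GNU or BSD userland
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
    awk '{ print $1 }'
}

# verify_cli_checksum CHECKSUM_FILE BINARY [ASSET_NAME]
# Succeeds only if BINARY's digest equals the CHECKSUM_FILE entry for ASSET_NAME.
# A missing entry is a failure, not a skipped check.
verify_cli_checksum() {
  asset="${3:-$(basename "$2")}"
  expected=$(awk -v a="$asset" '$2 == a { print $1 }' "$1")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $asset" >&2; return 1
  fi
  actual=$(sha256_of "$2")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $asset: expected $expected, got $actual" >&2; return 1
  fi
}

# verify_cli_provenance BINARY PROVENANCE_FILE TAG: the stronger check, that
# BINARY was produced by the argoproj/argo-cd release build for TAG.
verify_cli_provenance() {
  slsa-verifier verify-artifact "$1" --provenance-path "$2" \
    --source-uri github.com/argoproj/argo-cd --source-tag "$3"
}

# download_and_verify TAG DEST_DIR (needs network): a binary that fails either
# check is deleted, so a tampered download is never marked executable.
download_and_verify() {
  tag="$1"; dest="$2"; asset="argocd-linux-amd64"
  for f in "$asset" cli_checksums.txt argocd-cli.intoto.jsonl; do
    curl -fsSL -o "$dest/$f" "$ARGOCD_RELEASE_URL/$tag/$f"
  done
  if ! verify_cli_checksum "$dest/cli_checksums.txt" "$dest/$asset" "$asset" ||
     ! verify_cli_provenance "$dest/$asset" "$dest/argocd-cli.intoto.jsonl" "$tag"; then
    rm -f "$dest/$asset"; return 1
  fi
  chmod +x "$dest/$asset"
}
```

Pin TAG to a full release tag rather than a floating "latest" so the binary, checksum list and provenance all come from the same release.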