To mitigate supply-chain risks (Trivy & friends), I would suggest we implement
a) a cool-down period for new package versions
b) use Cisco Artifactory as index-url to benefit from package scanning and malicious-package blocking
Need to see if we can also adjust Dependabot
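An added example (not from the thread) of how the proposed cool-down period could be enforced on the client side: given package metadata in the shape of the PyPI JSON API (`releases` -> version -> files with `upload_time_iso_8601`), it picks the newest release that has aged past the window and reports the newer ones still quarantined. The sample metadata, the fixed evaluation time and the 7-day window are constructed values.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of a PyPI JSON API response
# (https://pypi.org/pypi/<name>/json): "releases" maps version -> file list.
SAMPLE_METADATA = json.loads("""{
  "info": {"name": "examplepkg"},
  "releases": {
    "1.2.0": [{"upload_time_iso_8601": "2024-01-10T09:00:00.000000Z"}],
    "1.3.0": [{"upload_time_iso_8601": "2024-03-01T12:00:00.000000Z"}],
    "1.3.1": [{"upload_time_iso_8601": "2024-03-14T08:30:00.000000Z"},
              {"upload_time_iso_8601": "2024-03-14T08:31:00.000000Z"}],
    "1.4.0": [],
    "2.0.0": [{"upload_time_iso_8601": "2024-03-18T16:45:00.000000Z"}]
  }
}""")

# Fixed evaluation instant so the example is reproducible offline.
NOW = datetime(2024, 3, 20, tzinfo=timezone.utc)


def _version_key(version: str) -> tuple:
    # Simplified ordering: numeric components only (no PEP 440 pre-release rules).
    return tuple(int(p) for p in re.findall(r"\d+", version))


def _first_upload(files: list):
    """Earliest upload time among a release's files; None for an empty release."""
    times = [datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
             for f in files]
    return min(times) if times else None


def select_cooled_version(metadata: dict, cooldown_days: int, now: datetime = NOW):
    """Return (chosen_version, quarantined_versions).

    chosen_version is the newest release first uploaded at least cooldown_days
    before `now`; quarantined_versions are releases still inside the window.
    """
    cutoff = now - timedelta(days=cooldown_days)
    eligible, quarantined = [], []
    for version, files in metadata["releases"].items():
        uploaded = _first_upload(files)
        if uploaded is None:  # release with no files (e.g. fully yanked): skip
            continue
        (eligible if uploaded <= cutoff else quarantined).append(version)
    chosen = max(eligible, key=_version_key) if eligible else None
    return chosen, sorted(quarantined, key=_version_key)
```

With a 7-day window the resolver settles on 1.3.0 and holds back 1.3.1 and 2.0.0; shrinking the window to one day lets 2.0.0 through.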