Integrating security into your CI/CD pipeline is critical to practicing DevSecOps. This action aims to be secure by default, but it should be complemented with your own review to ensure it meets your (organization's) security requirements.
- Action dependencies are maintained by GitHub and pinned to a specific SHA: actions/cache, actions/github-script and actions/upload-artifact.
- Restrict changes to certain environments with deployment protection rules so that approval is required before changes to the infrastructure can be applied.
- Easy integration with OpenID Connect: short-lived credentials are passed to the workflow as environment variables, so no long-lived cloud secrets need to be stored in the repository.
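A workflow that combines the three points above (SHA-pinned dependencies, an environment with deployment protection rules, and OIDC-based short-lived credentials), as an added example that is not part of this repository. The action name `OWNER/ACTION-NAME`, the commit SHAs, the AWS role ARN and the `production` environment are placeholders, and AWS is assumed as the cloud provider; the repository's own action may target a different one.

```yaml
# Added example, not the repository's own workflow. OWNER/ACTION-NAME, the
# <full-commit-sha> values, the role ARN and the environment name are
# placeholders to be replaced with real values.
name: infrastructure

on:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write   # needed to request an OIDC token from GitHub

jobs:
  apply:
    runs-on: ubuntu-latest
    # Deployment protection rules (for example required reviewers) are set
    # on this environment in the repository settings, so the job waits for
    # approval before any step runs against the infrastructure.
    environment: production
    steps:
      - uses: actions/checkout@<full-commit-sha>   # pin by SHA, not by tag

      # Exchange the OIDC token for short-lived cloud credentials; the
      # action exports them to later steps as environment variables, so no
      # static access keys are stored as repository secrets.
      - uses: aws-actions/configure-aws-credentials@<full-commit-sha>
        with:
          role-to-assume: arn:aws:iam::123456789012:role/placeholder-deploy-role
          aws-region: eu-west-1

      # The action itself, also pinned to a full commit SHA.
      - uses: OWNER/ACTION-NAME@<full-commit-sha>
```

Dependabot or a similar tool can keep SHA-pinned `uses:` references up to date, which is the usual answer to the maintenance cost of pinning.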
| Version | Supported |
|---|---|
| v11.X | Yes |
| ≤ v0.X | No |
You must never report security-related issues, vulnerabilities or bugs that include sensitive information to the issue tracker or anywhere else in public. Instead, sensitive bugs must be sent by email to security@devsec.top or reported via a Security Advisory.