Feature: Adding Canary Tokens to detect supply chain compromise #853

@gemmajacobson

Description

Clear and concise description of the problem

I'd like to add security canaries to this repo for monitoring and detecting supply chain attacks, and protecting the wider community. A great example of the benefits of canaries in protecting the community is seen in this Grafana post, and in the research paper Detecting the Modern Supply Chain Attack: High-Fidelity Canaries for CI/CD.

I'm happy to raise the PR and implement it myself (see below).

Suggested solution

There's a free Tracebit Community Edition GitHub integration you can install here that sets this up in under 5 minutes - once you do, it injects canary tokens (decoy credentials that look real but nothing legitimate ever uses) into every running build. If anyone tries to use one, you get an alert straight away. Since no real process ever touches them, a trigger means there's likely an issue.

Alternative

No response

Additional context

I'm also more than happy to raise a PR and implement it myself. No stress if it doesn't fit - thought it would be useful to share with the wider community.

Full disclosure: I work for Tracebit and built this myself. Our Community Edition is fully designed with community in mind and will remain free forever.

Thanks,
Gemma
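To make the mechanism described in the suggested solution concrete (decoy credentials planted in every build, and any use of one treated as an alert), here is an added example. It is not Tracebit's code and not part of this issue; it assumes the decoy follows the AWS access-key shape (`AKIA` plus 16 characters, 40-character secret), that the build is identified by hypothetical `repo`/`workflow`/`run` fields, and that the "use" events are constructed CloudTrail-style JSON lines rather than real logs.

```python
"""Mint per-build canary credentials and detect any use of them.

Added illustration of the canary-token idea; not Tracebit's implementation.
Assumptions (not from the issue): AWS-shaped decoys, a hypothetical build
descriptor with repo/workflow/run fields, and constructed CloudTrail-like
JSON events as the thing a detector would scan.
"""
import json
import secrets
import string
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

KEY_ALPHABET = string.ascii_uppercase + string.digits


@dataclass(frozen=True)
class Canary:
    """A decoy credential plus the build it was planted in (for attribution)."""
    access_key_id: str
    secret_access_key: str
    build: dict


def mint_canary(build: dict) -> Canary:
    """Create a decoy that looks like a real AWS key pair but is valid nowhere.

    Only the shape is realistic: 'AKIA' + 16 upper-case alphanumerics for the
    id and a 40-character secret, so neither a scanner nor an attacker can
    tell it apart from a live key by inspection.
    """
    key_id = "AKIA" + "".join(secrets.choice(KEY_ALPHABET) for _ in range(16))
    secret = secrets.token_urlsafe(30)  # 30 random bytes -> 40 url-safe chars
    return Canary(key_id, secret, dict(build))


def build_env(canary: Canary) -> Dict[str, str]:
    """Environment to inject into a build: the decoy sits exactly where a real
    key would, which is where a compromised build step or dependency looks."""
    return {
        "AWS_ACCESS_KEY_ID": canary.access_key_id,
        "AWS_SECRET_ACCESS_KEY": canary.secret_access_key,
    }


class CanaryRegistry:
    """Every decoy ever issued, keyed by id, so a later use maps to a build."""

    def __init__(self) -> None:
        self._by_key_id: Dict[str, Canary] = {}

    def issue(self, build: dict) -> Canary:
        canary = mint_canary(build)
        self._by_key_id[canary.access_key_id] = canary
        return canary

    def lookup(self, key_id: Optional[str]) -> Optional[Canary]:
        return self._by_key_id.get(key_id) if key_id else None


def detect_canary_use(registry: CanaryRegistry, log_lines: Iterable[str]) -> List[dict]:
    """Scan CloudTrail-style JSON events and raise one alert per canary hit.

    No thresholds or baselining: legitimate code never uses a decoy, so a
    single access attempt is already a high-fidelity signal.
    """
    alerts: List[dict] = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than crash the detector
        key_id = event.get("userIdentity", {}).get("accessKeyId")
        canary = registry.lookup(key_id)
        if canary is None:
            continue
        alerts.append({
            "access_key_id": key_id,
            "event": event.get("eventName"),
            "source_ip": event.get("sourceIPAddress"),
            "time": event.get("eventTime"),
            "planted_in": canary.build,  # which pipeline run leaked the decoy
            # The cloud rejects the decoy (errorCode present); the attempt
            # itself is the signal, because nobody legitimate holds this key.
            "rejected": "errorCode" in event,
        })
    return alerts


def demo() -> List[dict]:
    """Plant one canary in a hypothetical CI run and scan constructed events."""
    registry = CanaryRegistry()
    canary = registry.issue({"repo": "example/app", "workflow": "ci.yml", "run": 42})
    # Constructed sample log lines for this example, not real CloudTrail output.
    lines = [
        json.dumps({"eventTime": "2024-01-01T00:00:00Z", "eventName": "GetCallerIdentity",
                    "userIdentity": {"accessKeyId": canary.access_key_id},
                    "sourceIPAddress": "198.51.100.7", "errorCode": "InvalidClientTokenId"}),
        json.dumps({"eventTime": "2024-01-01T00:00:05Z", "eventName": "ListBuckets",
                    "userIdentity": {"accessKeyId": "AKIAEXAMPLEREALKEY01"},
                    "sourceIPAddress": "203.0.113.9"}),
        "not json at all",
    ]
    return detect_canary_use(registry, lines)


if __name__ == "__main__":
    for alert in demo():
        print(json.dumps(alert, indent=2))
```

The registry is what turns a hit into something actionable: the alert carries the build the decoy was planted in, so a responder knows which workflow run (and therefore which dependency set or action version) was exfiltrating secrets. Keeping the decoys in the same environment variables as real keys matters for the same reason the issue gives: an attacker harvesting `AWS_*` variables cannot tell which one is the trap.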

Labels: enhancement (New feature or request)