{"id":307329,"date":"2022-08-11T06:23:24","date_gmt":"2022-08-11T08:23:24","guid":{"rendered":"https:\/\/teknomers.com\/fr\/github-dependabot-alerte-desormais-les-developpeurs-sur-les-actions-github-vulnerables\/"},"modified":"2022-08-11T06:23:25","modified_gmt":"2022-08-11T08:23:25","slug":"github-dependabot-alerte-desormais-les-developpeurs-sur-les-actions-github-vulnerables","status":"publish","type":"post","link":"https:\/\/teknomers.com\/fr\/github-dependabot-alerte-desormais-les-developpeurs-sur-les-actions-github-vulnerables\/","title":{"rendered":"GitHub Dependabot alerte d\u00e9sormais les d\u00e9veloppeurs sur les actions GitHub vuln\u00e9rables"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both\"><\/div>\n<p>La plate-forme d&#8217;h\u00e9bergement de code bas\u00e9e sur le cloud GitHub a annonc\u00e9 qu&#8217;elle commencerait d\u00e9sormais \u00e0 envoyer des alertes Dependabot pour les actions GitHub vuln\u00e9rables afin d&#8217;aider les d\u00e9veloppeurs \u00e0 r\u00e9soudre les probl\u00e8mes de s\u00e9curit\u00e9 dans les workflows CI\/CD.<\/p>\n<p>&#8220;Lorsqu&#8217;une vuln\u00e9rabilit\u00e9 de s\u00e9curit\u00e9 est signal\u00e9e dans une action, notre \u00e9quipe de chercheurs en s\u00e9curit\u00e9 cr\u00e9era un avis pour documenter la vuln\u00e9rabilit\u00e9, ce qui d\u00e9clenchera une alerte aux r\u00e9f\u00e9rentiels concern\u00e9s&#8221;, ont d\u00e9clar\u00e9 Brittany O&#8217;Shea et Kate Catlin de GitHub. <a rel=\"nofollow noopener\" href=\"https:\/\/github.blog\/2022-08-09-dependabot-now-alerts-for-vulnerable-github-actions\/\" target=\"_blank\">a dit<\/a>.<\/p>\n<div class=\"ad_two clear\"><a rel=\"nofollow noopener\" href=\"https:\/\/go.thn.li\/strike-d\" target=\"_blank\" title=\"DevOps backupy\"><img decoding=\"async\" alt=\"La cyber-s\u00e9curit\u00e9\" class=\"lazyload\" loading=\"lazy\" src=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2022\/07\/Une-nouvelle-etude-revele-que-la-plupart-des-fournisseurs-dentreprise.png\" width=\"300\" height=\"250\" \/><\/a><\/div>\n<p><a rel=\"nofollow noopener\" href=\"https:\/\/github.com\/features\/actions\" target=\"_blank\">Actions GitHub<\/a> est une solution d&#8217;int\u00e9gration et de livraison continues (CI\/CD) qui permet aux utilisateurs d&#8217;automatiser le pipeline de cr\u00e9ation, de test et de d\u00e9ploiement de logiciels.<\/p>\n<div class=\"separator\" style=\"clear: both\"><img decoding=\"async\" alt=\"Actions d\u00e9pendantes de GitHub\" border=\"0\" data-original-height=\"294\" data-original-width=\"728\" src=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2022\/08\/1660206204_642_GitHub-Dependabot-alerte-desormais-les-developpeurs-sur-les-actions-GitHub.jpg\" title=\"Actions d\u00e9pendantes de GitHub\" \/><\/div>\n<p><a rel=\"nofollow noopener\" href=\"https:\/\/github.com\/dependabot\" target=\"_blank\">D\u00e9pendabot<\/a> fait partie des efforts continus de la filiale appartenant \u00e0 Microsoft pour s\u00e9curiser le <a rel=\"nofollow noopener\" href=\"https:\/\/github.com\/features\/security\/software-supply-chain\" target=\"_blank\">cha\u00eene d&#8217;approvisionnement de logiciels<\/a> par <a rel=\"nofollow noopener\" href=\"https:\/\/docs.github.com\/en\/code-security\/dependabot\/dependabot-alerts\/about-dependabot-alerts\" target=\"_blank\">notifier<\/a> utilisateurs que leur code source d\u00e9pend d&#8217;un paquet avec une vuln\u00e9rabilit\u00e9 de s\u00e9curit\u00e9 et aidant \u00e0 maintenir toutes les d\u00e9pendances \u00e0 jour.<\/p>\n<p>La derni\u00e8re d\u00e9cision implique la r\u00e9ception d&#8217;alertes sur les actions GitHub et les vuln\u00e9rabilit\u00e9s affectant le code du d\u00e9veloppeur, les utilisateurs ayant \u00e9galement la possibilit\u00e9 de soumettre un avis pour une action GitHub sp\u00e9cifique en adh\u00e9rant \u00e0 un processus de divulgation coh\u00e9rent.<\/p>\n<div class=\"ad_two clear\"><a rel=\"nofollow noopener\" href=\"https:\/\/go.thn.li\/crowdsec-tour-d\" target=\"_blank\" title=\"CyberSecurity\"><img decoding=\"async\" alt=\"La cyber-s\u00e9curit\u00e9\" class=\"lazyload\" loading=\"lazy\" src=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2022\/07\/1656663365_395_Amazon-corrige-discretement-la-vulnerabilite-de-gravite-elevee-dans-lapplication.jpg\" width=\"728\" height=\"90\" \/><\/a><\/div>\n<p>&#8220;Des am\u00e9liorations comme celles-ci renforcent GitHub et la posture de s\u00e9curit\u00e9 de nos utilisateurs, c&#8217;est pourquoi nous continuons \u00e0 investir dans le renforcement des points de connexion entre les solutions de s\u00e9curit\u00e9 de la cha\u00eene d&#8217;approvisionnement de GitHub et les actions GitHub pour am\u00e9liorer la s\u00e9curit\u00e9 de nos builds&#8221;, a not\u00e9 la soci\u00e9t\u00e9.<\/p>\n<p>Le d\u00e9veloppement arrive alors que GitHub, plus t\u00f4t cette semaine, a ouvert une nouvelle demande de commentaires (RFC) pour un syst\u00e8me opt-in qui permet aux mainteneurs de paquets de signer et de v\u00e9rifier les paquets publi\u00e9s sur NPM en collaboration avec Sigstore.<\/p>\n<p><\/p>\n<\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/thehackernews.com\/2022\/08\/github-dependabot-now-alerts-developers.html\" rel=\"nofollow noopener\" target=\"_blank\">ttn-fr-57<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>La plate-forme d&#8217;h\u00e9bergement de code bas\u00e9e sur le cloud GitHub a annonc\u00e9 qu&#8217;elle commencerait d\u00e9sormais \u00e0 envoyer des alertes Dependabot pour les actions GitHub vuln\u00e9rables afin d&#8217;aider les d\u00e9veloppeurs \u00e0 r\u00e9soudre les probl\u00e8mes de s\u00e9curit\u00e9 dans les workflows CI\/CD. &#8220;Lorsqu&#8217;une vuln\u00e9rabilit\u00e9 de s\u00e9curit\u00e9 est signal\u00e9e dans une action, notre \u00e9quipe de chercheurs en s\u00e9curit\u00e9 cr\u00e9era [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":307330,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[1964,4747,4168,4158,4165,4161,98836,4300,11530,50438,4157,4159,4171,4170,65,4167,98340,4163,4162,4172,4169,60,4166,4164,4698],"class_list":["post-307329","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technologie","tag-actions","tag-alerte","tag-comment-pirater","tag-cyber-actualites","tag-cyber-attaques","tag-cyber-mises-a-jour","tag-dependabot","tag-desormais","tag-developpeurs","tag-github","tag-lactualite-de-la-cybersecurite","tag-lactualite-de-la-cybersecurite-aujourdhui","tag-lactualite-des-hackers","tag-la-securite-des-informations","tag-les","tag-logiciel-malveillant-de-ransomware","tag-mises-a-jour-de-cybersecurite","tag-nouvelles-de-piratage","tag-nouvelles-de-pirates","tag-securite-informatique","tag-securite-internet","tag-sur","tag-violation-de-donnees","tag-vulnerabilite-logicielle","tag-vulnerables"],"_links":{"self":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/307329","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/comments?post=307329"}],"version-history":[{"count":0,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/307329\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media\/307330"}],"wp:attachment":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media?parent=307329"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/categories?post=307329"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/tags?post=307329"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}