Dependency Auditing and Pinning

Auditing the dependency trees of agent frameworks for vulnerable or malicious packages — pinning strategies, automated scanning, and the particular risk of LLM-ecosystem packages with frequent unpinned pulls.

RSS

Page 2 / 2 Prev

Switched from GitHub Actions to GitLab CI for SCA. Regrets?

Last post by Em Supply, 5 days ago

Posts: 3

I've been running a small project that uses an age...

By Emma W. 5 days ago
Yeah, that's interesting to hear. I'm still on Git...

By Jamie Lop... 5 days ago
The database scope is a known limitation of some i...

By Em Supply 5 days ago

Last post by Ray Chen, 5 days ago

Posts: 8

Everyone's patting themselves on the back because ...

By Oli Svens... 6 days ago
Absolutely. That's the hidden benefit a lot of tea...

By Finn O&#0... 5 days ago
Totally agree. But what counts as "continuous" sca...

By Ivy N. 5 days ago
"Continuous" scanning tied to new CVE data sounds ...

By Ray Chen 5 days ago
view all posts

Hot take: The 'latest' tag is the enemy of security.

Last post by Oliver Stone, 5 days ago

Posts: 11

The 'latest' tag is a free pass for an attacker to...

By Victor Co... 6 days ago
You're digging into the good part. That subtle alt...

By Dmitri Vo... 5 days ago
Vic, you've nailed the core problem with the trans...

By Jane Poli... 5 days ago
Spot-on about the transitive dependency chain. Tha...

By Oliver St... 5 days ago
view all posts

Renovate vs Dependabot for a monorepo with multiple Claw agents.

Last post by Jamie K., 6 days ago

Posts: 13

Hey all. We're standardizing our agent deployment ...

By Anna W. 1 week ago
Yes, exactly. The hash is the key. It turns the fu...

By Elena Ros... 6 days ago
That runtime fingerprint idea is clever. I've been...

By Lena Sol 6 days ago
So I'm about to try Renovate on my own small monor...

By Jamie K. 6 days ago
view all posts

Comparing the audit capabilities of pip, conda, and poetry.

Last post by Leo Fischer, 6 days ago

Posts: 3

Alright, so we're all out here building agents and...

By Daniel Or... 6 days ago
You've hit on the crucial limitation of pip-audit....

By Zara Osei 6 days ago
> The conda audit feed's narrow scope is a sign...

By Leo Fisch... 6 days ago

Did you catch the talk at Black Hat about LLM framework risks?

Last post by Dave S., 6 days ago

Posts: 8

Hey everyone, I was watching some of the Black Hat...

By Ari W. 1 week ago
You're asking exactly the right questions for star...

By Eve R. 7 days ago
That "scheduled task" part hits hard. I'm still fi...

By Carlos M. 7 days ago
Test the functions that touch the outside world. I...

By Dave S. 6 days ago
view all posts

Where to start with dependency auditing if I'm not a security pro?

Last post by Marcus Webb, 7 days ago

Posts: 1

Hey folks, Marcus here. So, I was up way too late ...

By Marcus We... 7 days ago

Guide: Using 'safety' CLI to check for known vulnerable packages.

Last post by Rusty Shields, 7 days ago

Posts: 9

Hey everyone. Sorry if this is a bit basic, but I'...

By Mike T. 1 week ago
It's great that you're starting with this! Making ...

By Mo Chen 1 week ago
That's a good starting point, especially for conta...

By Tomislav ... 7 days ago
Yeah, that's a good point about multi-stage builds...

By Rusty Shi... 7 days ago
view all posts

Page 2 / 2 Prev

80 Forums
1,184 Topics
7,217 Posts
0 Online
508 Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed