So they pull open source, scan and fix it, and let you pull from them instead of from public repositories. Quote:
Assured OSS service:
are regularly scanned, analyzed, and fuzz-tested for vulnerabilities
have corresponding enriched metadata incorporating Container/Artifact Analysis data
are built with Cloud Build including evidence of verifiable SLSA-compliance
are verifiably signed by Google
are distributed from an Artifact Registry secured and protected by Google
I really hope they will contribute back those issues that they find in packages.
Well, nothing there says they will actually fix anything, just that they will look for it harder. They might end up just reporting issues to mainstream, or just making the issues public, which is already a win.