@@ -68,20 +68,23 @@ Keep in mind that some templates might install dependencies not covered by proje
#### Limit the risk of supply chain attack
When a dependency is compromised ([Shai-Hulud](https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/) for example), it is generally detected and removed from the repositories (NPM, PyPI, etc.) in the first hours/days after it has been published. A good practice is to configure your package managers (npm, yarn, poetry, etc.) on your development machines so that they do not download dependencies that have been published very recently. [pnpm](https://pnpm.io/settings#minimumreleaseage) and [yarn](https://yarnpkg.com/configuration/yarnrc#npmMinimalAgeGate) already support such settings.
When a dependency is compromised ([Shai-Hulud](https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/) for example), it is generally detected and removed from the repositories (NPM, PyPI, etc.) in the first hours/days after it has been published.
A good practice is to configure your package managers (npm, yarn, poetry, etc.) on your development machines so that they do not download dependencies that have been published very recently.
[pnpm](https://pnpm.io/settings#minimumreleaseage) and [yarn](https://yarnpkg.com/configuration/yarnrc#npmMinimalAgeGate) already support such settings.
Renovate also has a similar [option](https://docs.renovatebot.com/key-concepts/minimum-release-age/) when updating dependencies.
## Vulnerability Reports (Trivy)
> [!important]
> When reviewing vulnerabilities from containers, you have to consider the following principes :
> When reviewing vulnerabilities from containers, keep in mind the following considerations:
>
> - containers are usually very short-lived in a CI/CD environment
> - no direct user access is possible
> - most job does not expose any exteral services (i.e. HTTP server) making attacks reliant on user interaction very hard if not impossible to exploit
> - Containers are usually very short-lived in a CI/CD context.
> - No direct user access is possible.
> - Most job do not expose any external endpoint (i.e. HTTP server), making vulnerabilities relying on user interaction very hard if not impossible to exploit.
>
> In short, risks are often low in **the CI/CD context** but carefully reviewing vulnerabilities are an essential step to secure your pipeline.
> In short, even though risks are often reduced in a CI/CD context, this should not mean that vulnerabilities assessment are unnecessary.
> They remain an essential step in securing your pipeline.
Here are vulnerability reports for each default image used by _to be continuous_ templates (generated every day):
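Review bot: two of the rewritten lines in this hunk still carry grammar slips that the rewrite was meant to fix. `> - Most job do not expose any external endpoint (i.e. HTTP server), making vulnerabilities relying on user interaction very hard if not impossible to exploit.` should read "Most jobs do not expose any external endpoint (e.g. an HTTP server), ..." (plural subject, and an HTTP server is given as an example, so "e.g." rather than "i.e."), and `> In short, even though risks are often reduced in a CI/CD context, this should not mean that vulnerabilities assessment are unnecessary.` should read "that vulnerability assessments are unnecessary". In the supply-chain paragraph, the recommendation lists npm and poetry among the package managers to configure, but the following sentence only names pnpm and yarn as supporting a minimum-release-age setting; it would help readers to state plainly that the protection is currently available in those two package managers and in Renovate, so that npm or poetry users do not go looking for an option the text does not claim exists.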