<![CDATA[A useful reminder from the last few days, I think: security tooling is part of the attack surface

<![CDATA[A useful reminder from the last few days, I think: security tooling is part of the attack surface - maybe that aren't news.]]>A useful reminder from the last few days, I think: security tooling is part of the attack surface - maybe that aren't news.

But: If scanners, GitHub Actions or container images get compromised, this is not just a supply chain problem on paper. It hits the exact layer we **usually** trust to keep the rest safe.

Feels like a good time to ask: where are we still too loose on pinning, still trusting `latest`, or still assuming third-party actions are probably fine?

I think we need to find the right balance between `latest` and waiting days or even weeks to update a component (especially if it's an security patch).

#axios #trivy #supplychain #supplychainsecurity #cybersecurity #security

]]>https://board.circlewithadot.net/topic/4d697126-0fc0-4443-a250-008d8e81d1af/a-useful-reminder-from-the-last-few-days-i-think-security-tooling-is-part-of-the-attack-surface-maybe-that-aren-t-news.RSS for NodeMon, 06 Apr 2026 06:37:48 GMTWed, 01 Apr 2026 16:01:44 GMT60