A useful reminder from the last few days, I think: security tooling is part of the attack surface - maybe that isn't news.

But: if scanners, GitHub Actions or container images get compromised, this is not just a supply chain problem on paper. It hits the exact layer we **usually** trust to keep the rest safe.

Feels like a good time to ask: where are we still too loose on pinning, still trusting `latest`, or still assuming third-party actions are probably fine?

I think we need to find the right balance between `latest` and waiting days or even weeks to update a component (especially if it's a security patch).

#axios #trivy #supplychain #supplychainsecurity #cybersecurity #security
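
One way to answer the pinning question for a single workflow file, as an added example that is not part of the original post: a Python check that flags `uses:` references not pinned to a full commit SHA and container images referenced by tag or `latest` instead of a digest. The workflow content and every action and image name in it are constructed placeholders.

```python
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
IMAGE_RE = re.compile(r"^\s*(?:-\s*)?image:\s*['\"]?([^'\"\s#]+)")

def check_image(ref):
    # A digest is immutable; any tag (or no tag at all) can be repointed.
    if "@sha256:" in ref:
        return None
    name = ref.rsplit("/", 1)[-1]  # ignore a registry host:port prefix
    if ":" not in name or name.endswith(":latest"):
        return "image resolves to 'latest'"
    return "image tag is mutable (no sha256 digest)"

def check_uses(ref):
    if ref.startswith("./"):
        return None  # local action, versioned with the repository itself
    if ref.startswith("docker://"):
        return check_image(ref[len("docker://"):])
    version = ref.rsplit("@", 1)[1] if "@" in ref else ""
    if SHA_RE.match(version):
        return None
    return f"action ref '{version}' is not a full commit SHA"

def audit_workflow(text):
    """Return (line_no, reference, reason) for every mutable reference."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for pattern, check in ((USES_RE, check_uses), (IMAGE_RE, check_image)):
            m = pattern.match(line)
            reason = check(m.group(1)) if m else None
            if reason:
                findings.append((n, m.group(1), reason))
    return findings

# Constructed sample workflow; all action and image names are hypothetical.
SAMPLE = """\
jobs:
  scan:
    container:
      image: registry.example/scanner:latest
    steps:
      - uses: example-org/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: example-org/scanner-action@v1
      - uses: ./.github/actions/local-step
      - uses: docker://registry.example/tool:1.2
"""
```

Calling `audit_workflow(SAMPLE)` reports the `latest` image, the `@v1` action and the tag-only `docker://` reference, and passes the SHA-pinned and local actions.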