Preflight

Preflight assists you in verifying scripts and executables to reduce the risk of supply chain attacks, such as the recent Codecov hack. To begin with, it's a classic case of the chicken and the egg.

How do you obtain a legitimate preflight binary from us without verifying it with preflight? The best approach is to download the source code, compile it yourself, and use your own binary, placing it in a location you trust. People typically have several safe options for doing this: Store it in your own S3 bucket, Upload it to your own Artifactory or a similar service, Push it directly into your repositories (it should be as small as 4MB and rarely changes, so Git should handle it well), or Build from source directly into your containers using the following Dockerfile: FROM golang:1.16-alpine AS preflight_builder RUN apk add --no-cache git WORKDIR /builds RUN GOBIN=`pwd` go get -u github.com/spectralops/preflight # Build from a bare image and copy the built binary FROM alpine:3.9 RUN apk add ca-certificates COPY --from=preflight_builder /builds/preflight /usr/local/bin # Use preflight as you wish RUN curl https://..