Proposal: position-anchored tags to make tag tampering human-visible #10438
thegravelinspector started this conversation in Ideas
Replies: 0 comments
Description
Position-anchored tags: a detection convention
SHA pinning solves the machine problem, but humans can't glance at hex strings. A simple complement: embed the commit position and short hash in the tag name:
The `r75` is a slow-moving number anyone familiar with a project will notice if it changes. In this incident, 75 rewritten tags would have shown wildly wrong position numbers — instantly suspicious, no tooling needed.

Full proposal with scripts: https://github.com/thegravelinspector/position-anchored-tags
(Drafted with help from Claude.)
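The check a reviewer or a CI job would run against this convention, as an added example that is not part of the discussion or of the linked proposal's scripts. The tag layout it assumes, `<version>-r<position>-g<shorthash>` (for instance `v1.2.3-r75-gabc1234`), is an assumption, since the discussion text does not spell one out; `position` is taken to be `git rev-list --count` of the tagged commit. Only `repo_anchor` talks to git; everything else runs offline on the constructed sample tags at the bottom.

```python
"""Position-anchored tag check (added example, not the proposal's own scripts).

Assumed tag layout, which the discussion does not spell out:
    <version>-r<position>-g<shorthash>      e.g. v1.2.3-r75-gabc1234
where <position> is the commit count reachable from the tagged commit
(`git rev-list --count`) and <shorthash> its abbreviated object id.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

TAG_RE = re.compile(
    r"^(?P<version>v\d+(?:\.\d+)*)-r(?P<position>\d+)-g(?P<sha>[0-9a-f]{7,40})$"
)


@dataclass(frozen=True)
class Anchor:
    version: str
    position: int
    short_sha: str


def parse_anchored_tag(tag: str) -> Optional[Anchor]:
    """Return the anchor embedded in a tag name, or None if it does not follow the layout."""
    m = TAG_RE.match(tag)
    if not m:
        return None
    return Anchor(m["version"], int(m["position"]), m["sha"])


def build_anchored_tag(version: str, position: int, full_sha: str, abbrev: int = 7) -> str:
    """Compose a tag name from data a release script already has at hand."""
    return f"{version}-r{position}-g{full_sha[:abbrev]}"


def check_tag(tag: str, actual_position: int, actual_sha: str) -> List[str]:
    """Compare the anchor in the tag name with what the repository says the tagged
    commit is. Returns a list of findings; an empty list means the tag is consistent."""
    anchor = parse_anchored_tag(tag)
    if anchor is None:
        return [f"{tag}: not position-anchored"]
    findings = []
    if anchor.position != actual_position:
        findings.append(
            f"{tag}: name says commit #{anchor.position}, tagged commit is #{actual_position}"
        )
    if not actual_sha.startswith(anchor.short_sha):
        findings.append(
            f"{tag}: name says {anchor.short_sha}, tagged commit is {actual_sha[:12]}"
        )
    return findings


def repo_anchor(rev: str, repo: str = ".") -> Tuple[int, str]:
    """Ask git for the position and full id of `rev` (needs a checkout; not used offline)."""
    count = subprocess.check_output(
        ["git", "-C", repo, "rev-list", "--count", rev], text=True
    ).strip()
    sha = subprocess.check_output(
        ["git", "-C", repo, "rev-parse", f"{rev}^{{commit}}"], text=True
    ).strip()
    return int(count), sha


# Constructed sample: three tags as they would appear in `git tag`, each paired
# with the (constructed) position and id of the commit it currently points at.
SAMPLE_TAGS = [
    ("v1.2.3-r75-gabc1234", 75, "abc1234def5678901234567890abcdef12345678"),
    # rewritten to point at a much newer commit: position jumps from 76 to 912
    ("v1.2.4-r76-g9f8e7d6", 912, "0c0ffee00000000000000000000000000000beef"),
    # legacy tag without an anchor: flagged so the gap is visible, not silently passed
    ("v2.0.0", 200, "1111111111111111111111111111111111111111"),
]


def audit(sample=SAMPLE_TAGS) -> List[str]:
    """Run check_tag over (tag, position, sha) triples and collect every finding."""
    out: List[str] = []
    for tag, pos, sha in sample:
        out.extend(check_tag(tag, pos, sha))
    return out


if __name__ == "__main__":
    for line in audit():
        print(line)
```

In a real checkout the triples come from `for t in $(git tag)` paired with `repo_anchor(t)`; the rewritten tag above is caught twice, once because its position moved and once because the short hash no longer matches, which is the point of carrying both in the name.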
Target: Git Repository
Scanner: Vulnerability