Question 1

How do I integrate Preflight with GitHub Actions?

Accepted Answer

Preflight offers a dedicated GitHub Action 'spectralops/setup-preflight' for easy installation, and the README includes examples for securing scripts like Codecov bash uploader by piping curl outputs through preflight run with a known hash.

Question 2

Preflight vs Cosign: which is better for supply chain security?

Accepted Answer

Preflight focuses on hash verification and optional malware checks for scripts and executables in pipelines, while Cosign provides broader container signing and attestation. Choose Preflight for lightweight, CLI-based script validation; Cosign for comprehensive container image security with cryptographic signatures.

Question 3

Can Preflight check for malware in real-time?

Accepted Answer

Yes, but it's not real-time in the traditional sense—it checks hashes against pre-downloaded lists or VirusTotal's database. For dynamic threats, you must regularly update file-based lists or rely on VirusTotal's API, which may have latency.

Question 4

How to handle script updates without breaking CI with Preflight?

Accepted Answer

Use Preflight's support for multiple hashes or a URL to a hash list, as shown in the 'Dealing with changing runnables' section. Provide comma-separated old and new hashes or a live URL that updates, allowing seamless transitions during rollouts.

Question 5

Is Preflight suitable for Windows environments?

Accepted Answer

Preflight is a Go binary that can be compiled for Windows, and the README mentions release downloads, but it's primarily tested in Unix-like environments. For Windows, you may need to adapt examples for PowerShell or cmd, and malware lookup integration might require additional setup.

Question 6

How to create and manage hash lists for Preflight?

Accepted Answer

Use 'preflight create' to generate hashes for scripts, then store them in a file or serve via a URL. The README suggests using S3 buckets or internal repos for trust, but you must manually update these lists when scripts change, as there's no automated management.

Preflight

What is Preflight?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions