Thanks @Karl-WE. I reached out to Mike to learn a bit more and see what the options/benefits are.
I have just attended a cloud user group, and Mike Martin (Microsoft Technical Evangelist) presented that it is possible to connect GitHub to Azure Security.
This was mentioned for securing Docker containers and the like. I wonder if this technology could be used to crawl through PRs for new YAML files in the repo and to check for YAML files pointing to malicious DL sources for a changed product or new product in the pkgs.
Idea: on submission, an automation could actively check the YAML, download the app from the download location and check in a sandbox if the download is clean, or eventually detect if the app is a valid one from the vendor by checking the application cert etc.
Is this something realistic or useful to make winget even more secure?
cc @denelon