GHA-SEC009 Missing Checksum for Downloads
Problem Statement
Scripts and binaries fetched during a workflow run must be validated for integrity before they are executed. A step that pipes a download straight into a shell runs whatever bytes arrived, so a hijacked host, a replaced file, or a man-in-the-middle on a plain-HTTP connection can execute arbitrary code with the job's permissions, tokens and secrets. Pin the expected digest (or a signing key) in the workflow and refuse to run anything that does not match it.
Vulnerability
Remote Code Execution
Code Examples
Insecure Implementation
# Fetched over plain HTTP and piped straight into bash: nothing checks what arrived
- run: curl -sSL http://example.com/script.sh | bash
Secure Implementation
- shell: bash   # explicit bash gives -e and -o pipefail, so a failed check stops the step
  run: |
    curl -sSL -o script.sh https://example.com/script.sh
    # "abcd1234" is a placeholder: use the full 64-character hex SHA-256, computed out of band
    # and committed with the workflow. sha256sum -c expects "<hash>  <file>" (two spaces).
    echo "abcd1234  script.sh" | sha256sum -c -
    bash script.sh
Remediation Steps
- Validate every download before execution, using a SHA-256 digest pinned in the workflow or a GPG signature checked against a key whose fingerprint is pinned.
- Obtain the expected digest out of band (from the project's release page or signed release notes), not from the same unauthenticated download.
- Download to a file, verify it, and only then execute it; never pipe a download directly into a shell.
- Make a mismatch fail the job (run under bash -e / pipefail or chain the check with &&) so a tampered file is never run.
- Fetch over HTTPS and pin a specific version or release so the digest stays stable.
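The following shell helper shows the download-then-verify pattern from the remediation steps as it would be called from a `run:` step. It is an added example, not code from the rule page or from any tool the rule describes; the function names `sha256_of`, `verify_sha256` and `fetch_verified`, and the constructed `hello` payload with its digest, are the example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example (not part of the GHA-SEC009 rule page): verify a downloaded file
# against a digest pinned in the workflow before anything executes it.
set -euo pipefail

# Hex SHA-256 of a file; falls back to shasum where GNU sha256sum is absent.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 if the file's digest equals the pinned one, 1 otherwise.
# Rejects placeholders and truncated pins: only a 64-hex-character SHA-256 is accepted,
# so a leftover "abcd1234" in the workflow fails closed instead of silently passing.
verify_sha256() {
  local file="$1" expected="$2" actual
  expected="$(printf '%s' "$expected" | tr 'A-F' 'a-f')"
  case "$expected" in
    ""|*[!0-9a-f]*) echo "pinned digest is not hex: '$expected'" >&2; return 1 ;;
  esac
  if [ "${#expected}" -ne 64 ]; then
    echo "pinned digest must be 64 hex characters, got ${#expected}" >&2
    return 1
  fi
  actual="$(sha256_of "$file")"
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    return 1
  fi
  return 0
}

# Download to a temp file, verify, and only then move it into place.
# The caller executes the file only after this returns 0. (Hypothetical wrapper;
# it needs network access and is not exercised by the offline demo below.)
fetch_verified() {
  local url="$1" out="$2" expected="$3" tmp
  tmp="$(mktemp)"
  # --proto '=https' refuses plain HTTP even if the URL or a redirect asks for it.
  curl --fail --silent --show-error --location --proto '=https' --tlsv1.2 \
       -o "$tmp" "$url"
  if verify_sha256 "$tmp" "$expected"; then
    mv "$tmp" "$out"
    return 0
  fi
  rm -f "$tmp"
  return 1
}

# Offline demo on a constructed payload: "hello\n" has a well-known SHA-256.
demo() {
  local f good bad
  f="$(mktemp)"
  printf 'hello\n' > "$f"   # constructed file standing in for a downloaded script
  good=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
  bad=0000000000000000000000000000000000000000000000000000000000000000
  verify_sha256 "$f" "$good" && echo "good pin: verified, safe to run"
  verify_sha256 "$f" "$bad" 2>/dev/null || echo "bad pin: rejected (exit $?), not run"
  verify_sha256 "$f" abcd1234 2>/dev/null || echo "placeholder pin: rejected (exit $?)"
  rm -f "$f"
}

demo
```

In a workflow, `fetch_verified "$URL" script.sh "$PINNED_SHA256" && bash script.sh` keeps execution behind the check; the digest is set in the workflow file, never fetched from the same URL. For the GPG variant in the remediation list, the same shape applies: import the maintainer's key, confirm its fingerprint against the one pinned in the workflow, run `gpg --verify script.sh.asc script.sh`, and execute only on success.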