From 95c521f3747ca0a01caf1e761002a8e3210fda0e Mon Sep 17 00:00:00 2001
From: Chad Bentz <1760475+felickz@users.noreply.github.com>
Date: Mon, 18 May 2026 16:20:43 -0400
Subject: [PATCH] fix: resolve security review findings

release.yml: Move github.ref_name to env var to prevent script injection via crafted branch names (CodeQL alert #39)

sec-opengrep.yml: Verify downloaded binary against GitHub API digest (sha256). Still fetches latest release but validates integrity before execution.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/release.yml | 3 ++-
 .github/workflows/sec-opengrep.yml | 28 ++++++++++++++++++++++------
 2 files changed, 24 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index fecc456..8852da1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -103,6 +103,7 @@ jobs:
 VERSION_TAG: v${{ steps.version.outputs.major }}.${{ steps.version.outputs.minor }}.${{ steps.version.outputs.patch }}
 MAJOR_TAG: v${{ steps.version.outputs.major }}
 MINOR_TAG: v${{ steps.version.outputs.major }}.${{ steps.version.outputs.minor }}
+ REF_NAME: ${{ github.ref_name }}
 run: |
 git config user.name github-actions
 git config user.email github-actions@github.com
@@ -115,7 +116,7 @@ jobs:
 git tag "$MINOR_TAG" --force
 fi
 
- git push origin ${{ github.ref_name }}
+ git push origin "$REF_NAME"
 git push origin --tags --force
 
 # Create or update the release (supports promotion from prerelease)
diff --git a/.github/workflows/sec-opengrep.yml b/.github/workflows/sec-opengrep.yml
index 8e272a0..b0d914f 100644
--- a/.github/workflows/sec-opengrep.yml
+++ b/.github/workflows/sec-opengrep.yml
@@ -20,20 +20,36 @@ jobs:
 uses: actions/checkout@v6
 
 - name: "Download / Install Opengrep"
+ env:
+ GH_TOKEN: ${{ github.token }}
 run: |
 set -e
- echo "[+] Fetching latest Opengrep release information"
- API_URL="https://api.github.com/repos/opengrep/opengrep/releases/latest"
 ASSET_NAME="opengrep_manylinux_x86"
- DOWNLOAD_URL=$(curl -s $API_URL | jq -r ".assets[] | select(.name==\"${ASSET_NAME}\") | .browser_download_url")
+
+ # Fetch latest release metadata and extract download URL + digest
+ RELEASE_JSON=$(gh api repos/opengrep/opengrep/releases/latest)
+ DOWNLOAD_URL=$(echo "$RELEASE_JSON" | jq -r ".assets[] | select(.name==\"${ASSET_NAME}\") | .browser_download_url")
+ EXPECTED_SHA=$(echo "$RELEASE_JSON" | jq -r ".assets[] | select(.name==\"${ASSET_NAME}\") | .digest" | sed 's/sha256://')
+ VERSION=$(echo "$RELEASE_JSON" | jq -r ".tag_name")
+
 if [ -z "$DOWNLOAD_URL" ] || [ "$DOWNLOAD_URL" = "null" ]; then
- echo "Could not find download URL for $ASSET_NAME"
+ echo "::error::Could not find download URL for $ASSET_NAME"
 exit 1
 fi
- echo "[+] Downloading Opengrep from $DOWNLOAD_URL"
+
+ echo "[+] Downloading Opengrep ${VERSION} from $DOWNLOAD_URL"
 curl -sSfL -o "/usr/local/bin/opengrep" "$DOWNLOAD_URL"
+
+ # Verify integrity against API-reported digest
+ ACTUAL_SHA=$(sha256sum /usr/local/bin/opengrep | awk '{print $1}')
+ if [ "$ACTUAL_SHA" != "$EXPECTED_SHA" ]; then
+ echo "::error::SHA256 mismatch! Expected: $EXPECTED_SHA, Got: $ACTUAL_SHA"
+ exit 1
+ fi
+ echo "[+] SHA256 verified: $ACTUAL_SHA"
+
 chmod +x /usr/local/bin/opengrep
- echo "[+] Finished installing opengrep"
+ echo "[+] Finished installing opengrep ${VERSION}"
 - name: "Run Opengrep"
 run: opengrep scan --sarif-output ./results.sarif .
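Review bot: The new `EXPECTED_SHA=` line never confirms that the API actually returned a digest: when the asset's `.digest` field is missing or `null`, `jq -r` emits `null` (or nothing if the asset does not match), `sed` leaves it unchanged, and the later comparison fails with a misleading "SHA256 mismatch" error rather than saying the digest was unavailable. That is fail-closed, which is the right default, but the guard already used for `DOWNLOAD_URL` should be repeated right after the assignment: `if [ -z "$EXPECTED_SHA" ] || [ "$EXPECTED_SHA" = "null" ]; then echo "::error::No sha256 digest published for $ASSET_NAME"; exit 1; fi`. Separately, `set -e` on its own does not catch a `jq` failure inside the `jq … | sed` pipeline because only `sed`'s exit status is observed, so `set -eo pipefail` at the top of the script would close that gap. The `# Verify integrity against API-reported digest` comment would also benefit from stating that this check only proves the download matches what the GitHub API reports for the latest release, not that the release itself is trusted; pinning a release tag together with its digest in the workflow remains the stronger control, as the commit message already acknowledges.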