
fix: resolve security review findings #89

Merged: felickz merged 1 commit into main from fix/security-review-findings on May 18, 2026

Conversation

@felickz (Collaborator) commented May 18, 2026

Fixes

1. Script injection in release.yml (CodeQL alert #39)

Moved github.ref_name from direct expression interpolation in run: block to an env: variable. Prevents command injection via crafted branch names.

2. Supply chain hardening for sec-opengrep.yml

Still fetches the latest opengrep release (no version pin), but now verifies the downloaded binary against the SHA256 digest from the GitHub Releases API before execution. If the checksum doesn't match, the workflow fails.

Both findings from the security review (AI + CodeQL cross-reference).

release.yml: Move github.ref_name to env var to prevent script
injection via crafted branch names (CodeQL alert #39)

sec-opengrep.yml: Verify downloaded binary against GitHub API
digest (sha256). Still fetches latest release but validates
integrity before execution.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
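The digest check the PR describes for sec-opengrep.yml, as an added shell example that is not the PR's own workflow code. It assumes the Releases API asset objects carry a `digest` field of the form `sha256:<hex>` (a constructed sample payload stands in for the API response) and that the release lookup and download have already happened:

```shell
#!/bin/sh
# Added example, not the PR's own workflow code: verify a downloaded
# release asset against the SHA-256 digest the GitHub Releases API
# publishes for it, and refuse to execute the file on any mismatch.
set -eu

# Constructed stand-in for the "assets" array returned by
# GET /repos/{owner}/{repo}/releases/latest (assumed field name "digest",
# value "sha256:<hex>"). First digest is SHA-256 of the bytes "abc",
# the second is SHA-256 of empty input.
RELEASE_JSON='{
  "tag_name": "v0.0.0-constructed",
  "assets": [
    {"name": "opengrep_linux_x86",
     "digest": "sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"},
    {"name": "opengrep_osx_arm64",
     "digest": "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}
  ]
}'

# Hex SHA-256 of a file: sha256sum (GNU) or shasum (macOS runners).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Digest published for asset NAME, or empty if none. Each asset goes on its
# own line first so the greedy sed match cannot take another asset's digest.
expected_digest() {
  printf '%s' "$RELEASE_JSON" | tr -d '\n' \
    | awk '{ gsub(/"name":/, "\n\"name\":"); print }' \
    | grep "^\"name\": *\"$1\"" \
    | sed -n 's/.*"digest": *"sha256:\([0-9a-f]\{64\}\)".*/\1/p'
}

# verify_asset NAME FILE: 0 on match, 1 on mismatch, 2 if no digest is
# published. Only chmod/execute FILE when this returns 0.
verify_asset() {
  expected=$(expected_digest "$1")
  [ -n "$expected" ] || { echo "no sha256 digest published for $1" >&2; return 2; }
  actual=$(sha256_of "$2")
  [ "$actual" = "$expected" ] || { echo "digest mismatch for $1: expected $expected, got $actual" >&2; return 1; }
  echo "digest ok for $1"
}

# Stand-alone demo: the genuine download passes, a tampered copy is rejected.
tmp=$(mktemp -d); printf 'abc' > "$tmp/good"; printf 'abd' > "$tmp/tampered"
verify_asset opengrep_linux_x86 "$tmp/good"
if verify_asset opengrep_linux_x86 "$tmp/tampered"; then echo "BUG: tampered binary passed" >&2; exit 1; fi
rm -rf "$tmp"
```

In the workflow the same check runs between the download step and the step that marks the binary executable, so a failed comparison fails the job before anything is run.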
@felickz felickz requested a review from a team as a code owner May 18, 2026 20:22
@felickz felickz requested review from adrienpessu and Copilot May 18, 2026 20:22
github-actions bot commented May 18, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@felickz felickz merged commit a913739 into main May 18, 2026
5 of 6 checks passed
@felickz felickz deleted the fix/security-review-findings branch May 18, 2026 20:22
@felickz felickz removed the request for review from Copilot May 18, 2026 20:45
