
[oblt-aw][security] Fix SEC-032 installer integrity verification #1167

Draft
github-actions[bot] wants to merge 1 commit into main from fix/sec-032-issue-1163-535caa8d776f2f8b

Conversation

github-actions[bot] (Contributor) commented Jun 9, 2026

Closes #1163

This remediates SEC-032 in the security detector tool installer by replacing remote process-substitution execution with explicit download + cryptographic integrity verification before execution.

Plan checklist

  • Identify SEC-032 finding source and affected code path.
  • Replace remote script process substitution with local-file execution.
  • Add cryptographic integrity verification for downloaded installer script.
  • Keep source pinning for the installer script commit.
  • Update workflow documentation for the new verification behavior.
  • Validate remediation with existing scanner/tests.

Changes made

  1. scripts/obs/install_security_detector_tools.sh
    • Added ACTIONLINT_DOWNLOAD_SCRIPT_SHA256 for the pinned installer script content.
    • Replaced bash <(curl ...) with:
      • curl -o to /tmp/gh-aw/agent/download-actionlint-<sha>.bash
      • sha256sum -c - verification gate
      • local bash <file> execution only after verification succeeds
      • temp-file cleanup.
  2. docs/workflows/oblt-aw-security-detector.md
    • Updated detector workflow docs to state commit pinning + SHA-256 verification before installer execution.

Validation evidence

bash -n scripts/obs/install_security_detector_tools.sh
# no syntax errors

./scripts/obs/security-scan.sh . | grep -E 'SEC-032|install_security_detector_tools.sh' || true
# no matches

npm test --silent
# 17 passed

/tmp/gh-aw/agent/venv/bin/pytest tests/ -q
# 136 passed

Security controls confirmation

  • Least-privilege: No workflow permission scopes were broadened; remediation is limited to installer script and docs.
  • Env-indirection: No secrets/tokens are interpolated into command strings; no new secret-handling paths were introduced.

Follow-up

  • Request review from elastic/observablt-ci.
  • Keep PR in Draft until maintainers confirm the policy/triage requirements are fully satisfied for this issue.

Note

🔒 Integrity filter blocked 20 items

The following items were blocked because they don't meet the GitHub integrity level.


To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

From workflow: Observability Agentic Workflow — Issues

Closes #1163

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
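The download-then-verify-then-execute gate the description outlines, as an added shell example that is not the PR's own scripts/obs/install_security_detector_tools.sh: the network fetch is replaced by a constructed installer body so it runs offline, and the pin is computed from that body here, whereas the real script commits ACTIONLINT_DOWNLOAD_SCRIPT_SHA256 as a reviewed literal. The function names, temp path and URL are assumptions.

```shell
#!/usr/bin/env bash
# Added example: download, verify SHA-256 against a pinned value, then execute.
# This replaces the `bash <(curl ...)` pattern, which runs whatever the server
# returned with no opportunity to check it first.
set -eu

# Constructed installer body standing in for the remote script (assumption).
CONSTRUCTED_INSTALLER='#!/usr/bin/env bash
echo "constructed installer ran"
'

# Use coreutils sha256sum where present, Perl shasum otherwise (macOS).
sha256_tool() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# The pin. Computed here only so the example is self-contained; in the real
# installer this is a literal committed next to the pinned script commit.
EXPECTED_SHA256="$(printf '%s' "$CONSTRUCTED_INSTALLER" | sha256_tool | cut -d' ' -f1)"

# Stand-in for `curl -fsSL -o "$dest" "$url"`: writes the constructed body.
fetch_installer() {  # fetch_installer <url> <dest>
  printf '%s' "$CONSTRUCTED_INSTALLER" > "$2"
}

# Verification gate. Executes the file only if its digest matches the pin;
# returns 1 without executing otherwise. The temp file is removed either way.
verify_and_run() {  # verify_and_run <path> <expected_sha256>
  local file="$1" expected="$2"
  if ! printf '%s  %s\n' "$expected" "$file" | sha256_tool -c --status -; then
    echo "integrity check failed for $file; refusing to execute" >&2
    rm -f "$file"
    return 1
  fi
  bash "$file"
  rm -f "$file"
}

# End-to-end: fetch to a private temp path, then gate execution on the pin.
install_pinned() {  # install_pinned <url> <expected_sha256>
  local dest
  dest="$(mktemp "${TMPDIR:-/tmp}/download-installer-XXXXXX")"
  fetch_installer "$1" "$dest"
  verify_and_run "$dest" "$2"
}
```

A single appended byte in the fetched file changes the digest and the gate refuses to run it, which is the property the `bash <(curl ...)` form could not provide.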

Successfully merging this pull request may close these issues.

[oblt-aw][security] SEC-032 — findings (2026-06-09)
