Problem
template/.github/workflows/ci.yml.jinja (line 88) installs the CodeScene coverage tool by piping an unversioned, externally-hosted shell script directly into bash:
curl -fsSL https://downloads.codescene.io/enterprise/cli/install-cs-coverage-tool.sh | bash -s -- -y
This pattern is a security and reproducibility concern: the script content is not pinned, not checksum-verified, and executes with full shell privileges. A compromised or altered upstream script would run undetected in every generated project's CI pipeline.
Proposed alternatives
- Pin to a specific version/SHA and verify a published checksum before executing.
- Use a versioned GitHub Action provided by CodeScene if one exists.
- Download the script to a temporary file, verify its checksum, then execute.
Context
Flagged during review of PR #10 (#10). Deferred from that PR as out of scope.
/cc @leynos
Problem
template/.github/workflows/ci.yml.jinja(line 88) installs the CodeScene coverage tool by piping an unversioned, externally-hosted shell script directly intobash:curl -fsSL https://downloads.codescene.io/enterprise/cli/install-cs-coverage-tool.sh | bash -s -- -yThis pattern is a security and reproducibility concern: the script content is not pinned, not checksum-verified, and executes with full shell privileges. A compromised or altered upstream script would run undetected in every generated project's CI pipeline.
Proposed alternatives
Context
Flagged during review of PR #10 (#10). Deferred from that PR as out of scope.
/cc @leynos