Skip to content

Replace curl-pipe-bash installer in generated CI workflow with a safer alternative #11

Description

@coderabbitai

Problem

template/.github/workflows/ci.yml.jinja (line 88) installs the CodeScene coverage tool by piping an unversioned, externally-hosted shell script directly into bash:

curl -fsSL https://downloads.codescene.io/enterprise/cli/install-cs-coverage-tool.sh | bash -s -- -y

This pattern is a security and reproducibility concern: the script content is not pinned, not checksum-verified, and executes with full shell privileges. A compromised or altered upstream script would run undetected in every generated project's CI pipeline.

Proposed alternatives

  • Pin to a specific version/SHA and verify a published checksum before executing.
  • Use a versioned GitHub Action provided by CodeScene if one exists.
  • Download the script to a temporary file, verify its checksum, then execute.

Context

Flagged during review of PR #10 (#10). Deferred from that PR as out of scope.

/cc @leynos

Metadata

Metadata

Assignees

Labels

No labels
No labels

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions