From 4cc1e3bfb5662b1f941f3c8677f185e62fa71017 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 27 May 2026 07:59:35 +0000 Subject: [PATCH] [oblt-aw][security] Fix SEC-032 actionlint download integrity Add SHA-256 verification for the pinned actionlint installer script before execution and remove process substitution download execution. Update detector docs to reflect verification behavior. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- docs/workflows/gh-aw-security-detector.md | 2 +- scripts/obs/install_security_detector_tools.sh | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/docs/workflows/gh-aw-security-detector.md b/docs/workflows/gh-aw-security-detector.md index 54e086f0..54b0b420 100644 --- a/docs/workflows/gh-aw-security-detector.md +++ b/docs/workflows/gh-aw-security-detector.md 
@@ -21,7 +21,7 @@ Single job **scan**: 1. Checks out the **calling** repository into `target/` (the consumer workspace to scan). 2. Checks out **[elastic/oblt-aw](https://github.com/elastic/oblt-aw)** at ref `main` into `_oblt-aw/` so host scripts exist on the runner; detector scripts are not copied into consumer repos. -3. Installs **shellcheck**, **jq**, **curl**, **pip**, **actionlint** (pinned via upstream download script), **zizmor**, and **semgrep** (registry rules downloaded on first use). +3. Installs **shellcheck**, **jq**, **curl**, **pip**, **actionlint** (download script pinned to commit and verified with SHA-256 before execution), **zizmor**, and **semgrep** (registry rules downloaded on first use). 4. Optionally uses **actions/setup-node** when `target/**/package-lock.json` exists so **npm audit** can run for SEC-033. 5. Runs `_oblt-aw/scripts/obs/security-scan.sh` with argument `target`, which emits findings as `file|line|rule|severity|message` (actionlint + zizmor + semgrep + shellcheck + custom heuristics + npm audit, with per-file/line deduplication). 6. When there are findings, creates an ephemeral token then runs `_oblt-aw/scripts/obs/create-security-issues.sh` to open issues in **the caller** (`github.repository`) with label `oblt-aw/detector/security`. Findings are **grouped by rule (SEC id)**: **one issue per rule** per run, not one issue per line. The issue **title** is `[oblt-aw][security] — findings ()`, where the date is the analysis date (UTC calendar day; the workflow sets `SECURITY_SCAN_DATE` when creating issues). The **body** lists every occurrence for that rule (file, line, severity, message). The current issue-creation step does **not** emit `oblt-aw/severity/*` labels; severity is represented in the issue body and mapped in [Security Scanning Ruleset → Severity Levels](security-scanning-ruleset.md#severity-levels). 
diff --git a/scripts/obs/install_security_detector_tools.sh b/scripts/obs/install_security_detector_tools.sh index 9c068975..770ba8d8 100755 --- a/scripts/obs/install_security_detector_tools.sh +++ b/scripts/obs/install_security_detector_tools.sh @@ -25,6 +25,12 @@ mkdir -p "$HOME/bin/actionlint" cd "$HOME/bin/actionlint" # Installer script pinned to commit (v1.7.11 tag); bump SHA when upgrading actionlint. ACTIONLINT_DOWNLOAD_SCRIPT_SHA=393031adb9afb225ee52ae2ccd7a5af5525e03e8 +ACTIONLINT_DOWNLOAD_SCRIPT_SHA256=6ea5eefacaea8c73b9ef8ea6947c2946b5d7d8af24b0f3e629ac7b42e17a7dfb ACTIONLINT_VERSION=1.7.11 -bash <(curl -fsSL "https://raw.githubusercontent.com/rhysd/actionlint/${ACTIONLINT_DOWNLOAD_SCRIPT_SHA}/scripts/download-actionlint.bash") "${ACTIONLINT_VERSION}" +curl -fsSL \ + "https://raw.githubusercontent.com/rhysd/actionlint/${ACTIONLINT_DOWNLOAD_SCRIPT_SHA}/scripts/download-actionlint.bash" \ + -o download-actionlint.bash +echo "${ACTIONLINT_DOWNLOAD_SCRIPT_SHA256} download-actionlint.bash" | sha256sum -c - +bash ./download-actionlint.bash "${ACTIONLINT_VERSION}" +rm -f ./download-actionlint.bash echo "$HOME/bin/actionlint" >> "$GITHUB_PATH"
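Review bot: the reworded step 3 in docs/workflows/gh-aw-security-detector.md says the actionlint download script is "verified with SHA-256 before execution" but does not say where the expected digest lives or what happens on a mismatch, which is what a maintainer upgrading actionlint needs to know. Suggest pointing at `ACTIONLINT_DOWNLOAD_SCRIPT_SHA256` in `scripts/obs/install_security_detector_tools.sh` and stating that the installer is not executed if the digest does not match, so the doc line and the script stay in step.

Review bot: in scripts/obs/install_security_detector_tools.sh the checksum line `echo "${ACTIONLINT_DOWNLOAD_SCRIPT_SHA256} download-actionlint.bash" | sha256sum -c -` has no explicit failure handling, and the context shown does not include `set -e` or `set -o pipefail`; if the script does not run under them, a mismatch only prints `FAILED` and the very next line `bash ./download-actionlint.bash "${ACTIONLINT_VERSION}"` still executes, which defeats the point of the change. Make the abort explicit so it does not depend on shell options set elsewhere, e.g. `echo "${ACTIONLINT_DOWNLOAD_SCRIPT_SHA256}  download-actionlint.bash" | sha256sum -c - || { echo "actionlint installer checksum mismatch" >&2; exit 1; }`. Two smaller points in the same hunk: the unchanged comment `# Installer script pinned to commit (v1.7.11 tag); bump SHA when upgrading actionlint.` should now say to bump both the commit SHA and `ACTIONLINT_DOWNLOAD_SCRIPT_SHA256` together, since bumping only the pin will fail the new check; and the check-file format is canonically digest, two spaces, filename (GNU coreutils tolerates the single space used here, but busybox's `sha256sum -c` rejects it as an improperly formatted line).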