
[oblt-aw][security] Fix SEC-032 installer integrity verification#982

Draft
github-actions[bot] wants to merge 1 commit into main from sec-032-installer-checksum-978-71d294be7245081c

Conversation

@github-actions
Contributor

Closes #978

This remediates SEC-032 in scripts/obs/install_security_detector_tools.sh by removing process-substitution execution of remote content and enforcing SHA-256 verification before running the installer.

Completed plan steps

  • Identify SEC-032 finding in the installer path
  • Replace bash <(curl ...) with explicit file download
  • Add cryptographic integrity check before execution
  • Execute installer only after checksum verification succeeds
  • Remove temporary downloaded installer file
  • Re-run validation commands and confirm SEC-032 no longer reports for this script

Implementation details

  • Updated scripts/obs/install_security_detector_tools.sh:
    • Added pinned checksum variable: ACTIONLINT_DOWNLOAD_SCRIPT_SHA256
    • Download installer script to /tmp/gh-aw/agent/download-actionlint.bash
    • Verify checksum via sha256sum -c -
    • Execute installer using local verified file
    • Delete temporary installer file after execution

Validation evidence

bash -n scripts/obs/install_security_detector_tools.sh
# (no output)

./scripts/obs/security-scan.sh . | grep 'SEC-032' || true
# (no output)

npm test --silent
✔ validateAutomergePr returns not ok for invalid pr number (1.137601ms)
✔ validateAutomergePr returns not ok when author not allowed (0.337029ms)
✔ validateAutomergePr returns not ok without merge-ready label (0.250217ms)
✔ validateAutomergePr returns not ok for draft, fork, or same ref (0.92805ms)
✔ validateAutomergePr returns ok when all gates pass (0.272999ms)
✔ validateAutomergePr allows elastic-vault-github-plugin-prod[bot] (0.193791ms)
i tests 6
i pass 6
i fail 0

/tmp/gh-aw/agent/venv/bin/pytest tests/ -q
91 passed in 0.17s

Security controls confirmation

  • Least-privilege: No workflow permission scopes were expanded; change is limited to installer script integrity checks.
  • Env-indirection: No secrets/tokens were added or interpolated into command strings.

Note

🔒 Integrity filter blocked 25 items

The following items were blocked because they don't meet the GitHub integrity level.

  • #978 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • [oblt-aw][security] SEC-032 — findings (2026-05-20) #978 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #978 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #966 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #951 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #937 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #928 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #916 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #903 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #888 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #872 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #858 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • [oblt-aw][security] SEC-043 — findings (2026-05-20) #979 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • [oblt-aw][security] SEC-032 — findings (2026-05-20) #978 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • [oblt-aw][security] SEC-031 — findings (2026-05-20) #977 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • [oblt-aw][security] SEC-030 — findings (2026-05-20) #976 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • ... and 9 more items

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

From workflow: Observability Agentic Workflow Entrypoint
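The download, verify, execute, delete sequence described in the implementation details above, as an added example that is not the repository's `install_security_detector_tools.sh`: `verify_and_run`, `demo_genuine` and `demo_tampered` are assumed names, and the installer files are constructed locally so nothing is fetched over the network.

```shell
#!/usr/bin/env bash
# Added example (not the project's script): the SEC-032 remediation pattern,
# replacing `bash <(curl ...)` with a verified local file.
set -eu

# verify_and_run FILE EXPECTED_SHA256 [ARGS...]
# Executes FILE with bash only if its SHA-256 matches EXPECTED_SHA256.
# FILE is deleted afterwards in both the success and the mismatch case.
# Returns 0 when verified and executed, 1 on mismatch (nothing is run).
verify_and_run() {
  file="$1"; expected="$2"; shift 2
  status=0
  # sha256sum -c reads "<hash>  <path>" from stdin; the two spaces are required.
  if printf '%s  %s\n' "$expected" "$file" | sha256sum --status -c -; then
    bash "$file" "$@" || status=$?
  else
    echo "checksum mismatch for $file; refusing to execute" >&2
    status=1
  fi
  rm -f "$file"
  return "$status"
}

# Builds a constructed "known-good" installer in $tmp and prints its pinned hash.
make_pinned_installer() {
  tmp="$1"
  printf 'touch "%s/marker"\n' "$tmp" > "$tmp/good.bash"
  sha256sum "$tmp/good.bash" | cut -d' ' -f1
}

# Returns 0 if a genuine copy is verified, executed (marker created) and removed.
demo_genuine() {
  tmp="$(mktemp -d)"; pin="$(make_pinned_installer "$tmp")"
  cp "$tmp/good.bash" "$tmp/download.bash"          # the "downloaded" file
  verify_and_run "$tmp/download.bash" "$pin" || true
  ok=1; [ -f "$tmp/marker" ] && [ ! -f "$tmp/download.bash" ] && ok=0
  rm -rf "$tmp"; return "$ok"
}

# Returns 0 if a copy modified in transit is rejected, never run, and removed.
demo_tampered() {
  tmp="$(mktemp -d)"; pin="$(make_pinned_installer "$tmp")"
  printf 'touch "%s/marker"\necho extra\n' "$tmp" > "$tmp/download.bash"
  ok=1
  if ! verify_and_run "$tmp/download.bash" "$pin" 2>/dev/null; then
    [ ! -f "$tmp/marker" ] && [ ! -f "$tmp/download.bash" ] && ok=0
  fi
  rm -rf "$tmp"; return "$ok"
}
```

In the real script the pinned value is the `ACTIONLINT_DOWNLOAD_SCRIPT_SHA256` variable and the file is the explicitly downloaded copy under `/tmp/gh-aw/agent/`; the checksum line is compared before any byte of the installer is interpreted.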

Remediate SEC-032 by replacing process-substitution curl execution with an explicit download, SHA-256 verification, and then installer execution.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>


Development

Successfully merging this pull request may close these issues.

[oblt-aw][security] SEC-032 — findings (2026-05-20)
