ci(pre-commit): fetch Trivy installer from pinned release tag #1238

cristim wants to merge 1 commit into
The Install Trivy step fetched contrib/install.sh from the mutable main branch of aquasecurity/trivy and piped it straight into sh, so a malicious or accidental change to that script on main would execute arbitrary code on the CI runner, the exact supply-chain weakness the adjacent tflint step already guards against. Fetch the installer from the same pinned release tag as the Trivy binary (v0.69.3, via a TRIVY_VERSION env var so the pin lives in one place), download it to a file before executing it, and use curl -fsSL with set -euo pipefail so transport errors fail loudly instead of feeding an HTML error page into sh. This matches the tflint installer pattern in the same workflow. Verified with actionlint and by running the pinned-tag installer end-to-end with the same arguments (installs trivy 0.69.3). Closes #1187
Adversarial review notes

Reviewed this as a CI supply-chain surface (any code path that lands an installer script on the runner is a CI compromise vector).

Findings: No actionable changes needed. The fix is sound and matches the tflint pattern already in this workflow. Walked the supply chain end-to-end:

Considered, no change needed

Out-of-scope follow-ups: None. The PR's scope is exactly the INF-07 closure — leaving the broader CI red surface for the workflows that own those checks. CR re-requested.
Problem

Code-review finding INF-07 (#1187): the `Install Trivy` step in `.github/workflows/pre-commit.yml` fetched `contrib/install.sh` from the mutable `main` branch of aquasecurity/trivy and piped it straight into `sh`:

A compromised or accidentally broken `install.sh` on trivy `main` would execute arbitrary code on the CI runner, the exact supply-chain weakness the adjacent tflint step in the same workflow already guards against by pinning its installer to a release tag.

Fix

- Fetch the installer from the same pinned release tag as the Trivy binary (`v0.69.3`), introduced as a single `TRIVY_VERSION` env var so the pin lives in one place.
- Download it to a file before executing it with `sh`, matching the tflint installer pattern.
- Use `curl -fsSL` plus `set -euo pipefail` so transport errors fail loudly instead of feeding an HTML error page into the shell.

Test evidence

- `actionlint .github/workflows/pre-commit.yml` passes.
- Verified that `contrib/install.sh` exists at the `v0.69.3` tag and ran the pinned-tag installer end-to-end with the same arguments (`sh install.sh -b <dir> v0.69.3`); it installed a working `trivy` reporting `Version: 0.69.3`.

Closes #1187
🤖 Generated with claude-flow
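The hardened installer fetch the PR describes (pinned tag, download to a file before executing, `curl -fsSL` with fail-fast shell options), written out as an added example in the shape of a workflow `run:` step body. This is illustrative code, not the PR's own workflow change: the function names, the `vX.Y.Z` tag check, and the `TRIVY_INSTALL_DIR` trigger variable are assumptions of this example; `TRIVY_VERSION`, the `v0.69.3` pin, the raw GitHub URL path `contrib/install.sh` and the `-b <dir> <version>` installer arguments come from the PR text.

```shell
#!/bin/sh
# Added example (not the PR's workflow code): fetch the Trivy installer from a
# pinned release tag, save it to a file, and only then run it.
set -eu
# The PR uses `set -euo pipefail` under bash; pipefail is enabled here only
# where the shell supports it so the script also runs under POSIX sh.
(set -o pipefail) 2>/dev/null && set -o pipefail

# Single place for the pin; the workflow `env:` block would normally set this.
TRIVY_VERSION="${TRIVY_VERSION:-v0.69.3}"

# Build the URL for contrib/install.sh at a release tag rather than the mutable
# main branch. Refuses anything that is not a vX.Y.Z tag (assumed check), so an
# empty or "main" value cannot silently reintroduce the weakness.
trivy_installer_url() {
    ver="$1"
    case "$ver" in
        v[0-9]*.[0-9]*.[0-9]*) ;;
        *) echo "refusing unpinned ref: '$ver'" >&2; return 1 ;;
    esac
    printf 'https://raw.githubusercontent.com/aquasecurity/trivy/%s/contrib/install.sh\n' "$ver"
}

# Download the installer to a file first. -f makes curl exit non-zero on an HTTP
# error, so an HTML error page never reaches sh; -sS stays quiet but still
# reports failures; -L follows redirects. On failure no partial file is left.
fetch_installer() {
    url="$1"
    out="$2"
    if ! curl -fsSL "$url" -o "$out"; then
        rm -f "$out"
        echo "download of $url failed" >&2
        return 1
    fi
    if [ ! -s "$out" ]; then
        rm -f "$out"
        echo "downloaded installer is empty" >&2
        return 1
    fi
}

# Install trivy into $1 with the pinned installer and the same pinned version,
# mirroring the PR's `sh install.sh -b <dir> v0.69.3`.
install_trivy() {
    bindir="$1"
    tmp="$(mktemp)"
    url="$(trivy_installer_url "$TRIVY_VERSION")" || { rm -f "$tmp"; return 1; }
    fetch_installer "$url" "$tmp" || { rm -f "$tmp"; return 1; }
    if sh "$tmp" -b "$bindir" "$TRIVY_VERSION"; then rc=0; else rc=$?; fi
    rm -f "$tmp"
    return "$rc"
}

# Only perform the real (network) install when the caller opts in, e.g.
#   TRIVY_INSTALL_DIR="$RUNNER_TEMP/bin" sh install-trivy.sh
if [ -n "${TRIVY_INSTALL_DIR:-}" ]; then
    install_trivy "$TRIVY_INSTALL_DIR"
fi
```

The two properties the PR relies on are separated on purpose: `trivy_installer_url` guarantees the ref is a tag and never `main`, and `fetch_installer` guarantees that nothing curl could not fetch cleanly is ever handed to `sh`.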