
add condition to prevent fips image creation on release

ea4f697
Merged

Merging to release-5.10: Gromit sync with tyk repo TT-16131 (#7542) #7551

probelabs / Visor: security succeeded Nov 19, 2025 in 4m 52s

✅ Check Passed (Warnings Found)

security check passed. Found 1 warning, but fail_if condition was not met.

Details

📊 Summary

  • Total Issues: 1
  • Warning Issues: 1

Issues by Category

Security (1)

  • ⚠️ .github/workflows/release.yml:491 - The upgrade test workflow pipes a script from packagecloud.io directly to bash. This curl | bash pattern introduces a supply chain risk. If the packagecloud.io repository or the connection to it is compromised, arbitrary code could be executed within the CI runner. While this is in a test environment, it's a practice that should be avoided.


Annotations

Check warning on line 492 in .github/workflows/release.yml


probelabs / Visor: security

security Issue

The upgrade test workflow pipes a script from `packagecloud.io` directly to `bash`. This `curl | bash` pattern introduces a supply chain risk. If the `packagecloud.io` repository or the connection to it is compromised, arbitrary code could be executed within the CI runner. While this is in a test environment, it's a practice that should be avoided.
Raw output
Download the script, verify its integrity (e.g., via a checksum), and then execute it. This prevents execution of a tampered script. For example: `curl -fsSL -o script.deb.sh ... && sha256sum -c script.sha256 && bash script.deb.sh`.