Add checksum verification for trivy downloads #108

Open
volker-fr wants to merge 1 commit into reviewdog:main from volker-fr:main

Conversation

volker-fr commented May 11, 2026

Proposed Change: Enforce Checksum Verification for Trivy Binaries
Problem:

Currently, the action downloads the Trivy binary without verifying its integrity. Since GitHub releases can be deleted and re-created, this poses a supply chain risk. There have been documented supply chain attacks targeting Trivy in the past.

Proposed Solutions:

Checksum Feature Flag: Allow users to provide a known SHA256 checksum via a GitHub Action input. Mainly for new versions not covered in the hardcoded checksum list.

Hardcoded Checksum List: Maintain a local mapping of versions to SHA256 checksums within the action logic.

Implementation Note:

To ensure 100% coverage using a local manifest, the Trivy version must be pinned. Using the latest tag would cause the action to fail if a new version is released that is not yet present in our local checksum list. This keeps compatibility with the existing default workflow setting.
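An added example, not code from this PR or from the reviewdog action, of how the two proposed digest sources (an action input and a hardcoded version map) can be combined in a shell step before the downloaded archive is used. The `trivy_checksum` input name, the map entry `0.0.0-example` and its all-zero digest are constructed placeholders.

```shell
# Added example (not the PR's code): verify a downloaded Trivy archive against a
# pinned SHA256 that comes from an action input or from a hardcoded version map.
set -eu

# Hardcoded version -> SHA256 map. The entry is a CONSTRUCTED placeholder, not a
# real Trivy digest; a real map is filled from upstream's published checksums.
known_checksum() {
  case "$1" in
    0.0.0-example) echo "0000000000000000000000000000000000000000000000000000000000000000" ;;
    *) echo "no pinned checksum for trivy $1; set the trivy_checksum input" >&2; return 1 ;;
  esac
}

# Portable SHA256 of a file (coreutils sha256sum or perl/BSD shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Pick the expected digest: an explicit input (hypothetical trivy_checksum) wins,
# otherwise the pinned version must be in the map; "latest" cannot be looked up.
resolve_expected() {
  version=$1; override=${2:-}
  if [ -n "$override" ]; then
    printf '%s\n' "$override"
  elif [ "$version" = latest ]; then
    echo "trivy version must be pinned (not 'latest') for checksum lookup" >&2
    return 1
  else
    known_checksum "$version"
  fi
}

# Compare the downloaded file's digest with the expected one; a mismatch fails.
verify_checksum() {
  actual=$(sha256_of "$1")
  if [ "$actual" != "$2" ]; then
    echo "checksum mismatch for $1: expected $2, got $actual" >&2
    return 1
  fi
  echo "checksum OK for $1"
}
# Demo on a constructed file standing in for the downloaded archive, with the
# digest supplied through the input path (version not in the map).
tmp=$(mktemp)
printf 'constructed trivy archive\n' > "$tmp"
verify_checksum "$tmp" "$(resolve_expected 0.99.0 "$(sha256_of "$tmp")")"
rm -f "$tmp"
```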
