
chore(security): pin gitleaks 8.30.1 with sha256 verification #23

Merged: heznpc merged 1 commit into main from chore/pin-gitleaks on May 2, 2026

Conversation

@heznpc heznpc (Member) commented May 2, 2026

From the 2026-05-01 audit (P0.3).

Every CI run was downloading whatever the GitHub releases API resolved as gitleaks/releases/latest at request time, no integrity check. A registry compromise or a tag-rewrite attack on gitleaks/gitleaks would silently swap the binary executed against our source tree.

Change

Replace the floating curl + grep + tar block with a version- and SHA256-pinned download. Bumping the version forces an explicit checksum update (visible in PR review).

GITLEAKS_VERSION: 8.30.1
GITLEAKS_SHA256: 551f6fc83ea457d62a0d98237cbad105af8d557003051f41f3e7ca7b3f2470eb

Test plan

  • CI green (gitleaks 8.30.1 download + verify + scan still passes)

Replace 'curl latest release' with a version- and checksum-pinned download.
Removes the implicit trust in whatever 'latest' resolved to at CI time and
makes the checksum bump-block visible in PR review when the version moves.

Checksum from:
  https://github.com/gitleaks/gitleaks/releases/download/v8.30.1/gitleaks_8.30.1_checksums.txt
@heznpc heznpc merged commit 39612d0 into main May 2, 2026
1 check passed
@heznpc heznpc deleted the chore/pin-gitleaks branch May 2, 2026 01:43
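The pinned download the PR describes, written out as a CI shell step. This is an added example, not the repository's own workflow or the merged change: the version and checksum are the values from the PR, the tarball name (gitleaks_8.30.1_linux_x64.tar.gz) and the install location are assumptions, and the PR does not say which release asset the pinned hash belongs to.

```shell
#!/usr/bin/env bash
# Added example: version- and SHA256-pinned gitleaks download that fails closed
# on a mismatch. Version/checksum come from the PR; the asset name is assumed
# (the PR does not say which asset the pinned hash covers).
set -eu

GITLEAKS_VERSION="8.30.1"
GITLEAKS_SHA256="551f6fc83ea457d62a0d98237cbad105af8d557003051f41f3e7ca7b3f2470eb"
GITLEAKS_ASSET="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"   # assumed asset name
GITLEAKS_URL="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/${GITLEAKS_ASSET}"

# sha256_of FILE: print the hex digest with whichever tool the runner has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 FILE EXPECTED: exit 0 if FILE hashes to EXPECTED, 1 otherwise.
verify_sha256() {
  local actual
  actual="$(sha256_of "$1")"
  if [ "$actual" != "$2" ]; then
    echo "sha256 mismatch for $1: expected $2, got $actual" >&2
    return 1
  fi
}

# pinned_download URL DEST EXPECTED: fetch to a temp file and move it to DEST
# only after the digest matches, so an unverified file never lands in place.
pinned_download() {
  local tmp
  tmp="$(mktemp)"
  curl -fsSL --retry 3 -o "$tmp" "$1"
  if ! verify_sha256 "$tmp" "$3"; then
    rm -f "$tmp"
    return 1
  fi
  mv "$tmp" "$2"
}

# install_gitleaks BINDIR: the CI step that replaces the old releases/latest lookup.
install_gitleaks() {
  pinned_download "$GITLEAKS_URL" "/tmp/${GITLEAKS_ASSET}" "$GITLEAKS_SHA256"
  tar -xzf "/tmp/${GITLEAKS_ASSET}" -C "$1" gitleaks
}

if [ "${1:-}" = "install" ]; then install_gitleaks "${2:-/usr/local/bin}"; fi
```

Bumping GITLEAKS_VERSION without updating GITLEAKS_SHA256 makes verify_sha256 fail and the job stop, which is the reviewable checksum bump the PR describes.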