Skip to content

security: pin the gitleaks download with a SHA-256 checksum#483

Open
jeremy wants to merge 1 commit into
security/05-perms-and-exec-argsfrom
security/06-supply-chain-ci
Open

security: pin the gitleaks download with a SHA-256 checksum#483
jeremy wants to merge 1 commit into
security/05-perms-and-exec-argsfrom
security/06-supply-chain-ci

Conversation

@jeremy

@jeremy jeremy commented May 30, 2026

Copy link
Copy Markdown
Member

Pin the gitleaks download with a SHA-256 checksum

(Threat: T5 supply chain — an unpinned release download means a compromised or tampered gitleaks release asset executes in CI.)

  • gitleaks pinning: the secret-scanning workflow now verifies the gitleaks release tarball against a pinned SHA-256 (from the release checksums.txt) before installing it:

    env:
      GITLEAKS_VERSION: 8.21.2
      GITLEAKS_SHA256: 5bc41815076e6ed6ef8fbecc9d9b75bcae31f39029ceb55da08086315316e3ba
    run: |
      curl -sSfL -o gitleaks.tar.gz "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
      echo "${GITLEAKS_SHA256}  gitleaks.tar.gz" | sha256sum -c -
      tar -xzf gitleaks.tar.gz gitleaks
  • gosec gate (unchanged, rationale documented): the standalone gosec scan stays advisory (-no-fail, with full SARIF upload to the Security tab). Its enforcing counterpart is golangci-lint (make lint), which honors the repo's per-site //nolint:gosec suppressions; the standalone binary can't read those, and globally excluding rule IDs (e.g. G101/G204) to make it hard-fail would blind release scans to new hard-coded creds / unsafe exec.

History

This PR originally also set toolchain go1.26.3 and bumped golang.org/x/net to v0.55.0 / golang.org/x/term to v0.43.0, taking govulncheck ./... from 6 reachable advisories to "No vulnerabilities found." Main has since independently moved to go 1.26.5 with those same dependency versions, so after rebasing onto current main the dependency changes are subsumed and only the gitleaks pin remains.


Part 6/6 of the stacked security series. Base: security/05-perms-and-exec-args.

📚 Stack (merge bottom-up)

  1. security: reject foreign-host URLs in api to prevent token leak #478 — reject foreign-host URLs in api (base main)
  2. security: strip ANSI/OSC escapes from API-controlled output #479 — strip ANSI/OSC escapes from output
  3. security: harden OAuth discovery and token endpoints #480 — harden OAuth discovery / token endpoints
  4. security: close config trust-boundary gaps and gate completion loader #481 — close config trust-boundary gaps + completion gate
  5. security: tighten config-dir perms and validate plugin scope argv #482 — tighten config-dir perms + plugin scope argv
  6. security: pin the gitleaks download with a SHA-256 checksum #483 — pin the gitleaks download with a SHA-256 checksum

Each is independent except #482 depends on #481 (shared root.go). #478 can land first/alone.


Summary by cubic

Pins and verifies the gitleaks v8.21.2 Linux tarball in CI using the release’s SHA-256 before extraction, preventing swapped or tampered downloads in the secret-scanning workflow. The gosec step remains advisory (-no-fail) with SARIF upload; enforcement continues via golangci-lint.

Written for commit 1af8f25. Summary will update on new commits.

Review in cubic

Copilot AI review requested due to automatic review settings May 30, 2026 05:58
@github-actions github-actions Bot added ci CI/CD workflows deps labels May 30, 2026
@github-actions

github-actions Bot commented May 30, 2026

Copy link
Copy Markdown

Sensitive Change Detection (shadow mode)

This PR modifies control-plane files:

  • .github/workflows/security.yml

Shadow mode — this check is informational only. When activated, changes to these paths will require approval from a maintainer.

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 3 files

Re-trigger cubic

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: feaed83814

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/security.yml Outdated

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR upgrades the Go toolchain/dependencies to address reported CVEs and strengthens the CI security workflow by making security scanners more tamper-resistant and stricter.

Tip

If you aren't ready for review, convert to a draft PR.
Click "Convert to draft" or run gh pr ready --undo.
Click "Ready for review" or run gh pr ready to reengage.

Changes:

  • Add toolchain go1.26.3 and bump golang.org/x/net (and related indirect sums) to newer patched versions.
  • Harden gitleaks installation in CI by verifying the downloaded release tarball against a pinned SHA-256.
  • Tighten the standalone gosec CI job by removing -no-fail and excluding the existing accepted baseline rule set.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

File Description
go.mod Pins the Go toolchain and bumps indirect x/net / x/term versions.
go.sum Updates module checksums to match the bumped indirect dependencies.
.github/workflows/security.yml Hardens gitleaks install via checksum verification and turns gosec into a failing gate.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/security.yml Outdated
@jeremy jeremy force-pushed the security/05-perms-and-exec-args branch from e4a7a62 to a3ff017 Compare May 30, 2026 06:05
@jeremy jeremy force-pushed the security/06-supply-chain-ci branch from feaed83 to 3d62a58 Compare May 30, 2026 06:05
@jeremy jeremy force-pushed the security/05-perms-and-exec-args branch from a3ff017 to c1d95a4 Compare May 30, 2026 06:13
Copilot AI review requested due to automatic review settings May 30, 2026 06:13
@jeremy jeremy force-pushed the security/06-supply-chain-ci branch from 3d62a58 to 54c2ef1 Compare May 30, 2026 06:13

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

Comment thread .github/workflows/security.yml

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 54c2ef1b25

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread go.mod
@jeremy jeremy force-pushed the security/05-perms-and-exec-args branch from c1d95a4 to fc26287 Compare May 30, 2026 06:24
@jeremy jeremy force-pushed the security/06-supply-chain-ci branch from 54c2ef1 to 6f3eab7 Compare May 30, 2026 06:24
@jeremy jeremy force-pushed the security/05-perms-and-exec-args branch from fc26287 to 7ae26db Compare May 30, 2026 07:51
Copilot AI review requested due to automatic review settings May 30, 2026 07:51
@jeremy jeremy force-pushed the security/06-supply-chain-ci branch from 6f3eab7 to 41c42c5 Compare May 30, 2026 07:51
@github-actions github-actions Bot added the bug Something isn't working label May 30, 2026

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

Comment thread .github/workflows/security.yml
@jeremy jeremy force-pushed the security/05-perms-and-exec-args branch from 7ae26db to 36ba2ba Compare May 30, 2026 08:27
Copilot AI review requested due to automatic review settings June 3, 2026 17:51

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

Comment thread go.mod
@robzolkos robzolkos force-pushed the security/06-supply-chain-ci branch from 6ad366d to 5522054 Compare June 3, 2026 17:55
@robzolkos

Copy link
Copy Markdown
Collaborator

We opened a small main-based PR with the minimal pieces needed to unblock main and the Nix install path: #508.

That PR intentionally limits scope to:

  • updating nixpkgs so go_1_26 provides Go 1.26.4
  • bumping golang.org/x/net / x/term to clear the current Trivy findings
  • refreshing the Nix vendorHash

Leaving the broader CI hardening/gitleaks/gosec work here for separate review.

@jeremy jeremy changed the title security: bump toolchain/x-net for CVEs and tighten CI gates security: pin the gitleaks download with a SHA-256 checksum Jul 13, 2026
@jeremy jeremy force-pushed the security/05-perms-and-exec-args branch from 4598b69 to 49bdd62 Compare July 13, 2026 22:56
Copilot AI review requested due to automatic review settings July 13, 2026 22:56
@jeremy jeremy force-pushed the security/06-supply-chain-ci branch from 5522054 to 054b4ec Compare July 13, 2026 22:56
@github-actions github-actions Bot removed the deps label Jul 13, 2026

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

@jeremy jeremy force-pushed the security/05-perms-and-exec-args branch from 49bdd62 to 5dae29c Compare July 13, 2026 23:23
Copilot AI review requested due to automatic review settings July 13, 2026 23:23
@jeremy jeremy force-pushed the security/06-supply-chain-ci branch from 054b4ec to 2f61d78 Compare July 13, 2026 23:23

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

@jeremy jeremy force-pushed the security/05-perms-and-exec-args branch from 5dae29c to 479078d Compare July 13, 2026 23:48
@jeremy jeremy force-pushed the security/06-supply-chain-ci branch from 2f61d78 to 5d8d60d Compare July 13, 2026 23:48
Copilot AI review requested due to automatic review settings July 13, 2026 23:48

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

@jeremy jeremy force-pushed the security/05-perms-and-exec-args branch from 479078d to fe86ea0 Compare July 14, 2026 00:07
Copilot AI review requested due to automatic review settings July 14, 2026 00:07
@jeremy jeremy force-pushed the security/06-supply-chain-ci branch from 5d8d60d to 26cfe5f Compare July 14, 2026 00:07

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

Verify the gitleaks release tarball against a pinned SHA-256 before
installing it in the secret-scanning workflow, so a compromised or
tampered release asset cannot execute in CI.

(Originally this PR also set toolchain go1.26.3 and bumped golang.org/x/net
to v0.55.0 to clear govulncheck-reachable advisories; main has since moved
to go 1.26.5 with those same dependency versions, so after rebasing the
dependency changes are subsumed and only the gitleaks pin remains.)

The standalone gosec scan stays advisory (-no-fail, full SARIF upload). Its
enforcing counterpart is golangci-lint (make lint), which honors the repo's
per-site //nolint:gosec suppressions; the standalone binary can't read those,
and globally excluding rule IDs (e.g. G101/G204) to make it hard-fail would
blind release scans to new hard-coded creds / unsafe exec.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

Comment on lines +31 to +33
# SHA-256 of gitleaks_8.21.2_linux_x64.tar.gz (from the release
# checksums.txt). Pinning the artifact hash prevents a tampered or
# swapped release tarball from running in CI (supply-chain guard).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ci CI/CD workflows enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants