Skip to content

Commit 6206897

Browse files
committed
ci(fix): enforce HTTPS on osv-scanner download to clear SonarCloud hotspot S6506 (#4)
1 parent 84c5540 commit 6206897

1 file changed

Lines changed: 3 additions & 1 deletion

File tree

.github/workflows/ci.yml

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -84,7 +84,9 @@ jobs:
8484
run: |
8585
set -euo pipefail
8686
mkdir -p "$RUNNER_TEMP/osv"
87-
curl -fsSL -o "$RUNNER_TEMP/osv/osv-scanner" \
87+
# --proto '=https' --tlsv1.2: enforce HTTPS through redirects too, so a
88+
# downgrade to http can never serve the binary (satisfies S6506).
89+
curl --proto '=https' --tlsv1.2 -fsSL -o "$RUNNER_TEMP/osv/osv-scanner" \
8890
"https://github.com/google/osv-scanner/releases/download/${OSV_SCANNER_VERSION}/osv-scanner_linux_amd64"
8991
chmod +x "$RUNNER_TEMP/osv/osv-scanner"
9092
echo "$RUNNER_TEMP/osv" >> "$GITHUB_PATH"

0 commit comments

Comments
 (0)