| Field | Value |
|---|---|
| Category | BEST-PRAC-1 |
| Severity | HIGH |
| Auto-fix | ✗ |
## What the check does
Flags any `run:` script (GitHub Actions and GitLab CI) that pipes a network fetch straight into an interpreter. The match is broader than a literal `curl | sh`: it also catches an intervening `sudo`, flags like `bash -s`, non-shell interpreters (`python3`, `node`), and PowerShell's `iwr … | iex`.
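The matcher described above, written out as an added example (this is not the linter's own code): the fetcher and interpreter token lists are assumptions, and the sample `run:` bodies are constructed. It joins backslash-continued lines first so a pipe on the following line is still seen.

```python
import re

# Commands that fetch over the network (left of the pipe) and interpreters that
# execute stdin (right of the pipe). Assumed token lists, not the linter's own.
FETCHERS = r"(?:curl|wget|iwr|Invoke-WebRequest)"
INTERPRETERS = r"(?:sh|bash|zsh|dash|ksh|python3?|node|perl|ruby|pwsh|iex|Invoke-Expression)"
# <fetch> ... | [sudo [-flags]] <interpreter>   (case-insensitive for PowerShell)
PIPE_TO_INTERP = re.compile(
    rf"\b{FETCHERS}\b[^|\n]*\|\s*(?:sudo\s+(?:-\S+\s+)*)?{INTERPRETERS}\b",
    re.IGNORECASE,
)


def find_pipe_to_interpreter(run_script: str) -> list[str]:
    """Return the offending logical lines of one `run:` body (empty if clean)."""
    joined = run_script.replace("\\\n", " ")  # fold shell line continuations
    hits = []
    for line in joined.splitlines():
        if line.lstrip().startswith("#"):
            continue  # shell comment, not executed
        if PIPE_TO_INTERP.search(line):
            hits.append(line.strip())
    return hits


def scan_steps(steps: dict[str, str]) -> dict[str, list[str]]:
    """Map step name -> offending lines, for steps that trip the check."""
    findings = {}
    for name, script in steps.items():
        hits = find_pipe_to_interpreter(script)
        if hits:
            findings[name] = hits
    return findings


SAMPLE_STEPS = {  # constructed `run:` bodies, not taken from a real workflow
    "install-foo": "curl -fsSL https://example.com/install.sh | sh",
    "install-bar": "wget -qO- https://example.com/bar.sh \\\n  | sudo -E bash -s -- --yes",
    "install-baz": "curl -sS https://example.com/get.py | python3 -",
    "install-win": "iwr -useb https://example.com/get.ps1 | iex",
    # Download, verify against a pinned digest, then run: not flagged.
    "verified": "curl -fsSLo install.sh https://example.com/install.sh\n"
                "echo 'PLACEHOLDER_SHA256  install.sh' | sha256sum -c -\n"
                "sh install.sh",
    "fetch-tarball": "curl -sL https://example.com/foo.tgz | tar xz",  # not an interpreter
}

if __name__ == "__main__":
    for step, lines in scan_steps(SAMPLE_STEPS).items():
        print(f"{step}: {lines}")
```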
## Why it matters
`curl https://example.com/install.sh | sh` downloads a remote script and pipes it directly into the shell. Risks:
- The remote host (or anyone on the network path) can serve different bytes on the next request.
- A compromise of the distribution endpoint becomes immediate arbitrary execution on your runner — with whatever secrets and permissions the workflow has.
- The script can detect it’s being piped (by reading file descriptors) and serve a benign version to inspectors and a malicious one to executors.
## Vulnerable example
## Safe alternatives
1. Use a pinned official action. Most popular installers publish a `setup-foo` action; pin it to a commit SHA per CICD-SEC-3.
runs-on: that image.