> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CICD-SEC-9 — Downloaded artifact has no integrity check

> curl/wget downloads of binaries or archives without a paired checksum, signature, or attestation verification.

| Field    | Value                                                                                                                                                              |
| -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Category | `CICD-SEC-9`                                                                                                                                                       |
| Severity | **MEDIUM**                                                                                                                                                         |
| OWASP    | [CICD-SEC-9: Improper Artifact Integrity Validation](https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-09-Improper-Artifact-Integrity-Validation) |
| Auto-fix | ✗                                                                                                                                                                  |

## What the check does

Flags any inline `run:` script that fetches a binary or archive with `curl` or `wget` but does not perform an integrity check in the same step. The check looks at the entire script text for the download command and then for any of:

* `sha256sum`, `sha512sum`, `shasum`
* `openssl dgst`
* `gpg --verify`
* `cosign verify`, `cosign verify-blob`, `cosign verify-attestation`
* `slsa-verifier verify`
* `gh attestation verify`
* `minisign -V`, `signify -V`

If at least one verification command is present in the step, the check passes.

File-extension filter: only downloads of binary/archive shapes are flagged (`.tar`, `.tar.gz`, `.tgz`, `.zip`, `.deb`, `.rpm`, `.pkg`, `.msi`, `.exe`, `.jar`, `.war`, `.whl`, `.gem`, `.apk`, `.so`, `.dll`, `.dylib`, `.bin`, `.run`, `.sh`, `.7z`). Fetching JSON/text or piping straight to a shell are handled by other rules (the latter is [BEST-PRAC-1](/rules/best-prac-1)).

## Why it matters

A workflow that downloads `tool.tar.gz` and immediately extracts and runs it trusts:

* That the upstream server hasn't been compromised since the workflow author last looked.
* That the TLS chain hasn't been MITM'd on the runner.
* That a typo or unicode lookalike in the URL hasn't redirected to an attacker's CDN.

Any of those can swap the binary's contents without changing its path. The artifact then runs with the workflow's `GITHUB_TOKEN` and every secret in scope — a textbook supply-chain compromise.

A checksum or signature checked **in the same step** catches all three: the bytes the runner extracted have to match a value the workflow author wrote down.

## Vulnerable example

```yaml theme={null}
- name: Install tool
  run: |
    curl -L https://example.com/tool.tar.gz -o tool.tar.gz
    tar xzf tool.tar.gz
    ./tool/bin/tool --apply
```

## Safe alternatives

**Checksum pinned in the workflow:**

```yaml theme={null}
- name: Install tool
  run: |
    curl -L https://example.com/tool.tar.gz -o tool.tar.gz
    echo "a1b2c3...  tool.tar.gz" | sha256sum -c -
    tar xzf tool.tar.gz
```

**Signature verification via cosign:**

```yaml theme={null}
- name: Install tool
  run: |
    curl -LO https://example.com/tool
    curl -LO https://example.com/tool.sig
    cosign verify-blob --signature tool.sig --certificate tool.crt tool
    install -m 0755 tool /usr/local/bin/
```

**Provenance-based verification:**

```yaml theme={null}
- name: Install tool
  run: |
    gh release download v1.2.3 --repo example/tool --pattern 'tool.tar.gz'
    gh attestation verify tool.tar.gz --owner example
    tar xzf tool.tar.gz
```
