reapply gromit config to main #254
Draft
probelabs / Visor: security
succeeded
Nov 26, 2025 in 59s
✅ Check Passed (Warnings Found)
security check passed. Found 3 warnings, but fail_if condition was not met.
Details
📊 Summary
- Total Issues: 3
- Warning Issues: 3
🔍 Failure Condition Results
Passed Conditions
- global_fail_if: Condition passed
Issues by Category
Security (3)
⚠️ .github/workflows/release.yml:343 - The reusable workflow for SBOM generation is pinned to the `main` branch (`TykTechnologies/github-actions/.github/workflows/sbom.yaml@main`). This creates a supply chain risk, as any changes pushed to that branch will be automatically used, potentially introducing malicious code or breaking changes without review in this repository's context.
⚠️ ci/Dockerfile.std:3 - The Dockerfile's base image has been changed to `debian:trixie-slim`. 'Trixie' is the current testing version of Debian and is not recommended for production use. Testing distributions are not as stable and may contain unpatched security vulnerabilities compared to the stable release.
⚠️ .github/workflows/release.yml:257 - The package installation test jobs use the `curl | bash` pattern to execute repository setup scripts from `packagecloud.io`. This is risky because a compromise of the remote server or a man-in-the-middle attack could lead to arbitrary code execution in the CI environment. This pattern is used for both .deb (line 257) and .rpm (line 303) setups.
Powered by Visor from Probelabs
💡 TIP: You can chat with Visor using /visor ask <your question>
Annotations
Check warning on line 343 in .github/workflows/release.yml
probelabs / Visor: security
security Issue
The reusable workflow for SBOM generation is pinned to the `main` branch (`TykTechnologies/github-actions/.github/workflows/sbom.yaml@main`). This creates a supply chain risk, as any changes pushed to that branch will be automatically used, potentially introducing malicious code or breaking changes without review in this repository's context.
Raw output
Pin the reusable workflow to a specific, immutable version, preferably a commit SHA, or at least a release tag (e.g., `@v1.2.3`). This ensures that the workflow is deterministic and secure.
Check warning on line 3 in ci/Dockerfile.std
probelabs / Visor: security
security Issue
The Dockerfile's base image has been changed to `debian:trixie-slim`. 'Trixie' is the current testing version of Debian and is not recommended for production use. Testing distributions are not as stable and may contain unpatched security vulnerabilities compared to the stable release.
Raw output
Use the current stable version of Debian, which is `debian:bookworm-slim`, to ensure a secure and stable base for the production image.
Check warning on line 303 in .github/workflows/release.yml
probelabs / Visor: security
security Issue
The package installation test jobs use the `curl | bash` pattern to execute repository setup scripts from `packagecloud.io`. This is risky because a compromise of the remote server or a man-in-the-middle attack could lead to arbitrary code execution in the CI environment. This pattern is used for both .deb (line 257) and .rpm (line 303) setups.
Raw output
For improved security, download the script first, then execute it. If possible, verify the script's integrity via a checksum or signature before execution. Alternatively, replicate the necessary setup steps from the script directly within the workflow file to avoid executing remote code.