UNPKG

@pkgdeps/secretlint-rule-checksum

Version:

secretlint rule that check if checking checksum.

github.com/pkgdeps/unverified-checksum-checker/tree/master/packages/secretlint-rule-checksum/

pkgdeps/unverified-checksum-checker

109 lines (67 loc) 2.43 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
# @pkgdeps/secretlint-rule-checksum [secretlint](https://github.com/secretlint/secretlint) rule that check if checking checksum. ## Install Install with [npm](https://www.npmjs.com/): npm install @pkgdeps/secretlint-rule-checksum Requirements: [secretlint](https://github.com/secretlint/secretlint) v4+ ## Usage Via `.secretlintrc.json`(Recommended) ```json { "rules": [ { "id": "@pkgdeps/secretlint-rule-checksum" } ] } ``` ## MessageIDs ### FOUND_UNVERIFIED_BINARY > found unverified binary: ${props.binary} You need to verify checksum of the executable binary. This rule found a unverified binary. Unverified binary is next definition. - Do `chmod +x binary` - And the binary is not verified by `checksum` command This rule aims to found untrusted binary that is downloaded by `curl` or `wget`. As a results, It will prevent Supply-chain attack via untrusted binary. verify-checksum-cheatsheet helps you how to verify the binary. - [pkgdeps/verify-checksum-cheatsheet: Checksum CheatSheet. You need to verify the checksum before executing the downloaded binary.](https://github.com/pkgdeps/verify-checksum-cheatsheet) ## Manual Verify This rule report some false-positive, So You can verify the binary by comment. This rule ignore the error if following comment is found around `chmod`. ```shell # {binary} is verified ``` For example, You can verify the `jq` binary by a comment. ```shell # jq is verified chmod 755 jq ``` or ```shell chmod 755 jq # jq is verified ``` ## Options - `allowBinaryNames: string[]` - Allows a list of binary name - For example, `["jq"]` ## Changelog See [Releases page](https://github.com/secretlint/secretlint/releases). ## Changelog See [Releases page](https://github.com/pkgdeps/unverified-checksum-checker/releases). ## Running tests Install devDependencies and Run `npm test`: npm test ## Contributing Pull requests and stars are always welcome. For bugs and feature requests, [please create an issue](https://github.com/pkgdeps/unverified-checksum-checker/issues). 1. Fork it! 2. Create your feature branch: `git checkout -b my-new-feature` 3. Commit your changes: `git commit -am 'Add some feature'` 4. Push to the branch: `git push origin my-new-feature` 5. Submit a pull request :D ## Author - azu: [GitHub](https://github.com/azu), [Twitter](https://twitter.com/azu_re) ## License MIT © azu