@pkgdeps/secretlint-rule-checksum

@pkgdeps/secretlint-rule-checksum

secretlint rule that check if checking checksum.

Install

Install with npm:

npm install @pkgdeps/secretlint-rule-checksum

Requirements: secretlint v4+

Usage

Via .secretlintrc.json(Recommended)

{
    "rules": [
        {
            "id": "@pkgdeps/secretlint-rule-checksum"
        }
    ]
}

MessageIDs

FOUND_UNVERIFIED_BINARY

found unverified binary: ${props.binary}

You need to verify checksum of the executable binary.

This rule found a unverified binary. Unverified binary is next definition.

• Do chmod +x binary
• And the binary is not verified by checksum command

This rule aims to found untrusted binary that is downloaded by curl or wget. As a results, It will prevent Supply-chain attack via untrusted binary.

verify-checksum-cheatsheet helps you how to verify the binary.

• pkgdeps/verify-checksum-cheatsheet: Checksum CheatSheet. You need to verify the checksum before executing the downloaded binary.

Manual Verify

This rule report some false-positive, So You can verify the binary by comment.

This rule ignore the error if following comment is found around chmod.

# {binary} is verified

For example, You can verify the jq binary by a comment.

# jq is verified
chmod 755 jq

or

chmod 755 jq # jq is verified

Options

• allowBinaryNames: string[]
  • Allows a list of binary name
  • For example, ["jq"]

Changelog

See Releases page.

Changelog

See Releases page.

Running tests

Install devDependencies and Run npm test:

npm test

Contributing

Pull requests and stars are always welcome.

For bugs and feature requests, please create an issue.

1. Fork it!
2. Create your feature branch: git checkout -b my-new-feature
3. Commit your changes: git commit -am 'Add some feature'
4. Push to the branch: git push origin my-new-feature
5. Submit a pull request :D

Author

• azu: GitHub, Twitter

License

MIT © azu

Changelog

1.3.1 (2021-11-24)

Bug Fixes

• checksum-collector: strip ' and " from binary name (ab4ba30)