[WIP] feat(security): add checksum validation infrastructure

[WilliamBerryiii]

Pull Request

Description

Introduces comprehensive checksum validation infrastructure for tool downloads and removes the audit-only harden-runner action from all workflows. This establishes a foundation for verifying the integrity of external binary downloads in CI/CD pipelines and development containers.

• feat(security): Added tool-checksums.json manifest for tracking tool versions with SHA256 checksums

  • Initial entry for gitleaks v8.18.2 with verified checksum
  • Supports staleness detection via GitHub Releases API

• feat(security): Added Get-ToolStaleness function to Test-SHAStaleness.ps1

  • Queries GitHub Releases API to detect outdated tool versions
  • Returns comparison between manifest and latest releases

• feat(security): Added shell-downloads ecosystem to Test-DependencyPinning.ps1

  • New Test-ShellDownloadSecurity function scans shell scripts for curl/wget downloads
  • Detects downloads lacking sha256sum/shasum verification within 5 lines

• feat(lib): Added Get-VerifiedDownload.ps1 helper script

  • Downloads and verifies files using SHA256 checksums
  • Supports optional extraction after verification

• feat(ci): Added npm-audit job to pr-validation.yml

  • Runs npm audit --audit-level=moderate on pull requests

• refactor(workflows): Removed harden-runner from 9 workflow files

  • dependency-pinning-scan.yml, frontmatter-validation.yml, link-lang-check.yml
  • markdown-link-check.yml, markdown-lint.yml, ps-script-analyzer.yml
  • sha-staleness-check.yml, spell-check.yml, table-format.yml

• docs(workflows): Updated README.md to remove harden-runner references

  • Removed "Network Hardening" section
  • Updated new workflow checklist guidance

• chore(security): Removed harden-runner SHA mapping from Update-ActionSHAPinning.ps1

Related Issue(s)

Fixes #105

Type of Change

Select all that apply:

Code & Documentation:

• Bug fix (non-breaking change fixing an issue)
• New feature (non-breaking change adding functionality)
• Breaking change (fix or feature causing existing functionality to change)
• Documentation update

Infrastructure & Configuration:

• GitHub Actions workflow
• Linting configuration (markdown, PowerShell, etc.)
• Security configuration
• DevContainer configuration
• Dependency update

Other:

• Script/automation (.ps1, .sh, .py)

Testing

• Ran npm run lint:ps (PSScriptAnalyzer) - all scripts pass
• Ran npm run lint:md - all markdown passes
• Verified Test-ShellDownloadSecurity correctly detects downloads with and without checksum verification

Checklist

Required Checks

• Documentation is updated (if applicable)
• Files follow existing naming conventions
• Changes are backwards compatible (if applicable)

Required Automated Checks

The following validation commands must pass before merging:

• Markdown linting: npm run lint:md
• Spell checking: npm run spell-check
• Frontmatter validation: npm run lint:frontmatter
• Link validation: npm run lint:md-links
• PowerShell analysis: npm run lint:ps

Security Considerations

• This PR does not contain any sensitive or NDA information
• Any new dependencies have been reviewed for security issues
• Security-related scripts follow the principle of least privilege

Additional Notes

• This PR layers on top of PR chore(devcontainer): enhance gitleaks installation with checksum verification #100 (devcontainer checksum verification) which uses the same gitleaks SHA256
• The Test-ShellDownloadSecurity function validates that curl/wget downloads have checksum verification, which PR chore(devcontainer): enhance gitleaks installation with checksum verification #100's on-create.sh already implements correctly

🔒 - Generated by Copilot

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

• .github/workflows/markdown-lint.yml
• .github/workflows/table-format.yml

[Copilot]

Pull request overview

This PR introduces checksum validation infrastructure for tool downloads and removes the audit-only harden-runner action from workflows. While the direction is sound, several implementation issues prevent the new infrastructure from being functional.

Key concerns:

• Get-ToolStaleness function is defined but never called
• Test-ShellDownloadSecurity function is defined but not integrated into the scanning logic
• Get-VerifiedDownload.ps1 has compatibility issues (tar.gz extraction not supported)

Reviewed changes

Copilot reviewed 16 out of 16 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
scripts/security/tool-checksums.json	New manifest for tracking tool versions with SHA256 checksums; schema reference is generic rather than project-specific
scripts/security/Test-SHAStaleness.ps1	Adds Get-ToolStaleness function for querying GitHub Releases API, but function is never invoked; version comparison uses string equality instead of semantic versioning
scripts/security/Test-DependencyPinning.ps1	Adds shell-downloads ecosystem and Test-ShellDownloadSecurity function, but not integrated into main scanning flow; regex pattern has potential false positive issues
scripts/lib/Get-VerifiedDownload.ps1	New helper for verified downloads; has critical issues with tar.gz extraction support, exit handling, and ExtractPath parameter documentation
scripts/security/Update-ActionSHAPinning.ps1	Removes harden-runner SHA mapping, consistent with workflow removals
.github/workflows/*.yml (9 files)	Cleanly removes harden-runner steps from all validation workflows
.github/workflows/pr-validation.yml	Adds npm-audit job following established patterns
.github/workflows/README.md	Updates documentation to remove harden-runner references

[Copilot]

The $schema field references a generic JSON Schema draft but should point to an actual schema file that defines the structure of this manifest. Consider creating a JSON Schema file (e.g., tool-checksums.schema.json) that validates the structure of this manifest, similar to how the codebase uses schemas for frontmatter validation (as seen in scripts/linting/schemas/).

Suggested change

	"$schema": "https://json-schema.org/draft/2020-12/schema",
	"$schema": "../linting/schemas/tool-checksums.schema.json",

[Copilot]

The download pattern '(curl|wget)\s+.*https?://[^\s]+' will match lines with curl or wget commands but may produce false positives. It doesn't account for:

1. Commented-out commands (lines starting with #)
2. Commands in strings or heredocs
3. curl/wget appearing in URLs or variable names

Consider adding a check to exclude commented lines (e.g., if ($line -match '^\s*#')) and potentially using more precise regex patterns.

[Copilot]

The version comparison $latestVersion -ne $tool.version uses simple string equality, which will incorrectly identify versions as stale. For example, "8.18.2" and "8.18.10" would be considered different using string comparison, but semantic version comparison would properly identify 8.18.10 as newer. Consider using semantic version comparison (e.g., [System.Version] casting) or a semver library to properly determine if an update is available.

Suggested change

	$isStale = $latestVersion -ne $tool.version
	try {
	$currentVerObj = [System.Version]$tool.version
	$latestVerObj = [System.Version]$latestVersion
	$isStale = $currentVerObj -lt $latestVerObj
	}
	catch {
	# Fallback to string comparison if version parsing fails
	$isStale = $latestVersion -ne $tool.version
	}

[Copilot]

The condition if ($Extract -and $ExtractPath) means that extraction will silently fail if -Extract is specified but -ExtractPath is not provided. Consider making ExtractPath mandatory when Extract is used, or provide a better error message, or default to extracting in the same directory as OutputPath.

[Copilot]

The SearchPaths property is specific to shell-downloads but is not used by any other ecosystem in $DependencyPatterns. This inconsistency suggests incomplete implementation. If this is a custom property for the ValidationFunc approach, it should be documented or the design should be revised to match the pattern used by other ecosystems (FilePatterns + VersionPatterns).

Suggested change

	FilePatterns = @('*.sh')
	SearchPaths = @('.devcontainer/scripts', 'scripts')
	FilePatterns = @('**/.devcontainer/scripts/*.sh', '**/scripts/*.sh')

[Copilot]

The script uses exit 1 which will terminate the entire PowerShell session when run as a script. This is problematic if the script is dot-sourced or used as a function. Consider using throw instead to allow proper error handling by the caller, or use return with a proper error status if this is intended to be a standalone script.

Suggested change

	Write-Error "Checksum verification failed!`nExpected: $ExpectedSHA256`nActual: $actualHash"
	exit 1
	}
	throw "Checksum verification failed!`nExpected: $ExpectedSHA256`nActual: $actualHash"
	}

[Copilot]

Expand-Archive is only available for .zip files in PowerShell. This will fail for .tar.gz files (like the gitleaks download mentioned in tool-checksums.json). Consider using platform-appropriate extraction commands (e.g., tar on Linux/macOS) or checking the file extension and choosing the appropriate extraction method.

Suggested change

	Expand-Archive -Path $tempFile -DestinationPath $ExtractPath -Force
	}
	$fileExt = [System.IO.Path]::GetExtension($tempFile).ToLowerInvariant()
	$fileName = [System.IO.Path]::GetFileName($tempFile).ToLowerInvariant()
	if ($fileExt -eq ".zip") {
	Expand-Archive -Path $tempFile -DestinationPath $ExtractPath -Force
	}
	elseif ($fileName -match "\.tar\.gz$" -or $fileExt -eq ".tgz") {
	# Use tar for .tar.gz and .tgz
	Write-Host "Extracting tar.gz/tgz archive using tar"
	$tarCmd = "tar"
	$tarArgs = "xf `"$tempFile`" -C `"$ExtractPath`""
	$process = Start-Process -FilePath $tarCmd -ArgumentList $tarArgs -NoNewWindow -Wait -PassThru
	if ($process.ExitCode -ne 0) {
	Write-Error "Extraction failed for tar.gz/tgz archive."
	exit 1
	}
	}
	elseif ($fileExt -eq ".tar") {
	# Use tar for .tar
	Write-Host "Extracting tar archive using tar"
	$tarCmd = "tar"
	$tarArgs = "xf `"$tempFile`" -C `"$ExtractPath`""
	$process = Start-Process -FilePath $tarCmd -ArgumentList $tarArgs -NoNewWindow -Wait -PassThru
	if ($process.ExitCode -ne 0) {
	Write-Error "Extraction failed for tar archive."
	exit 1
	}
	}
	else {
	Write-Error "Unsupported archive format: $fileExt. Only .zip, .tar.gz, .tgz, and .tar are supported."
	exit 1
	}

[Copilot]

The shell-downloads ecosystem is defined with a ValidationFunc property, but this function is never invoked in the main execution flow. The main script only calls Get-DependencyViolation which uses VersionPatterns to scan files. Since shell-downloads doesn't define VersionPatterns, this ecosystem will not be checked. Either integrate Test-ShellDownloadSecurity into the scanning logic or remove this unused configuration.

Suggested change

	'shell-downloads' = @{
	FilePatterns = @('*.sh')
	SearchPaths = @('.devcontainer/scripts', 'scripts')
	ValidationFunc = 'Test-ShellDownloadSecurity'
	Description = 'Shell script downloads must include checksum verification'
	}

[Copilot]

The Get-ToolStaleness function is defined but never called in the script's main execution block. This means tool staleness checking from tool-checksums.json won't actually run. Either add a call to this function in the main execution block or remove it if it's intended for future use.

[WilliamBerryiii]

The issues (PR comments) in this will be resolved after PR #100 merges.