Summary
Add enhanced infrastructure for validating checksums on tool downloads to strengthen supply chain security for binary artifacts.
Motivation
While GitHub Actions are SHA-pinned, binary tool downloads (e.g., gitleaks in devcontainer) lack equivalent verification. This creates a gap in supply chain security.
Scope
In Scope
- Tool manifest (tool-checksums.json) for tracking versions and SHA256 checksums
- Staleness detection for manifested tools via GitHub Releases API
- Shell script download scanner to detect unverified downloads
- PowerShell verified download helper
- npm audit integration in PR validation
- Removal of harden-runner (redundant with existing controls)
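The verified-download flow the manifest and helper items above describe, as an added example in Python (the issue's own helpers are shell and PowerShell; this is not the project's code). The manifest layout under `tools`, the tool name `example-tool`, its version and the artifact bytes are constructed assumptions; the download is simulated with in-memory bytes so it runs offline, and the Releases API staleness check is not modelled since it needs network access. The point it demonstrates is fail-closed handling: the artifact only gets its final name after the SHA256 matches, and a mismatch or an unmanifested tool removes the partial file.

```python
"""Verified tool download against a checksum manifest (added example).

Not the project's own code. The manifest layout, tool name, version and
the sample artifact bytes are constructed assumptions.
"""
import hashlib
import json
import os
import tempfile

# Constructed artifact that stands in for a release binary.
SAMPLE_ARTIFACT = b"example-tool binary v1.2.3\n"
# Same artifact with one byte changed, standing in for a tampered download.
TAMPERED_ARTIFACT = b"example-tool binary v1.2.3 (modified)\n"

# Constructed manifest in the spirit of tool-checksums.json (layout assumed).
SAMPLE_MANIFEST = {
    "tools": {
        "example-tool": {
            "version": "1.2.3",
            "sha256": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest(),
        }
    }
}


class ChecksumMismatch(Exception):
    """Raised when the downloaded artifact does not match the manifest."""


def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest(path):
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def verify_download(manifest, tool, artifact_path):
    """Compare the artifact's SHA256 with its manifest entry; fail closed.

    Returns the manifested version on success. A tool missing from the
    manifest is treated as unverified and rejected, not silently allowed.
    """
    entry = manifest["tools"].get(tool)
    if entry is None:
        raise KeyError(f"{tool}: not in manifest; refusing unverified download")
    expected = entry["sha256"].lower()
    actual = sha256_file(artifact_path)
    if actual != expected:
        raise ChecksumMismatch(f"{tool}: expected {expected}, got {actual}")
    return entry["version"]


def fetch_and_verify(manifest, tool, download_bytes, dest_dir):
    """Write to a temporary name, verify, then rename into place.

    download_bytes stands in for the HTTP body of the release download.
    The final path is only created after verification, so a previously
    verified binary is never overwritten by an unverified one.
    """
    tmp_path = os.path.join(dest_dir, f".{tool}.partial")
    final_path = os.path.join(dest_dir, tool)
    with open(tmp_path, "wb") as f:
        f.write(download_bytes)
    try:
        version = verify_download(manifest, tool, tmp_path)
    except Exception:
        os.remove(tmp_path)  # never leave an unverified artifact behind
        raise
    os.replace(tmp_path, final_path)
    return final_path, version


def demo():
    """Run the good and tampered cases.

    Returns (good_verified, tampered_rejected, original_left_intact).
    """
    with tempfile.TemporaryDirectory() as d:
        manifest_path = os.path.join(d, "tool-checksums.json")
        with open(manifest_path, "w", encoding="utf-8") as f:
            json.dump(SAMPLE_MANIFEST, f)
        manifest = load_manifest(manifest_path)
        final_path, version = fetch_and_verify(
            manifest, "example-tool", SAMPLE_ARTIFACT, d)
        good = version == "1.2.3"
        try:
            fetch_and_verify(manifest, "example-tool", TAMPERED_ARTIFACT, d)
            rejected = False
        except ChecksumMismatch:
            rejected = True
        intact = sha256_file(final_path) == SAMPLE_MANIFEST["tools"]["example-tool"]["sha256"]
        partial_gone = not os.path.exists(os.path.join(d, ".example-tool.partial"))
        return good, rejected, intact and partial_gone


if __name__ == "__main__":
    print(demo())
```

A shell or PowerShell port keeps the same shape: download to a temporary name, compare `sha256sum` (or `Get-FileHash`) output against the manifest entry, and only `mv` into place on a match.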
Out of Scope
- Modifying devcontainer scripts to use the manifest (follow-up after #100, chore(devcontainer): enhance gitleaks installation with checksum verification)
Dependencies
This work layers on top of #100, which adds checksum verification to the devcontainer gitleaks download. The manifest SHA matches the hardcoded SHA in #100.
Related PRs
- #100: chore(devcontainer): enhance gitleaks installation with checksum verification