Will It Vibe logoWill It Vibe?
DOCKER-022High severity-15 points

curl/wget piped straight into a shell

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

A RUN pipes a downloaded script directly into a shell (curl ... | bash), so whatever the remote server returns runs at build time with no integrity check. A compromised or man-in-the-middled URL is remote code execution.

Why it matters

Piping curl or wget straight into a shell runs whatever the remote server returns, at build time, with no signature or checksum check. If that URL is ever compromised or intercepted, the attacker gets arbitrary code execution in your image. The failure is silent because the pipe hides non-zero exits too.

How to fix it

Download to a file, verify it against a known checksum or signature, then execute it as a separate step. Prefer installing from the distro package manager or a pinned release artifact. If you must fetch a script, pin it to a specific commit/version and verify its hash before running.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks