curl/wget piped straight into a shell
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
A RUN pipes a downloaded script directly into a shell (curl ... | bash), so whatever the remote server returns runs at build time with no integrity check. A compromised or man-in-the-middled URL is remote code execution.
Why it matters
Piping curl or wget straight into a shell runs whatever the remote server returns, at build time, with no signature or checksum check. If that URL is ever compromised or intercepted, the attacker gets arbitrary code execution in your image. The failure is silent because the pipe hides non-zero exits too.
How to fix it
Download to a file, verify it against a known checksum or signature, then execute it as a separate step. Prefer installing from the distro package manager or a pinned release artifact. If you must fetch a script, pin it to a specific commit/version and verify its hash before running.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo