Remote script piped straight into a shell
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
A run step downloads a script with curl or wget and pipes it directly into a shell. The fetched code is unpinned and unverified, so whoever controls that URL (or can intercept it) gets code execution on the runner with your job token and secrets.
Why it matters
curl | sh downloads a script and executes it in one step with no pinning and no verification. Whoever controls that URL, or anyone who can intercept the request, gets arbitrary code execution on the runner, which holds your job token and any secrets the step can see. A compromised or hijacked install host silently owns your pipeline.
How to fix it
Download to a file, verify it, then run it: fetch with curl -fsSL to a path, check a known checksum or signature, and only then execute. Better, install the tool through a pinned action or the runner package manager, or vendor a pinned binary with a checksum. Avoid piping network content straight into a shell.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo