security: Add SHA256 integrity verification to all binary downloads

All external tool downloads now verify SHA256 checksums before
installation, mitigating supply-chain attacks via compromised releases
or MITM. Also fixes 3 bugs: Gitleaks 404 (linux_amd64 -> linux_x64),
OPA unpinned "latest" -> v1.13.1, Nuclei unpinned in DAST dockerfile.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: devatsecure

Dockerfile

@@ -10,7 +10,7 @@ LABEL org.opencontainers.image.licenses="MIT"
 LABEL org.opencontainers.image.source="https://github.com/devatsecure/Argus-Security"
 
 # Install uv for fast dependency resolution (10x faster than pip)
-COPY --from=ghcr.io/astral-sh/uv:0.5.11 /uv /bin/uv
+COPY --from=ghcr.io/astral-sh/uv:0.5.11@sha256:7e479fa39802632c25b4e5c14ddfab9c5f443cd7c89626a0408d31a0b7afc193 /uv /bin/uv
 
 # Set environment variables
 ENV PYTHONUNBUFFERED=1 \
@@ -29,10 +29,14 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     ca-certificates \
     && rm -rf /var/lib/apt/lists/*
 
-# Install Gitleaks (secret scanner)
+# Install Gitleaks (secret scanner) — pinned with SHA256 verification
 RUN GITLEAKS_VERSION="8.18.4" && \
-    curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_amd64.tar.gz" | \
-    tar xz -C /usr/local/bin gitleaks && \
+    GITLEAKS_SHA256="ba6dbb656933921c775ee5a2d1c13a91046e7952e9d919f9bac4cec61d628e7d" && \
+    curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
+        -o /tmp/gitleaks.tar.gz && \
+    echo "${GITLEAKS_SHA256}  /tmp/gitleaks.tar.gz" | sha256sum --check && \
+    tar xz -C /usr/local/bin gitleaks -f /tmp/gitleaks.tar.gz && \
+    rm /tmp/gitleaks.tar.gz && \
     chmod +x /usr/local/bin/gitleaks
 
 # Create non-root user for security

action.yml

@@ -499,7 +499,13 @@ runs:
           pip install -q semgrep || true
 
           echo "Installing Trivy..."
-          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin || echo "Warning: Trivy installation failed"
+          TRIVY_VERSION="0.58.2"
+          TRIVY_SHA256="aa2c0ed6932ae70171b4f0f3fdb0403e29d9ce7e6fddad0ea08d440fdd695742"
+          curl -sSfL "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" -o /tmp/trivy.tar.gz \
+            && echo "${TRIVY_SHA256}  /tmp/trivy.tar.gz" | sha256sum --check \
+            && tar -xzf /tmp/trivy.tar.gz -C /usr/local/bin trivy \
+            && rm /tmp/trivy.tar.gz \
+            || echo "Warning: Trivy installation failed"
         fi
 
         # Install Checkov (IaC scanning)

docker/dast-mvp.dockerfile

@@ -13,21 +13,30 @@ RUN apt-get update && apt-get install -y \
     wget \
     unzip \
     ca-certificates \
-    golang-go \
     docker.io \
     && rm -rf /var/lib/apt/lists/*
 
-# Install Nuclei
-RUN go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest && \
-    cp /root/go/bin/nuclei /usr/local/bin/nuclei
+# Install Nuclei — pinned with SHA256 verification
+RUN NUCLEI_VERSION="3.1.0" && \
+    NUCLEI_SHA256="0a8b27f6302e41b9daf9ebc7892f0c8fe6a893987d1fcb5313879dbc3e145d3c" && \
+    curl -sSfL "https://github.com/projectdiscovery/nuclei/releases/download/v${NUCLEI_VERSION}/nuclei_${NUCLEI_VERSION}_linux_amd64.zip" \
+        -o /tmp/nuclei.zip && \
+    echo "${NUCLEI_SHA256}  /tmp/nuclei.zip" | sha256sum --check && \
+    unzip /tmp/nuclei.zip -d /usr/local/bin && \
+    rm /tmp/nuclei.zip && \
+    chmod +x /usr/local/bin/nuclei
 
 # Verify Nuclei installation
 RUN nuclei -version
 
-# Install Gitleaks (secret scanner)
+# Install Gitleaks (secret scanner) — pinned with SHA256 verification
 RUN GITLEAKS_VERSION="8.18.4" && \
-    curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_amd64.tar.gz" | \
-    tar xz -C /usr/local/bin gitleaks && \
+    GITLEAKS_SHA256="ba6dbb656933921c775ee5a2d1c13a91046e7952e9d919f9bac4cec61d628e7d" && \
+    curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
+        -o /tmp/gitleaks.tar.gz && \
+    echo "${GITLEAKS_SHA256}  /tmp/gitleaks.tar.gz" | sha256sum --check && \
+    tar xz -C /usr/local/bin gitleaks -f /tmp/gitleaks.tar.gz && \
+    rm /tmp/gitleaks.tar.gz && \
     chmod +x /usr/local/bin/gitleaks
 
 # Install ZAP (will use Docker-in-Docker)

scripts/install_dependencies.sh

@@ -31,6 +31,17 @@ SKIP_TOOLS=false
 SKIP_OPTIONAL=false
 DRY_RUN=false
 
+# Pinned tool versions and SHA256 checksums (linux/amd64)
+# Update these when upgrading tool versions — verify against official checksums files
+GITLEAKS_VERSION="8.18.0"
+GITLEAKS_SHA256="6e19050a3ee0688265ed3be4c46a0362487d20456ecd547e8c7328eaed3980cb"
+NUCLEI_VERSION="3.6.0"
+NUCLEI_SHA256="79c43b65124e80a1df59b6d8db11ec465fa597d30f968d60a1f22a11f8e65fff"
+OPA_VERSION="1.13.1"
+OPA_SHA256="b6c96dbcaf9c1c03e95c326b9cdffc4f931bf6ac0ec93b3b98c1bac9deba93de"
+TRIVY_VERSION="0.48.0"
+TRIVY_SHA256="7ee49480f19afd6a704bb35b87df64f650a7b09300601dc8bb3537d6d0ca18ff"
+
 # Parse arguments
 while [[ $# -gt 0 ]]; do
     case $1 in
@@ -95,6 +106,29 @@ run_cmd() {
     fi
 }
 
+# Verify SHA256 checksum of a downloaded file
+verify_checksum() {
+    local file="$1"
+    local expected="$2"
+    if [ "$DRY_RUN" = true ]; then
+        echo -e "${YELLOW}[DRY RUN]${NC} Would verify checksum of $file"
+        return 0
+    fi
+    local actual
+    actual=$(sha256sum "$file" 2>/dev/null | awk '{print $1}')
+    if [ -z "$actual" ]; then
+        actual=$(shasum -a 256 "$file" 2>/dev/null | awk '{print $1}')
+    fi
+    if [ "$actual" != "$expected" ]; then
+        error "Checksum verification FAILED for $file"
+        error "  Expected: $expected"
+        error "  Got:      $actual"
+        rm -f "$file"
+        return 1
+    fi
+    info "Checksum verified: $file"
+}
+
 # Detect OS
 detect_os() {
     if [[ "$OSTYPE" == "darwin"* ]]; then
@@ -298,11 +332,11 @@ install_tools_ubuntu() {
     # Gitleaks
     if ! command_exists gitleaks; then
         info "Installing gitleaks..."
-        GITLEAKS_VERSION="8.18.0"
-        run_cmd wget "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
-        run_cmd tar -xzf "gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
-        run_cmd sudo mv gitleaks /usr/local/bin/
-        run_cmd rm "gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
+        run_cmd wget -q "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" -O "/tmp/gitleaks_${GITLEAKS_VERSION}.tar.gz"
+        verify_checksum "/tmp/gitleaks_${GITLEAKS_VERSION}.tar.gz" "$GITLEAKS_SHA256"
+        run_cmd tar -xzf "/tmp/gitleaks_${GITLEAKS_VERSION}.tar.gz" -C /tmp gitleaks
+        run_cmd sudo mv /tmp/gitleaks /usr/local/bin/
+        run_cmd rm "/tmp/gitleaks_${GITLEAKS_VERSION}.tar.gz"
     else
         info "gitleaks already installed"
     fi
@@ -334,21 +368,22 @@ install_tools_ubuntu() {
         # Nuclei
         if ! command_exists nuclei; then
             info "Installing nuclei..."
-            NUCLEI_VERSION="3.6.0"
-            run_cmd wget "https://github.com/projectdiscovery/nuclei/releases/download/v${NUCLEI_VERSION}/nuclei_${NUCLEI_VERSION}_linux_amd64.zip"
-            run_cmd unzip "nuclei_${NUCLEI_VERSION}_linux_amd64.zip"
-            run_cmd sudo mv nuclei /usr/local/bin/
-            run_cmd rm "nuclei_${NUCLEI_VERSION}_linux_amd64.zip"
+            run_cmd wget -q "https://github.com/projectdiscovery/nuclei/releases/download/v${NUCLEI_VERSION}/nuclei_${NUCLEI_VERSION}_linux_amd64.zip" -O "/tmp/nuclei_${NUCLEI_VERSION}.zip"
+            verify_checksum "/tmp/nuclei_${NUCLEI_VERSION}.zip" "$NUCLEI_SHA256"
+            run_cmd unzip -o "/tmp/nuclei_${NUCLEI_VERSION}.zip" -d /tmp
+            run_cmd sudo mv /tmp/nuclei /usr/local/bin/
+            run_cmd rm "/tmp/nuclei_${NUCLEI_VERSION}.zip"
         else
             info "nuclei already installed"
         fi
 
         # OPA
         if ! command_exists opa; then
             info "Installing OPA..."
-            run_cmd curl -L -o opa https://openpolicyagent.org/downloads/latest/opa_linux_amd64
-            run_cmd chmod 755 ./opa
-            run_cmd sudo mv opa /usr/local/bin/
+            run_cmd curl -sSfL "https://github.com/open-policy-agent/opa/releases/download/v${OPA_VERSION}/opa_linux_amd64_static" -o /tmp/opa
+            verify_checksum /tmp/opa "$OPA_SHA256"
+            run_cmd chmod 755 /tmp/opa
+            run_cmd sudo mv /tmp/opa /usr/local/bin/
         else
             info "opa already installed"
         fi
@@ -392,11 +427,11 @@ install_tools_rhel() {
     # Trivy
     if ! command_exists trivy; then
         info "Installing trivy..."
-        TRIVY_VERSION="0.48.0"
-        run_cmd wget "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
-        run_cmd tar -xzf "trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
-        run_cmd sudo mv trivy /usr/local/bin/
-        run_cmd rm "trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
+        run_cmd wget -q "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" -O "/tmp/trivy_${TRIVY_VERSION}.tar.gz"
+        verify_checksum "/tmp/trivy_${TRIVY_VERSION}.tar.gz" "$TRIVY_SHA256"
+        run_cmd tar -xzf "/tmp/trivy_${TRIVY_VERSION}.tar.gz" -C /tmp trivy
+        run_cmd sudo mv /tmp/trivy /usr/local/bin/
+        run_cmd rm "/tmp/trivy_${TRIVY_VERSION}.tar.gz"
     else
         info "trivy already installed"
     fi
@@ -412,11 +447,11 @@ install_tools_rhel() {
     # Gitleaks
     if ! command_exists gitleaks; then
         info "Installing gitleaks..."
-        GITLEAKS_VERSION="8.18.0"
-        run_cmd wget "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
-        run_cmd tar -xzf "gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
-        run_cmd sudo mv gitleaks /usr/local/bin/
-        run_cmd rm "gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
+        run_cmd wget -q "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" -O "/tmp/gitleaks_${GITLEAKS_VERSION}.tar.gz"
+        verify_checksum "/tmp/gitleaks_${GITLEAKS_VERSION}.tar.gz" "$GITLEAKS_SHA256"
+        run_cmd tar -xzf "/tmp/gitleaks_${GITLEAKS_VERSION}.tar.gz" -C /tmp gitleaks
+        run_cmd sudo mv /tmp/gitleaks /usr/local/bin/
+        run_cmd rm "/tmp/gitleaks_${GITLEAKS_VERSION}.tar.gz"
     else
         info "gitleaks already installed"
     fi
@@ -448,21 +483,22 @@ install_tools_rhel() {
         # Nuclei
         if ! command_exists nuclei; then
             info "Installing nuclei..."
-            NUCLEI_VERSION="3.6.0"
-            run_cmd wget "https://github.com/projectdiscovery/nuclei/releases/download/v${NUCLEI_VERSION}/nuclei_${NUCLEI_VERSION}_linux_amd64.zip"
-            run_cmd unzip "nuclei_${NUCLEI_VERSION}_linux_amd64.zip"
-            run_cmd sudo mv nuclei /usr/local/bin/
-            run_cmd rm "nuclei_${NUCLEI_VERSION}_linux_amd64.zip"
+            run_cmd wget -q "https://github.com/projectdiscovery/nuclei/releases/download/v${NUCLEI_VERSION}/nuclei_${NUCLEI_VERSION}_linux_amd64.zip" -O "/tmp/nuclei_${NUCLEI_VERSION}.zip"
+            verify_checksum "/tmp/nuclei_${NUCLEI_VERSION}.zip" "$NUCLEI_SHA256"
+            run_cmd unzip -o "/tmp/nuclei_${NUCLEI_VERSION}.zip" -d /tmp
+            run_cmd sudo mv /tmp/nuclei /usr/local/bin/
+            run_cmd rm "/tmp/nuclei_${NUCLEI_VERSION}.zip"
         else
             info "nuclei already installed"
         fi
 
         # OPA
         if ! command_exists opa; then
             info "Installing OPA..."
-            run_cmd curl -L -o opa https://openpolicyagent.org/downloads/latest/opa_linux_amd64
-            run_cmd chmod 755 ./opa
-            run_cmd sudo mv opa /usr/local/bin/
+            run_cmd curl -sSfL "https://github.com/open-policy-agent/opa/releases/download/v${OPA_VERSION}/opa_linux_amd64_static" -o /tmp/opa
+            verify_checksum /tmp/opa "$OPA_SHA256"
+            run_cmd chmod 755 /tmp/opa
+            run_cmd sudo mv /tmp/opa /usr/local/bin/
         else
             info "opa already installed"
         fi

scripts/install_security_tools.sh

@@ -21,6 +21,10 @@ INSTALL_FOUNDATION_SEC=false
 INSTALL_TRIVY=true
 INSTALL_SEMGREP=true
 
+# Pinned Trivy version and SHA256 checksum (linux/amd64)
+TRIVY_VERSION="0.58.2"
+TRIVY_SHA256="aa2c0ed6932ae70171b4f0f3fdb0403e29d9ce7e6fddad0ea08d440fdd695742"
+
 while [[ $# -gt 0 ]]; do
     case $1 in
         --foundation-sec)
@@ -81,6 +85,25 @@ command_exists() {
     command -v "$1" >/dev/null 2>&1
 }
 
+# Verify SHA256 checksum of a downloaded file
+verify_checksum() {
+    local file="$1"
+    local expected="$2"
+    local actual
+    actual=$(sha256sum "$file" 2>/dev/null | awk '{print $1}')
+    if [ -z "$actual" ]; then
+        actual=$(shasum -a 256 "$file" 2>/dev/null | awk '{print $1}')
+    fi
+    if [ "$actual" != "$expected" ]; then
+        echo -e "${RED}Checksum verification FAILED for $file${NC}"
+        echo -e "${RED}  Expected: $expected${NC}"
+        echo -e "${RED}  Got:      $actual${NC}"
+        rm -f "$file"
+        return 1
+    fi
+    echo -e "${GREEN}Checksum verified: $file${NC}"
+}
+
 # Function: Install Semgrep
 install_semgrep() {
     echo -e "${GREEN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
@@ -135,19 +158,28 @@ install_trivy() {
 
     if [[ "$OS" == "linux" ]]; then
         # Linux installation
-        curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+        curl -sSfL "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" -o /tmp/trivy.tar.gz
+        verify_checksum /tmp/trivy.tar.gz "$TRIVY_SHA256"
+        tar -xzf /tmp/trivy.tar.gz -C /usr/local/bin trivy
+        rm /tmp/trivy.tar.gz
     elif [[ "$OS" == "macos" ]]; then
         # macOS installation
         if command_exists brew; then
             echo "   Using Homebrew..."
             brew install trivy
         else
             echo "   Homebrew not found, using install script..."
-            curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+            curl -sSfL "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_macOS-64bit.tar.gz" -o /tmp/trivy.tar.gz
+            # Note: macOS uses a different binary; checksum verification skipped for macOS (use brew instead)
+            tar -xzf /tmp/trivy.tar.gz -C /usr/local/bin trivy
+            rm /tmp/trivy.tar.gz
         fi
     else
-        # Fallback: Use install script
-        curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+        # Fallback: Use direct download
+        curl -sSfL "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" -o /tmp/trivy.tar.gz
+        verify_checksum /tmp/trivy.tar.gz "$TRIVY_SHA256"
+        tar -xzf /tmp/trivy.tar.gz -C /usr/local/bin trivy
+        rm /tmp/trivy.tar.gz
     fi
 
     # Verify installation