@@ -31,6 +31,17 @@ SKIP_TOOLS=false
3131SKIP_OPTIONAL=false
3232DRY_RUN=false
3333
34+ # Pinned tool versions and SHA256 checksums (linux/amd64)
35+ # Update these when upgrading tool versions — verify against official checksums files
36+ GITLEAKS_VERSION=" 8.18.0"
37+ GITLEAKS_SHA256=" 6e19050a3ee0688265ed3be4c46a0362487d20456ecd547e8c7328eaed3980cb"
38+ NUCLEI_VERSION=" 3.6.0"
39+ NUCLEI_SHA256=" 79c43b65124e80a1df59b6d8db11ec465fa597d30f968d60a1f22a11f8e65fff"
40+ OPA_VERSION=" 1.13.1"
41+ OPA_SHA256=" b6c96dbcaf9c1c03e95c326b9cdffc4f931bf6ac0ec93b3b98c1bac9deba93de"
42+ TRIVY_VERSION=" 0.48.0"
43+ TRIVY_SHA256=" 7ee49480f19afd6a704bb35b87df64f650a7b09300601dc8bb3537d6d0ca18ff"
44+
3445# Parse arguments
3546while [[ $# -gt 0 ]]; do
3647 case $1 in
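Review bot: The new version and checksum globals on lines 36–43 are ordinary assignments, so a later reassignment anywhere in the script (or in anything it sources) would silently change which pin the download is verified against; declaring them `readonly GITLEAKS_VERSION="8.18.0"` and likewise for each `*_SHA256` turns an accidental override into a hard error. The comment on line 35 says to "verify against official checksums files" but not where those live, and the next person to bump a version will reach for whatever is convenient — I'd make it `# Update these when upgrading — copy the value from the checksum file published with the upstream GitHub release (not from a mirror or a locally computed hash)`. These pins are for the amd64 assets whose URLs are hard-coded in the installers below; on another architecture the download would simply fail verification, which is the safe outcome but worth stating in that comment.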
@@ -95,6 +106,29 @@ run_cmd() {
95106 fi
96107}
97108
109+ # Verify SHA256 checksum of a downloaded file
110+ verify_checksum () {
111+ local file=" $1 "
112+ local expected=" $2 "
113+ if [ " $DRY_RUN " = true ]; then
114+ echo -e " ${YELLOW} [DRY RUN]${NC} Would verify checksum of $file "
115+ return 0
116+ fi
117+ local actual
118+ actual=$( sha256sum " $file " 2> /dev/null | awk ' {print $1}' )
119+ if [ -z " $actual " ]; then
120+ actual=$( shasum -a 256 " $file " 2> /dev/null | awk ' {print $1}' )
121+ fi
122+ if [ " $actual " != " $expected " ]; then
123+ error " Checksum verification FAILED for $file "
124+ error " Expected: $expected "
125+ error " Got: $actual "
126+ rm -f " $file "
127+ return 1
128+ fi
129+ info " Checksum verified: $file "
130+ }
131+
98132# Detect OS
99133detect_os () {
100134 if [[ " $OSTYPE " == " darwin" * ]]; then
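Review bot: `verify_checksum` fails closed when neither `sha256sum` nor `shasum` is present — `actual` stays empty after line 121 and the comparison on line 122 fails — but the operator then sees a "mismatch" with an empty `Got:` line rather than the real cause; a dedicated branch before the comparison, `if [ -z "$actual" ]; then error "No sha256sum/shasum found; cannot verify $file"; rm -f "$file"; return 1; fi`, makes the next step obvious. The function also has two contract details a caller needs to know and no header comment states them: it deletes the file on failure, and it only signals failure through its exit status; I'd add `# Returns 1 and deletes $file on mismatch or when no hashing tool is available; callers must act on the status before extracting`. The dry-run short-circuit on line 113 is consistent with the rest of the change on the assumption that `run_cmd` skips execution in dry-run mode (its definition starts before this hunk), so there is no downloaded file to hash in that mode anyway.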
@@ -298,11 +332,11 @@ install_tools_ubuntu() {
298332 # Gitleaks
299333 if ! command_exists gitleaks; then
300334 info " Installing gitleaks..."
301- GITLEAKS_VERSION= " 8.18.0 "
302- run_cmd wget " https://github.com/gitleaks/gitleaks/releases/download/v ${GITLEAKS_VERSION} / gitleaks_${GITLEAKS_VERSION} _linux_x64 .tar.gz"
303- run_cmd tar -xzf " gitleaks_${GITLEAKS_VERSION} _linux_x64 .tar.gz"
304- run_cmd sudo mv gitleaks /usr/local/bin/
305- run_cmd rm " gitleaks_${GITLEAKS_VERSION} _linux_x64 .tar.gz"
335+ run_cmd wget -q " https://github.com/gitleaks/gitleaks/releases/download/v ${ GITLEAKS_VERSION} /gitleaks_ ${GITLEAKS_VERSION} _linux_x64.tar.gz " -O " /tmp/gitleaks_ ${GITLEAKS_VERSION} .tar.gz "
336+ verify_checksum " /tmp/ gitleaks_${GITLEAKS_VERSION} .tar.gz" " $GITLEAKS_SHA256 "
337+ run_cmd tar -xzf " /tmp/ gitleaks_${GITLEAKS_VERSION} .tar.gz" -C /tmp gitleaks
338+ run_cmd sudo mv /tmp/ gitleaks /usr/local/bin/
339+ run_cmd rm " /tmp/ gitleaks_${GITLEAKS_VERSION} .tar.gz"
306340 else
307341 info " gitleaks already installed"
308342 fi
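Review bot: The status of `verify_checksum` on line 336 is discarded — `run_cmd tar` on line 337 runs regardless, and since the helper deletes the archive on mismatch the user gets a tar "no such file" error instead of the checksum failure, unless the script runs under `set -e` (not visible in this hunk; and even then `-e` is suppressed whenever `install_tools_ubuntu` is called inside an `if`, `&&` or `||`). Make the dependency explicit: `verify_checksum "/tmp/gitleaks_${GITLEAKS_VERSION}.tar.gz" "$GITLEAKS_SHA256" || return 1`. Separately, `/tmp/gitleaks_${GITLEAKS_VERSION}.tar.gz` and `/tmp/gitleaks` are predictable names in a world-writable directory, so on a shared host another local user can pre-create them (or symlinks) before `wget -O` and `tar -C /tmp` write there, and both the verified archive and the binary that is then `sudo mv`'d are exposed between steps; a per-run `mktemp -d` with an EXIT trap closes that window. `install_tools_ubuntu` begins before this hunk.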
@@ -334,21 +368,22 @@ install_tools_ubuntu() {
334368 # Nuclei
335369 if ! command_exists nuclei; then
336370 info " Installing nuclei..."
337- NUCLEI_VERSION= " 3.6.0 "
338- run_cmd wget " https://github.com/projectdiscovery/nuclei/releases/download/v ${NUCLEI_VERSION} / nuclei_${NUCLEI_VERSION} _linux_amd64 .zip"
339- run_cmd unzip " nuclei_${NUCLEI_VERSION} _linux_amd64 .zip"
340- run_cmd sudo mv nuclei /usr/local/bin/
341- run_cmd rm " nuclei_${NUCLEI_VERSION} _linux_amd64 .zip"
371+ run_cmd wget -q " https://github.com/projectdiscovery/nuclei/releases/download/v ${NUCLEI_VERSION} /nuclei_ ${NUCLEI_VERSION} _linux_amd64.zip " -O " /tmp/nuclei_ ${NUCLEI_VERSION} .zip "
372+ verify_checksum " /tmp/ nuclei_${NUCLEI_VERSION} .zip" " $NUCLEI_SHA256 "
373+ run_cmd unzip -o " /tmp/ nuclei_${NUCLEI_VERSION} .zip" -d /tmp
374+ run_cmd sudo mv /tmp/ nuclei /usr/local/bin/
375+ run_cmd rm " /tmp/ nuclei_${NUCLEI_VERSION} .zip"
342376 else
343377 info " nuclei already installed"
344378 fi
345379
346380 # OPA
347381 if ! command_exists opa; then
348382 info " Installing OPA..."
349- run_cmd curl -L -o opa https://openpolicyagent.org/downloads/latest/opa_linux_amd64
350- run_cmd chmod 755 ./opa
351- run_cmd sudo mv opa /usr/local/bin/
383+ run_cmd curl -sSfL " https://github.com/open-policy-agent/opa/releases/download/v${OPA_VERSION} /opa_linux_amd64_static" -o /tmp/opa
384+ verify_checksum /tmp/opa " $OPA_SHA256 "
385+ run_cmd chmod 755 /tmp/opa
386+ run_cmd sudo mv /tmp/opa /usr/local/bin/
352387 else
353388 info " opa already installed"
354389 fi
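Review bot: `unzip -o … -d /tmp` on line 373 extracts every member of the nuclei archive into `/tmp`, whereas the tar invocations elsewhere in this change name only the binary; restricting it the same way, `run_cmd unzip -oq "/tmp/nuclei_${NUCLEI_VERSION}.zip" nuclei -d /tmp`, keeps whatever else the archive contains out of a shared directory and leaves exactly one verified file for `sudo mv` to install. Both `verify_checksum` calls on lines 372 and 384 also discard their status, so a mismatch is followed by `unzip`/`chmod` on a file the helper just deleted rather than by an abort; append `|| return 1` to each (or document that the script relies on `set -e`, which is not visible here). Pinning OPA to `opa_linux_amd64_static` at a fixed release on line 383 instead of the moving `downloads/latest` URL is the right direction, and `curl -sSfL` rather than `-L` alone means an HTTP error no longer produces a file that merely fails the hash. `install_tools_ubuntu` begins before this hunk.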
@@ -392,11 +427,11 @@ install_tools_rhel() {
392427 # Trivy
393428 if ! command_exists trivy; then
394429 info " Installing trivy..."
395- TRIVY_VERSION= " 0.48.0 "
396- run_cmd wget " https://github.com/aquasecurity/trivy/releases/download/v ${TRIVY_VERSION} / trivy_${TRIVY_VERSION} _Linux-64bit .tar.gz"
397- run_cmd tar -xzf " trivy_${TRIVY_VERSION} _Linux-64bit .tar.gz"
398- run_cmd sudo mv trivy /usr/local/bin/
399- run_cmd rm " trivy_${TRIVY_VERSION} _Linux-64bit .tar.gz"
430+ run_cmd wget -q " https://github.com/aquasecurity/trivy/releases/download/v ${ TRIVY_VERSION} /trivy_ ${TRIVY_VERSION} _Linux-64bit.tar.gz " -O " /tmp/trivy_ ${TRIVY_VERSION} .tar.gz "
431+ verify_checksum " /tmp/ trivy_${TRIVY_VERSION} .tar.gz" " $TRIVY_SHA256 "
432+ run_cmd tar -xzf " /tmp/ trivy_${TRIVY_VERSION} .tar.gz" -C /tmp trivy
433+ run_cmd sudo mv /tmp/ trivy /usr/local/bin/
434+ run_cmd rm " /tmp/ trivy_${TRIVY_VERSION} .tar.gz"
400435 else
401436 info " trivy already installed"
402437 fi
@@ -412,11 +447,11 @@ install_tools_rhel() {
412447 # Gitleaks
413448 if ! command_exists gitleaks; then
414449 info " Installing gitleaks..."
415- GITLEAKS_VERSION= " 8.18.0 "
416- run_cmd wget " https://github.com/gitleaks/gitleaks/releases/download/v ${GITLEAKS_VERSION} / gitleaks_${GITLEAKS_VERSION} _linux_x64 .tar.gz"
417- run_cmd tar -xzf " gitleaks_${GITLEAKS_VERSION} _linux_x64 .tar.gz"
418- run_cmd sudo mv gitleaks /usr/local/bin/
419- run_cmd rm " gitleaks_${GITLEAKS_VERSION} _linux_x64 .tar.gz"
450+ run_cmd wget -q " https://github.com/gitleaks/gitleaks/releases/download/v ${ GITLEAKS_VERSION} /gitleaks_ ${GITLEAKS_VERSION} _linux_x64.tar.gz " -O " /tmp/gitleaks_ ${GITLEAKS_VERSION} .tar.gz "
451+ verify_checksum " /tmp/ gitleaks_${GITLEAKS_VERSION} .tar.gz" " $GITLEAKS_SHA256 "
452+ run_cmd tar -xzf " /tmp/ gitleaks_${GITLEAKS_VERSION} .tar.gz" -C /tmp gitleaks
453+ run_cmd sudo mv /tmp/ gitleaks /usr/local/bin/
454+ run_cmd rm " /tmp/ gitleaks_${GITLEAKS_VERSION} .tar.gz"
420455 else
421456 info " gitleaks already installed"
422457 fi
@@ -448,21 +483,22 @@ install_tools_rhel() {
448483 # Nuclei
449484 if ! command_exists nuclei; then
450485 info " Installing nuclei..."
451- NUCLEI_VERSION= " 3.6.0 "
452- run_cmd wget " https://github.com/projectdiscovery/nuclei/releases/download/v ${NUCLEI_VERSION} / nuclei_${NUCLEI_VERSION} _linux_amd64 .zip"
453- run_cmd unzip " nuclei_${NUCLEI_VERSION} _linux_amd64 .zip"
454- run_cmd sudo mv nuclei /usr/local/bin/
455- run_cmd rm " nuclei_${NUCLEI_VERSION} _linux_amd64 .zip"
486+ run_cmd wget -q " https://github.com/projectdiscovery/nuclei/releases/download/v ${NUCLEI_VERSION} /nuclei_ ${NUCLEI_VERSION} _linux_amd64.zip " -O " /tmp/nuclei_ ${NUCLEI_VERSION} .zip "
487+ verify_checksum " /tmp/ nuclei_${NUCLEI_VERSION} .zip" " $NUCLEI_SHA256 "
488+ run_cmd unzip -o " /tmp/ nuclei_${NUCLEI_VERSION} .zip" -d /tmp
489+ run_cmd sudo mv /tmp/ nuclei /usr/local/bin/
490+ run_cmd rm " /tmp/ nuclei_${NUCLEI_VERSION} .zip"
456491 else
457492 info " nuclei already installed"
458493 fi
459494
460495 # OPA
461496 if ! command_exists opa; then
462497 info " Installing OPA..."
463- run_cmd curl -L -o opa https://openpolicyagent.org/downloads/latest/opa_linux_amd64
464- run_cmd chmod 755 ./opa
465- run_cmd sudo mv opa /usr/local/bin/
498+ run_cmd curl -sSfL " https://github.com/open-policy-agent/opa/releases/download/v${OPA_VERSION} /opa_linux_amd64_static" -o /tmp/opa
499+ verify_checksum /tmp/opa " $OPA_SHA256 "
500+ run_cmd chmod 755 /tmp/opa
501+ run_cmd sudo mv /tmp/opa /usr/local/bin/
466502 else
467503 info " opa already installed"
468504 fi
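Review bot: Lines 450–501 repeat the Ubuntu download/verify/install sequence byte for byte, so the two copies will drift the next time one is fixed — and both currently need the same fixes: `|| return 1` after each `verify_checksum` (lines 451, 487, 499) so a mismatch aborts instead of continuing onto a deleted file, and a `mktemp -d` scratch directory instead of fixed `/tmp` paths. A single helper taking the asset URL, expected SHA256, binary name and archive kind, called from both installers, keeps the verification path in one place; a sketch follows, using `curl -sSfL` for every asset as the OPA step already does. `install_tools_rhel` begins before this hunk.
```shell
# Download one release asset, verify its SHA256, and install a single binary into /usr/local/bin.
# $1 asset URL   $2 expected SHA256   $3 binary name   $4 archive kind: tar | zip | bin
install_verified_release() {
  local url="$1" sha="$2" bin="$3" kind="$4"
  local tmp
  tmp=$(mktemp -d) || return 1
  run_cmd curl -sSfL "$url" -o "$tmp/asset"
  # verify_checksum deletes the asset on mismatch; stop here rather than extract nothing
  verify_checksum "$tmp/asset" "$sha" || { rm -rf "${tmp:?}"; return 1; }
  case "$kind" in
    tar) run_cmd tar -xzf "$tmp/asset" -C "$tmp" "$bin" ;;
    zip) run_cmd unzip -oq "$tmp/asset" "$bin" -d "$tmp" ;;
    bin) run_cmd mv "$tmp/asset" "$tmp/$bin" ;;
    *)   error "unknown archive kind: $kind"; rm -rf "${tmp:?}"; return 1 ;;
  esac
  run_cmd chmod 755 "$tmp/$bin"
  run_cmd sudo mv "$tmp/$bin" /usr/local/bin/
  rm -rf "${tmp:?}"
}

# each per-tool block in install_tools_rhel / install_tools_ubuntu then collapses to one call, e.g.:
install_verified_release \
  "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
  "$GITLEAKS_SHA256" gitleaks tar
# … unchanged: the surrounding command_exists / info / else branches …
```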