Add supply chain analysis from bitwarden CLI attack

Audit of our Jinja2 image template macros against the attack pattern
from the @bitwarden/cli compromise (socket.dev, 2026-04-15). Maps
each mutable external reference in our macros to a risk tier and
proposes concrete fixes, starting with wait-for-it.j2 (commit pin +
SHA256 checksum) as the most acute gap.

Author: bschwedler

bitwarden-cli-supply-chain-analysis.md

@@ -0,0 +1,93 @@
+# Bitwarden CLI supply chain attack: applicability to Posit container images
+
+## What happened
+
+On 2026-04-15, attackers compromised `@bitwarden/cli` v2026.4.0 on npm by exploiting a GitHub Action in Bitwarden's CI/CD pipeline. Malicious code (`bw1.js`) was injected during the build process before publication. The payload harvested GitHub tokens, AWS/Azure/GCP credentials, npm tokens, SSH keys, and Claude/MCP settings from CI environments. Stolen npm tokens were reused to republish other packages with malicious preinstall hooks, propagating the attack.
+
+Source: https://socket.dev/blog/bitwarden-cli-compromised
+
+## Attack pattern
+
+1. Compromise a GitHub Action used in the target's CI pipeline
+2. Inject credential-harvesting code during the build step
+3. Published artifact looks legitimate — version bump, normal release workflow
+4. Consumers install the package and execute the payload in their own CI/build environments
+5. Stolen tokens propagate the attack to more packages
+
+## Applicability to our image templates
+
+Our Jinja2 macros download and execute external code during `docker build`. A compromised upstream source would inject malicious code into every image build — the same vector as the bitwarden attack, but at the container layer.
+
+### Mutable references (HIGH — no integrity verification)
+
+| Macro | Line | What it does | Risk |
+|---|---|---|---|
+| `wait-for-it.j2` | 5 | `curl` from `master` branch of `rstudio/wait-for-it`, no checksum | Mutable branch ref. Anyone with write access pushes arbitrary shell code into every image that uses this macro. |
+| `r.j2` | 25 | `curl \| bash` via `rstd.io/r-install` URL shortener | URL shortener adds a redirect layer. If `rstd.io` or the target script is compromised, arbitrary code runs. First-party Posit script, but still unverified. |
+| `apt.j2` | 8 | `curl \| bash` for Cloudsmith repo setup (`dl.posit.co/public/pro/setup.deb.sh`) | First-party, but `curl \| bash` with no checksum. |
+| `dnf.j2` | 13 | `curl \| bash` for Cloudsmith repo setup (`dl.posit.co/public/pro/setup.rpm.sh`) | Same as above, RPM variant. |
+
+### Mutable container tags (MEDIUM — tag can be re-pushed)
+
+| Macro | Line | What it does | Risk |
+|---|---|---|---|
+| `python.j2` | 47 | `FROM ghcr.io/astral-sh/uv:debian-slim` | Mutable tag. A compromised UV image injects into all Python builds. Cannot trivially pin to a digest because the tag intentionally floats to pick up new Python version support. |
+
+### Version-pinned but unverified (LOW — version in URL, no checksum)
+
+| Macro | Line | What it does | Risk |
+|---|---|---|---|
+| `quarto.j2` | 42 | Downloads tarball from GitHub releases by version | URL is version-pinned, so it requires compromising the specific release asset. Quarto publishes SHA256 checksums alongside releases that we could verify. |
+
+## What's already been done
+
+From posit-dev/platform-team#3 (fork-safe CI workflows):
+
+- **PR #441** (merged): SHA256 checksum verification for `setup-goss` and `setup-hadolint` composite actions
+- **PR #443** (merged): SHA pinning for all third-party GitHub Actions + zizmor CI linting
+- **PR #440** (merged): Script injection fixes in shared workflows
+- **Issue #453** (open): Sigstore attestations for published container images
+
+## Recommended changes
+
+### 1. Pin and checksum `wait-for-it.j2` (immediate)
+
+Pin the download URL to commit SHA `81b1373f17855a4dc21156cfe1694c31d7d1792e` and add SHA256 verification:
+
+```jinja2
+{%- set _COMMIT_SHA = "81b1373f17855a4dc21156cfe1694c31d7d1792e" -%}
+{%- set _SHA256 = "b7a04f38de1e51e7455ecf63151c8c7e405bd2d45a2d4e16f6419db737a125d6" -%}
+
+{% macro install() -%}
+curl -fsSL -o /usr/local/bin/wait-for-it.sh https://raw.githubusercontent.com/rstudio/wait-for-it/{{ _COMMIT_SHA }}/wait-for-it.sh && \
+echo "{{ _SHA256 }}  /usr/local/bin/wait-for-it.sh" | sha256sum -c - && \
+chmod +x /usr/local/bin/wait-for-it.sh
+{%- endmacro %}
+```
+
+### 2. Pin UV base image to versioned tag (short-term)
+
+Replace `ghcr.io/astral-sh/uv:debian-slim` with a version-pinned tag like `ghcr.io/astral-sh/uv:0.7.8-debian-slim`. Add a Dependabot or Renovate entry to keep it updated. This preserves reproducibility while allowing controlled updates.
+
+Pinning to a digest (`@sha256:...`) is more secure but would require manual updates whenever a new Python version needs UV support.
+
+### 3. Add checksum verification to Quarto downloads (short-term)
+
+Quarto publishes checksums at `https://github.com/quarto-dev/quarto-cli/releases/download/v{version}/quarto-{version}-checksums.txt`. Download and verify in the macro:
+
+```jinja2
+curl -fsSL -o /tmp/quarto-checksums.txt "https://github.com/quarto-dev/quarto-cli/releases/download/v{{ version }}/quarto-{{ version }}-checksums.txt" && \
+curl -fsSL -o /tmp/quarto.tar.gz "https://...tar.gz" && \
+grep "quarto-{{ version }}-linux-${TARGETARCH}.tar.gz" /tmp/quarto-checksums.txt | sha256sum -c - && \
+```
+
+### 4. Evaluate first-party `curl | bash` scripts (longer-term)
+
+The `rstd.io/r-install` and `dl.posit.co` Cloudsmith setup scripts are first-party Posit resources. The risk is lower, but the pattern is still `curl | bash` without verification. Options:
+
+- Pin the R install script to a tagged release and verify its checksum
+- For Cloudsmith setup scripts: these change when Cloudsmith updates their onboarding, so pinning is harder. Consider vendoring or checksumming.
+
+### 5. Complete Sigstore attestations (tracked)
+
+Already filed as posit-dev/images-shared#453. This provides end-to-end provenance for the published images themselves, complementing the build-time integrity checks above.