A08:2021 Software and Data Integrity Failures
What this means
SiteShadow flagged patterns that suggest your build or deployment pulls and executes code without verifying where it came from or that it is unchanged: unverified downloads, curl | bash installers, unsigned or unpinned updates and dependencies, or weak CI/CD controls.
Why it matters
- Supply chain compromise: an attacker who can alter a build input (a dependency, an installer script, a base image) gets code into your artifacts without ever touching your source.
- CI is a high-value target: a compromised build pipeline can taint every release it produces.
- Silent persistence: a tampered artifact installs and runs like the genuine one, so integrity failures are often found only after the damage is done.
Safer examples
1) Avoid curl | bash and verify artifacts
- Prefer OS or language package managers and signed releases over ad-hoc downloads.
- Download to a file, verify its checksum against a digest pinned in your repo (and the publisher's signature where one exists), and only then execute or install it.
2) Lock down CI/CD and build outputs
- Use protected branches with required reviews, so a single compromised account cannot land a build change alone.
- Require CI checks to pass before merge.
- Pin third-party CI actions and build images by digest rather than by mutable tag.
- Store build artifacts with provenance/attestations when possible, so consumers can check what built them and from which source.
3) Generate SBOMs and keep lockfiles
Lockfiles make dependency resolution reproducible, and an SBOM records what is actually inside a release, so when a dependency incident happens you can answer "are we affected, and where?" quickly (see SBOM01 / DEP01).
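The "download, verify, then install" pattern from item 1 in working form. This is an added example written for this page, not SiteShadow's own tooling: it hashes the downloaded file, compares it against a digest pinned in your repo (or looked up in the publisher's SHA256SUMS-style file), and installs only on a match. The host example.invalid, the file names and the digests are placeholders, not a real release.

```bash
#!/usr/bin/env bash
# Added example (not SiteShadow's code): download-to-file, verify, then
# install, replacing `curl ... | bash`. The URL, file name and the 64-hex
# digests used here are placeholders; real values come from the publisher's
# signed release data and are pinned in your own repo.
set -eu

# SHA-256 of a file, portable across GNU (sha256sum) and BSD/macOS (shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Compare FILE's digest with EXPECTED (lowercase hex). Returns 0 on match,
# 1 on mismatch, so callers can gate installation on it.
verify_sha256() {
  local file="$1" expected="$2" actual
  actual="$(sha256_of "$file")"
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "checksum mismatch for $file: got $actual, want $expected" >&2
  return 1
}

# Look up FILE's basename in a published SHA256SUMS-style file
# ("<hex>  <name>" or "<hex> *<name>" per line) and verify against it.
# Returns 1 if the name is absent or the digest does not match.
verify_against_sums() {
  local file="$1" sums="$2" name expected
  name="$(basename "$file")"
  expected="$(awk -v n="$name" '$2 == n || $2 == ("*" n) {print $1; exit}' "$sums")"
  if [ -z "$expected" ]; then
    echo "no entry for $name in $sums" >&2
    return 1
  fi
  verify_sha256 "$file" "$expected"
}

# Fetch URL to a temp file, verify it against EXPECTED, and only then
# install to DEST. The downloaded stream never reaches a shell.
fetch_verified() {
  local url="$1" expected="$2" dest="$3" tmp
  tmp="$(mktemp)"
  # BAD (what this replaces):  curl -fsSL "$url" | bash
  curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"
  if ! verify_sha256 "$tmp" "$expected"; then
    rm -f "$tmp"
    return 1
  fi
  install -m 0755 "$tmp" "$dest"
  rm -f "$tmp"
}

# Usage (placeholder host and digest, not a real release):
#   fetch_verified https://example.invalid/tool-v1.2.3-linux-amd64 \
#     5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 /usr/local/bin/tool
```

A checksum only proves the bytes match the digest you pinned; if you copied that digest from the same page an attacker could edit, it proves little. Where the publisher signs the SHA256SUMS file, verify that signature first (for example with `gpg --verify` or `cosign verify-blob`) and only then trust the digests inside it.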
How SiteShadow detects it (high level)
- Flags high-risk patterns in build scripts and Dockerfiles (downloads that are never verified, install commands that pipe a download into a shell or skip hash checks).
- Looks for missing "gate" signals (e.g., a dependency manifest with no lockfile, no SBOM, or risky CI patterns where they can be detected).
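An added illustration of the kind of rules described above, written for this page rather than taken from SiteShadow: it scans a constructed Dockerfile for the high-risk install patterns and a constructed project directory for missing gate signals (lockfile, hash-pinned requirements, SBOM). The sample hosts, digests and SBOM file names are assumptions, and the sample places each risky line beside its hardened equivalent so you can see which form each rule accepts.

```bash
#!/usr/bin/env bash
# Added example, not SiteShadow's actual rules: a small detector for the
# build-file patterns and missing "gate" signals described above, run over
# a constructed Dockerfile and a constructed project directory. Hosts,
# digests and SBOM file names in the samples are placeholders/assumptions.
set -eu

# Helpers for scan_build_file; they read its $line/$n/$hits, which a called
# shell function can see and modify.
matches() { printf '%s\n' "$line" | grep -Eq -e "$1"; }
hit() { printf '%s:%d:%s\n' "$1" "$n" "$line"; hits=$((hits + 1)); }

# Scan one build file (Dockerfile, CI script, Makefile). Prints
# "RULE:lineno:text" per finding and returns 1 if anything was found.
scan_build_file() {
  local file="$1" line n=0 hits=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in '#'*) continue ;; esac   # skip comments
    # Download streamed straight into an interpreter (curl | bash, wget | sudo sh).
    if matches '(curl|wget)[^|]*[|][[:space:]]*(sudo[[:space:]]+)?(ba|z|da|k)?sh([[:space:]]|$)'; then
      hit PIPE_TO_SHELL
    fi
    # Remote ADD with no pinned digest (BuildKit supports ADD --checksum=sha256:...).
    if matches '^ADD[[:space:]].*https?://' && ! matches '--checksum='; then
      hit REMOTE_ADD_NO_CHECKSUM
    fi
    # Base image by mutable tag instead of an immutable @sha256 digest.
    if matches '^FROM[[:space:]]' && ! matches '@sha256:'; then
      hit UNPINNED_BASE_IMAGE
    fi
    # pip without hash pinning; npm install tolerates lockfile drift that npm ci rejects.
    if matches 'pip3?[[:space:]]+install' && ! matches '--require-hashes'; then
      hit PIP_NO_HASHES
    fi
    if matches 'npm[[:space:]]+install([[:space:]]|$)'; then
      hit NPM_INSTALL_NOT_CI
    fi
  done <"$file"
  [ "$hits" -eq 0 ]
}

# Missing-gate signals for a project directory: manifest without lockfile,
# unpinned Python requirements, no SBOM. Returns 1 if anything was found.
check_lockfile_gate() {
  local dir="$1" hits=0
  if [ -f "$dir/package.json" ] && [ ! -f "$dir/package-lock.json" ] \
     && [ ! -f "$dir/yarn.lock" ] && [ ! -f "$dir/pnpm-lock.yaml" ]; then
    echo "NO_LOCKFILE:$dir:package.json without a lockfile"; hits=$((hits + 1))
  fi
  if [ -f "$dir/go.mod" ] && [ ! -f "$dir/go.sum" ]; then
    echo "NO_LOCKFILE:$dir:go.mod without go.sum"; hits=$((hits + 1))
  fi
  if [ -f "$dir/requirements.txt" ] && ! grep -q -e '--hash=' "$dir/requirements.txt"; then
    echo "UNPINNED_REQUIREMENTS:$dir:requirements.txt has no --hash= entries"; hits=$((hits + 1))
  fi
  if [ ! -f "$dir/bom.json" ] && [ ! -f "$dir/sbom.spdx.json" ] && [ ! -f "$dir/sbom.cdx.json" ]; then
    echo "NO_SBOM:$dir:no bom.json / sbom.spdx.json / sbom.cdx.json (assumed names)"; hits=$((hits + 1))
  fi
  [ "$hits" -eq 0 ]
}

# Constructed samples: risky forms first, then hardened equivalents the rules should pass.
write_sample_dockerfile() {
  cat >"$1" <<'EOF'
# --- risky ---
FROM python:3.12-slim
ADD https://example.invalid/tool.tar.gz /opt/tool.tar.gz
RUN curl -fsSL https://example.invalid/install.sh | bash
RUN pip install -r requirements.txt
RUN npm install
# --- hardened equivalents ---
FROM python:3.12-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
ADD --checksum=sha256:1111111111111111111111111111111111111111111111111111111111111111 https://example.invalid/tool.tar.gz /opt/tool.tar.gz
RUN curl -fsSLo /tmp/tool https://example.invalid/tool && echo "2222222222222222222222222222222222222222222222222222222222222222  /tmp/tool" | sha256sum -c -
RUN pip install --require-hashes -r requirements.txt
RUN npm ci
EOF
}
write_sample_project() {
  mkdir -p "$1"
  printf '{"name":"demo","dependencies":{"example-dep":"^1.0.0"}}\n' >"$1/package.json"
  printf 'requests==2.32.3\n' >"$1/requirements.txt"
  printf 'module example.invalid/demo\n\ngo 1.22\n' >"$1/go.mod"
}

# Stand-alone demo over the constructed inputs.
demo() {
  local d; d="$(mktemp -d)"
  write_sample_dockerfile "$d/Dockerfile"
  write_sample_project "$d/app"
  scan_build_file "$d/Dockerfile" || echo "Dockerfile: integrity findings above"
  check_lockfile_gate "$d/app" || echo "app/: missing gates above"
  rm -rf "$d"
}
demo
```

Run on the sample it reports five findings for the risky half of the Dockerfile and none for the hardened half, plus four missing gates for the project directory. It works line by line, so a real scanner also has to join backslash-continued RUN commands and resolve variables before matching; the SBOM file names are only the convention assumed here.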
References
- OWASP Top 10, A08:2021 Software and Data Integrity Failures: https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/
---