GitHub Action evaluates curl's output

Avoid directly evaluating the output of a curl command (for example, piping it straight into eval, sh, or source). Where possible, download the script to a file first and verify its integrity by comparing its digest to a known value, so that an unexpected change to the script is detected before it runs.


Insecure Example

# Whatever the remote host serves is executed immediately, with no way to check it first.
# $SCRIPT_URL is a placeholder for the script's address.
eval "$(curl -s "$SCRIPT_URL")"

Secure Example

# Download to a file, then check its SHA-256 digest against the pinned value before sourcing it.
# $SCRIPT_URL is a placeholder for the script's address; the digest below is elided on the page.
curl -s "$SCRIPT_URL" > script.sh
echo "af986793a51...  script.sh" | sha256sum --check && source script.sh
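The download-then-verify pattern, as an added shell example that is not part of the original rule page. It assumes GNU coreutils sha256sum and curl are available; SCRIPT_URL and the pinned digest are placeholders the workflow author sets. The demo uses a constructed local script instead of a network download so it runs offline, and shows the failure mode the rule is about: a script modified after its digest was pinned is refused.

```shell
#!/bin/sh
# Added example (not the rule page's own code): fetch to a file, verify the
# digest against a pinned value, and only then source the script.
# Assumptions: GNU sha256sum and curl; $SCRIPT_URL is a placeholder.

# fetch_script URL DEST: download to a file instead of piping into eval/source.
fetch_script() {
    curl --fail --silent --show-error --location "$1" --output "$2"
}

# verify_digest FILE EXPECTED_SHA256: returns 0 only if FILE's SHA-256 matches.
verify_digest() {
    file="$1"
    expected="$2"
    # sha256sum --check reads "<hex>  <path>" (two spaces) lines from stdin;
    # --status suppresses output and signals mismatch via the exit code.
    printf '%s  %s\n' "$expected" "$file" | sha256sum --check --status
}

# verify_and_source FILE EXPECTED_SHA256: source FILE only after the check passes.
verify_and_source() {
    if verify_digest "$1" "$2"; then
        # shellcheck disable=SC1090
        . "$1"
        return 0
    fi
    echo "digest mismatch for $1; refusing to source it" >&2
    return 1
}

# Demo with a constructed local script (no network) so it runs offline.
demo() {
    tmp="$(mktemp -d)"
    script="$tmp/setup.sh"
    printf 'GREETING="hello from verified script"\n' > "$script"
    # In a real workflow this digest is pinned in the workflow file, not computed at run time.
    pinned="$(sha256sum "$script" | cut -d' ' -f1)"
    verify_and_source "$script" "$pinned" && echo "$GREETING"

    # Simulate the script changing after its digest was pinned.
    printf 'GREETING="tampered"\n' >> "$script"
    if verify_and_source "$script" "$pinned"; then
        echo "BUG: modified script was sourced"
    else
        echo "modified script rejected"
    fi
    rm -rf "$tmp"
}

demo
```

In a GitHub Actions step, the pinned digest belongs in the workflow file next to the URL, so any change to the remote script fails the step instead of silently running new code.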