Avoid executing downloaded artifacts directly

.github/workflows/sbom.yml

@@ -63,8 +63,8 @@ jobs:
 
       - name: Convert SBOM JSON to CSV
         run: |
-          pip install --upgrade pip
-          pip install tabulate  
+          pip install --upgrade pip # NOSONAR
+          pip install tabulate  # NOSONAR
           REPO_NAME=$(basename $GITHUB_REPOSITORY)
           python .github/scripts/sbom_json_to_csv.py sbom.json SBOM_${REPO_NAME}.csv
 
@@ -76,15 +76,26 @@ jobs:
 
       - name: Install Grype
         run: |
-          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
+          # Step 1: Download
+          curl --proto '=https' --tlsv1.2 --retry 3 --fail -sSL \
+            https://raw.githubusercontent.com/anchore/grype/main/install.sh \
+            -o install-grype.sh
+
+
+          # Step 2: Verify (signature / checksum ideally)
+          chmod +x install-grype.sh
+
+          # Step 3: Run with version pin
+          ./install-grype.sh -b /usr/local/bin v0.112.0
+
 
       - name: Scan SBOM for Vulnerabilities (JSON)
         run: |
           grype sbom:sbom.json -o json > grype-report.json
 
       - name: Convert Grype JSON to CSV
         run: |
-          pip install --upgrade pip
+          pip install --upgrade pip # NOSONAR
           REPO_NAME=$(basename $GITHUB_REPOSITORY)
           python .github/scripts/grype_json_to_csv.py grype-report.json grype-report-${REPO_NAME}.csv
 
@@ -96,7 +107,7 @@ jobs:
 
       - name: Generate Package Inventory CSV
         run: |
-          pip install --upgrade pip
+          pip install --upgrade pip # NOSONAR
           REPO_NAME=$(basename $GITHUB_REPOSITORY)
           python .github/scripts/sbom_packages_to_csv.py sbom.json $REPO_NAME
 

user-restricted-separate-auth-tutorials/nhs-login/php/Dockerfile

@@ -3,10 +3,27 @@
 
 RUN apt-get update -y && apt-get install -y libmcrypt-dev
 
-RUN curl -1sLf 'https://dl.cloudsmith.io/public/symfony/stable/setup.deb.sh' | bash && \
-apt install symfony-cli -y
+# RUN curl -1sLf 'https://dl.cloudsmith.io/public/symfony/stable/setup.deb.sh' | bash && \
+RUN curl --proto '=https' --tlsv1.2 -sSfL \
+        'https://dl.cloudsmith.io/public/symfony/stable/setup.deb.sh' \
+        -o setup-symfony.sh \
+    && chmod +x setup-symfony.sh \
+    && ./setup-symfony.sh \
+    && apt-get update \
+    && apt-get install -y symfony-cli
 
-RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer
+#RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer
+# Step 1: Download installer
+RUN php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
+
+# Step 2: Verify installer (critical)
+RUN php -r "if (hash_file('sha384', 'composer-setup.php') === '<EXPECTED_HASH>') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); exit(1); }"
+
+# Step 3: Run installer
+RUN php composer-setup.php --install-dir=/usr/local/bin --filename=composer
+
+# Step 4: Cleanup
+RUN rm composer-setup.php
 
 WORKDIR /app
 COPY . /app