Summary
The build and install path fetches executable content from mutable remote sources without integrity verification.
Evidence
compose/phpfpm/phpfpm:4 downloads install-php-extensions from a mutable latest URL.
configs/installer/nextcloud_setup_default.sh:76-81 downloads the Nextcloud release tarball without checksum or signature verification.
compose/notifypush/notifypush:16-18 clones notify_push by tag and builds it without pinning a commit or verifying provenance.
Risk
A compromised upstream release, a moved or re-pointed tag, a compromised or misconfigured CDN, or a maintainer account takeover can turn a routine build or install into arbitrary code execution inside the deployment pipeline, because nothing in the current fetch steps would detect that the content changed.
Suggested Remediation
- Pin immutable versions for every fetched artifact.
- Verify checksums and signatures for downloaded release assets.
- Build notify_push from a pinned commit or a verified release archive.
- Avoid latest in executable download URLs.
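The remediation above, as an added example that is not code from the audited repository: a small POSIX shell helper set that fetches a release asset at a pinned version, refuses to keep it unless its SHA-256 matches a digest recorded in the build context, and clones a git repository at a full commit hash rather than a tag (verifying that HEAD actually resolved to that hash). The URL, version, digest and repository values are placeholders to be replaced with the real pinned values; the sha256sum/shasum fallback is an assumption about the build image's tooling.

```shell
#!/bin/sh
# Added example (not from the audited repo): pinned, integrity-checked fetches
# for use in Dockerfiles and installer scripts.
set -eu

# Print the SHA-256 hex digest of FILE. Assumes either coreutils sha256sum or
# perl shasum is present in the build image.
digest_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 if FILE hashes to EXPECTED (lower-case hex), 1 otherwise.
verify_sha256() {
  file=$1
  expected=$2
  actual=$(digest_sha256 "$file")
  [ "$actual" = "$expected" ]
}

# Download URL to DEST and verify it against EXPECTED. On mismatch the file is
# deleted so a later build step cannot pick up the unverified artifact.
# --proto '=https' forces HTTPS and blocks redirects to other schemes.
fetch_verified() {
  url=$1
  dest=$2
  expected=$3
  curl -fsSL --proto '=https' --tlsv1.2 -o "$dest" "$url"
  if ! verify_sha256 "$dest" "$expected"; then
    echo "checksum mismatch for $url" >&2
    rm -f "$dest"
    return 1
  fi
}

# Clone REPO into DEST and check out COMMIT, which must be a full 40-hex SHA.
# Tags can be moved; a commit hash cannot, so we compare rev-parse HEAD to it.
clone_pinned() {
  repo=$1
  commit=$2
  dest=$3
  case $commit in
    *[!0-9a-f]*) echo "commit must be lower-case hex: $commit" >&2; return 1 ;;
  esac
  [ "${#commit}" -eq 40 ] || { echo "commit must be a full 40-char SHA" >&2; return 1; }
  git clone --quiet "$repo" "$dest"
  git -C "$dest" checkout --quiet "$commit"
  head=$(git -C "$dest" rev-parse HEAD)
  if [ "$head" != "$commit" ]; then
    echo "HEAD $head does not match pinned commit $commit" >&2
    rm -rf "$dest"
    return 1
  fi
}

# Placeholder values; replace with the real pinned version, URL and digest
# recorded alongside the Dockerfile (e.g. in a checked-in .sha256 file).
INSTALL_PHP_EXT_VERSION="PINNED_VERSION"
INSTALL_PHP_EXT_URL="https://example.invalid/install-php-extensions/${INSTALL_PHP_EXT_VERSION}/install-php-extensions"
INSTALL_PHP_EXT_SHA256="0000000000000000000000000000000000000000000000000000000000000000"
```

Usage in a build step would be `fetch_verified "$INSTALL_PHP_EXT_URL" /usr/local/bin/install-php-extensions "$INSTALL_PHP_EXT_SHA256"` followed by `chmod +x`, and `clone_pinned https://example.invalid/notify_push.git <full-commit-sha> /src/notify_push` for the notify_push build. The digest should be taken from the upstream release's published checksum (or computed once from a signature-verified download) and committed next to the Dockerfile, so a changed artifact fails the build instead of being executed.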