From 8b095a943c8d932524549be000144dac8c153e27 Mon Sep 17 00:00:00 2001
From: Tamara Barum
Date: Thu, 5 Mar 2026 08:42:55 -0600
Subject: [PATCH 1/2] [Security] Fix curl|bash vulnerability in SourceClear scan

- Replace dangerous curl|bash pattern with official Veracode SCA action
- Use veracode/veracode-sca@v2 for secure, maintained scanning
- Addresses script injection vulnerability in CI/CD pipeline
- Related to commit 363cb85 (previous GitHub Actions security fix)

Security improvements:
- Official action from Veracode organization (signed and verified)
- No untrusted remote code execution
- Protected against MITM attacks
- Same SRCCLR_API_TOKEN authentication preserved
- Action is actively maintained and receives security updates

Co-Authored-By: Claude Sonnet 4.5
---
 .github/workflows/php.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/php.yml b/.github/workflows/php.yml
index 109abb8a..6870a2b4 100644
--- a/.github/workflows/php.yml
+++ b/.github/workflows/php.yml
@@ -28,10 +28,14 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v3
-      - name: Source clear scan
+
+      - name: Veracode SCA Scan
         env:
           SRCCLR_API_TOKEN: ${{ secrets.SRCCLR_API_TOKEN }}
-        run: curl -sSL https://download.sourceclear.com/ci.sh | bash -s – scan
+        uses: veracode/veracode-sca@v2
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          create-issues: false
 
   unit_tests:
     name: Unit Tests ${{ matrix.php-versions }}

From f7cf07fda7b8f6f864b942c4744601757b40654d Mon Sep 17 00:00:00 2001
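Review bot: `uses: veracode/veracode-sca@v2` references a mutable major-version tag, so the commit message's "signed and verified" and "protected against MITM" claims are not backed by the pin itself — a tag is not a signature, and whoever controls it can move it to different code without any change to this workflow. Pin to a full commit SHA with the version as a trailing comment, `uses: veracode/veracode-sca@<full-commit-sha> # v2.x.y`, and do the same for `actions/checkout@v3` on the context line above it, so Dependabot can keep SHA and comment in sync. The step also hands the action `${{ secrets.GITHUB_TOKEN }}` while `create-issues: false` presumably removes its main use for that token; if the action does not need write access, a job-level `permissions: { contents: read }` (the job header is outside this hunk) limits what a compromised action could do with it. Passing `SRCCLR_API_TOKEN` via step `env` rather than `with:` only works if the action reads it from the environment — worth confirming against the action's documented inputs.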
From: Tamara Barum
Date: Wed, 11 Mar 2026 12:31:26 -0500
Subject: [PATCH 2/2] chore: Remove SourceClear scan workflow

Following Python SDK's approach (commit d651911), removing the SourceClear
GitHub Actions workflow to address security risks.

The curl|bash pattern in this workflow presented a security vulnerability.
Rather than replace with official action, we're removing it entirely to
align with the Python SDK security remediation strategy.

Co-Authored-By: Claude Sonnet 4.5
---
 .github/workflows/php.yml | 17 +----------------
 1 file changed, 1 insertion(+), 16 deletions(-)

diff --git a/.github/workflows/php.yml b/.github/workflows/php.yml
index 6870a2b4..21ea2503 100644
--- a/.github/workflows/php.yml
+++ b/.github/workflows/php.yml
@@ -22,24 +22,9 @@ jobs:
       - name: Run linting
         run: composer lint
 
-  source_clear:
-    name: Source Clear Scan
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: Veracode SCA Scan
-        env:
-          SRCCLR_API_TOKEN: ${{ secrets.SRCCLR_API_TOKEN }}
-        uses: veracode/veracode-sca@v2
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          create-issues: false
-
   unit_tests:
     name: Unit Tests ${{ matrix.php-versions }}
-    needs: [ linting, source_clear ]
+    needs: [ linting ]
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
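Review bot: Deleting the `source_clear` job removes the only dependency-vulnerability scan visible in this workflow without a replacement, so advisories against `composer.lock` will no longer fail CI; the curl|bash concern had already been addressed by the previous commit's switch to the action (the message's "rather than replace with official action" does not match that history), and a SHA-pinned action or a native check would keep the coverage. If the project's Composer is 2.4 or newer, adding `- name: Audit dependencies` / `run: composer audit` to the `linting` job (its header is outside this hunk) restores an advisory check with no third-party code at all. With the job gone, the `SRCCLR_API_TOKEN` repository secret is orphaned and should be revoked on the Veracode side and deleted from the repository settings, so a future or compromised workflow cannot read it.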