salesforce-developer

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The GitHub Actions and other CI steps download and execute the Salesforce CLI at runtime from the URL https://developer.salesforce.com/media/salesforce-cli/sf/channels/stable/sf-linux-x64.tar.xz (wget, extract, then run ./sfdx/bin/sf), which is a remote binary fetched and executed as a required CI dependency.