Automate SRI Hash Generation in CI/CD

Q: Automate SRI Hash Generation in CI/CD

## Automating SRI Hash Generation Manual SRI hash generation is error-prone and does not scale. As your application grows and dependencies are updated, automating hash generation in your build pipeline ensures that integrity attributes are always correct and up to date. ### Command-Line Generation The simplest automation approach uses standard Unix tools: bash #!/bin/bash # generate-sri.sh FILE_URL="$1" HASH=$(curl -s "$FILE_URL" | openssl dgst -sha384 -binary | openssl base64 -A) echo "sha3

Automate SRI hash generation in your CI/CD pipeline using build tools, webpack plugins, and shell scripts. Never manually compute or copy-paste integrity hashes again.

Best Practices

Detailed Explanation

Automating SRI Hash Generation

Manual SRI hash generation is error-prone and does not scale. As your application grows and dependencies are updated, automating hash generation in your build pipeline ensures that integrity attributes are always correct and up to date.

Command-Line Generation

The simplest automation approach uses standard Unix tools:

#!/bin/bash
# generate-sri.sh
FILE_URL="$1"
HASH=$(curl -s "$FILE_URL" | openssl dgst -sha384 -binary | openssl base64 -A)
echo "sha384-$HASH"

Webpack Plugin: webpack-subresource-integrity

For Webpack-based projects, the webpack-subresource-integrity plugin automatically computes and injects SRI hashes into all generated <script> and <link> tags:

// webpack.config.js
const { SubresourceIntegrityPlugin } = require('webpack-subresource-integrity');

module.exports = {
  output: { crossOriginLoading: 'anonymous' },
  plugins: [
    new SubresourceIntegrityPlugin({
      hashFuncNames: ['sha384'],
      enabled: process.env.NODE_ENV === 'production'
    })
  ]
};

Vite Configuration

Vite does not have a built-in SRI plugin, but you can use vite-plugin-sri:

// vite.config.js
import sri from 'vite-plugin-sri';
export default {
  plugins: [sri({ algorithm: 'sha384' })]
};

Node.js Script for CDN Dependencies

For external CDN resources, a Node.js script can fetch and hash files:

const crypto = require('crypto');
const https = require('https');

function generateSRI(url) {
  return new Promise((resolve) => {
    https.get(url, (res) => {
      const chunks = [];
      res.on('data', (chunk) => chunks.push(chunk));
      res.on('end', () => {
        const hash = crypto
          .createHash('sha384')
          .update(Buffer.concat(chunks))
          .digest('base64');
        resolve(`sha384-${hash}`);
      });
    });
  });
}

GitHub Actions Integration

# .github/workflows/verify-sri.yml
name: Verify SRI Hashes
on: [push, pull_request]
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: node scripts/verify-sri-hashes.js

Pre-commit Hook

Use a Git pre-commit hook to verify SRI hashes before every commit:

#!/bin/bash
# .git/hooks/pre-commit
if grep -r 'integrity="sha' src/ | grep -v 'sha384-'; then
  echo "WARNING: Non-SHA384 integrity hashes found"
  exit 1
fi

Key Principles

Generate, do not copy-paste — always compute hashes from the actual file content
Version-control hashes — store generated hashes in your repository for auditability
Fail the build on mismatch — if a hash cannot be verified, the build should fail
Regenerate on every dependency update — integrate hash generation into your npm update workflow

Use Case

CI/CD automation for SRI is essential for teams managing more than a handful of external dependencies. Build tools like Webpack and Vite can handle self-hosted assets, while custom scripts handle CDN dependencies. Automated verification in CI prevents deployment of pages with incorrect or missing integrity attributes.

Try It — SRI Hash Generator

Open full tool →