fix(ci): Fix alpine auto-detection in install-snyk.py

[PeterSchafer]

Pull Request Submission Checklist

• Follows CONTRIBUTING guidelines
• Commit messages
  are release-note ready, emphasizing
  what was changed, not how.
• Includes detailed description of changes
• Contains risk assessment (Low | Medium | High)
• Highlights breaking API changes (if applicable)
• Links to automated tests covering new functionality
• Includes manual testing instructions (if necessary)
• Updates relevant GitBook documentation (PR link: ___)
• Includes product update to be announced in the next stable release notes

What does this PR do?

This PR fixes the alpine auto-detection in install-snyk.py, which would fail in case you install musl tools on a debian.

Where should the reviewer start?

How should this be manually tested?

What's the product update that needs to be communicated to CLI users?

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[snyk-pr-review-bot]

PR Reviewer Guide 🔍

🧪 No relevant tests

🔒 No security concerns identified

⚡ Recommended focus areas for review Brittle Alpine Detection 🟠 [major] The implementation of is_alpine() uses a simple substring check "id=alpine" in content. This is fragile because the /etc/os-release specification allows values to be enclosed in double quotes (e.g., ID="alpine"). If quotes are used, the substring match will fail, leading the script to download the glibc-linked snyk-linux binary on an Alpine system. This binary will not execute on Alpine, breaking the installer for those users. Consider using a more robust check that handles optional quotes and ensures it is matching the ID key specifically. return "id=alpine" in content

📚 Repository Context Analyzed This review considered 7 relevant code sections from 6 files (average relevance: 0.80) scripts/download_go.py (lines 1-151) CONTRIBUTING.md (2 segments, lines 1-218) binary-deployments.json (lines 1-18) dangerfile.js (lines 1-111) release-scripts/validate-npm-artifacts.sh (lines 1-16) scripts/install-snyk.py (lines 1-223)

[robertolopezlopez]

Yes of course, it would be more resilient. But does the formatting of this file ever change?

…

On Tue, May 12, 2026 at 10:15 AM snyk-pr-review-bot[bot] < ***@***.***> wrote: *snyk-pr-review-bot[bot]* left a comment (snyk/cli#6793) <#6793 (comment)> PR Reviewer Guide 🔍 🧪 *No relevant tests* 🔒 *No security concerns identified* ⚡ *Recommended focus areas for review* *Brittle Alpine Detection* <https://github.com/snyk/cli/pull/6793/changes#diff-e54e60f86d717e79a415a29512bd0b3d894357ff9a0321f294000bb7fcd4f682R148-R148> 🟠 *[major]* The implementation of is_alpine() uses a simple substring check "id=alpine" in content. This is fragile because the /etc/os-release specification allows values to be enclosed in double quotes (e.g., ID="alpine"). If quotes are used, the substring match will fail, leading the script to download the glibc-linked snyk-linux binary on an Alpine system. This binary will not execute on Alpine, breaking the installer for those users. Consider using a more robust check that handles optional quotes and ensures it is matching the ID key specifically. return "id=alpine" in content 📚 *Repository Context Analyzed* *This review considered 7 relevant code sections from 6 files (average relevance: 0.80)* - scripts/download_go.py <https://github.com/snyk/cli/blob/1c27f45e0c783433cfd1a5e06d6c143f1a2a0354/scripts/download_go.py/#L1-L151> (lines 1-151) - CONTRIBUTING.md <https://github.com/snyk/cli/blob/1c27f45e0c783433cfd1a5e06d6c143f1a2a0354/CONTRIBUTING.md/#L1-L218> (2 segments, lines 1-218) - binary-deployments.json <https://github.com/snyk/cli/blob/1c27f45e0c783433cfd1a5e06d6c143f1a2a0354/binary-deployments.json/#L1-L18> (lines 1-18) - dangerfile.js <https://github.com/snyk/cli/blob/1c27f45e0c783433cfd1a5e06d6c143f1a2a0354/dangerfile.js/#L1-L111> (lines 1-111) - release-scripts/validate-npm-artifacts.sh <https://github.com/snyk/cli/blob/1c27f45e0c783433cfd1a5e06d6c143f1a2a0354/release-scripts/validate-npm-artifacts.sh/#L1-L16> (lines 1-16) - scripts/install-snyk.py <https://github.com/snyk/cli/blob/1c27f45e0c783433cfd1a5e06d6c143f1a2a0354/scripts/install-snyk.py/#L1-L223> (lines 1-223) — Reply to this email directly, view it on GitHub <#6793 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AALS625LJVRAA276GIM6RTT42LMT5AVCNFSM6AAAAACYZJ74F6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DIMRYGYYDAMZWGI> . You are receiving this because your review was requested.Message ID: ***@***.***>