fix(security): pin pip dependencies by hash for reproducible builds #40
Merged
Address Scorecard PinnedDependenciesID alerts for pipCommand findings:
- Generate hash-locked .lock files via pip-compile (pip-tools)
  - requirements.lock (runtime deps)
  - requirements-dev.lock (test deps)
  - requirements-ci.lock (CI tools: ruff, pip-audit, pip-tools)
- Update Dockerfile and CI workflow to install with --require-hashes
- Add 'make lock-deps' target to regenerate lock files when source requirements files change

.txt files remain as the human-edited source of truth; .lock files are generated from them and contain SHA256 hashes for every transitive dependency. This satisfies Scorecard's pip pinning checks and ensures bit-for-bit reproducible builds.
Summary
Resolves the 6 remaining Scorecard PinnedDependenciesID alerts that flagged unpinned pip install commands.
Changes
- `pip-compile --generate-hashes`:
  - `requirements.lock` (runtime deps)
  - `requirements-dev.lock` (test deps)
  - `requirements-ci.lock` (CI tools: ruff, pip-audit, pip-tools)
- `--require-hashes`, which causes pip to refuse any package that doesn't match the recorded SHA256 hash
- `make lock-deps` target to regenerate locks when source `.txt` files change
Workflow
- `.txt` files: human-edited source of truth (top-level deps with version pins)
- `.lock` files: generated, contain SHA256 hashes for every transitive dependency
- `.txt`; running `make lock-deps` regenerates `.lock`
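Added example, not part of this pull request or the project's code: a pre-merge check that parses a lock file in `pip-compile --generate-hashes` layout and reports entries lacking an exact `==` pin or a SHA256 hash, the two things `--require-hashes` depends on. The names `audit_lock`, `logical_lines` and `SAMPLE_LOCK` are hypothetical, and the sample versions and digests are constructed.

```python
import re

HASH_RE = re.compile(r"--hash=sha256:[0-9a-f]{64}\b")
PIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(?:\[[^\]]+\])?==[^\s;]+")

def logical_lines(text):
    """Join backslash continuations; drop blank lines and comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = re.sub(r"\s+#.*$", "", line)  # trailing comment
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield (buf + line).strip()
        buf = ""
    if buf.strip():
        yield buf.strip()

def audit_lock(text):
    """Return [(requirement, problem)] for entries without a pin or hash."""
    problems = []
    for entry in logical_lines(text):
        if entry.startswith("-"):  # file-level option such as --index-url
            continue
        req = entry.split()[0]
        if not PIN_RE.match(entry):
            problems.append((req, "not pinned with =="))
        if not HASH_RE.search(entry):
            problems.append((req, "no sha256 hash"))
    return problems

FAKE = "0" * 64  # constructed placeholder digest, not a real package hash
SAMPLE_LOCK = f"""\
# constructed sample in pip-compile --generate-hashes layout
--index-url https://pypi.org/simple
certifi==2024.2.2 \\
    --hash=sha256:{FAKE} \\
    --hash=sha256:{FAKE}
    # via requests
requests==2.31.0
urllib3>=2.0 \\
    --hash=sha256:{FAKE}
"""

if __name__ == "__main__":
    for req, problem in audit_lock(SAMPLE_LOCK):
        print(f"{req}: {problem}")
```

Run against each generated `.lock` file in CI, a non-empty result signals a hand-edited or stale lock before the hash-enforcing install step is reached.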