
hardening: pin dependencies, Docker images, and CI actions #294

Merged: itsDNNS merged 6 commits into main from hardening/supply-chain on Mar 26, 2026

hardening: pin dependencies, Docker images, and CI actions#294
itsDNNS merged 6 commits intomainfrom
hardening/supply-chain

Conversation

@itsDNNS (Owner) commented Mar 26, 2026

Summary

Supply chain hardening to prevent dependency confusion and compromised package attacks (ref: recent litellm/Trivy incident).

Changes

  • Docker base image: Pin python:3.12-slim to SHA256 digest instead of mutable tag
  • GitHub Actions: Pin all 7 actions to commit SHAs (with version comments for readability)
  • Python dependencies: Replace loose >= constraints with exact versions + cryptographic hashes via pip-compile
    • New requirements.in contains the human-editable constraints
    • requirements.txt is now the machine-generated lockfile with hashes
    • Both Dockerfile and CI use --require-hashes to enforce hash verification
  • CI hardening:
    • New pip-audit job detects known vulnerabilities on every push/PR
    • Default workflow permissions set to contents: read (principle of least privilege)
  • Dependabot: Configured for pip, GitHub Actions, and Docker updates (weekly schedule)

Updating dependencies

To update dependencies after this change:

pip install pip-tools
pip-compile --generate-hashes --strip-extras --no-header requirements.in

Risk

Low. No application logic changed. Docker builds will fail if a dependency hash doesn't match, which is the intended behavior.

Test plan

  • CI test job passes with --require-hashes
  • CI audit job runs pip-audit successfully
  • Docker image builds correctly with pinned base image
  • Dependabot creates its first batch of PRs after merge
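The two kinds of pin this PR introduces (exact `==` versions with `--hash=sha256` options that `--require-hashes` enforces at install time, and actions referenced by a full commit SHA instead of a mutable tag) can be checked statically before CI runs. The following is an added example, not code from this PR or the project: two small checkers run over constructed sample inputs, where the lockfile hashes and the 40-character SHA are placeholders rather than real digests.

```python
"""Static checks for the pins described in PR #294 (added example, not the
project's code): every entry in a pip-compile lockfile must be an exact == pin
carrying a --hash=sha256 option, and every workflow `uses:` must reference a
full 40-hex commit SHA rather than a mutable tag. Sample inputs are constructed."""
import re

HASH_RE = re.compile(r"--hash=sha256:[0-9a-f]{64}\b")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


def check_requirements_hashes(text):
    """Return (requirement, reason) for every lockfile entry that is not an exact
    == pin or carries no sha256 hash; an empty list means --require-hashes will
    be satisfied for the listed packages."""
    problems = []

    def finish(logical):
        req = logical.split()[0]
        if req.startswith("-"):          # e.g. --index-url: an option, not a package
            return
        if "==" not in req:
            problems.append((req, "not an exact == pin"))
        elif not HASH_RE.search(logical):
            problems.append((req, "no --hash=sha256"))

    logical = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and pip-compile "# via" comments
        if line.endswith("\\"):           # continuation: hashes follow on later lines
            logical += line[:-1] + " "
            continue
        finish(logical + line)
        logical = ""
    if logical.strip():                   # dangling continuation at end of file
        finish(logical)
    return problems


def check_actions_pinned(workflow_text):
    """Return `uses:` references not pinned to a 40-hex commit SHA. Local actions
    (./path) and docker:// images have no git ref to pin and are skipped; a tag
    such as @v5 is mutable and can be repointed at different code."""
    unpinned = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("\"'")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref or not SHA_RE.match(ref.rsplit("@", 1)[1]):
            unpinned.append(ref)
    return unpinned


# Constructed sample lockfile; the hashes are placeholders, not real digests.
SAMPLE_REQUIREMENTS = """\
--index-url https://pypi.org/simple
flask==3.1.0 \\
    --hash=sha256:{h} \\
    --hash=sha256:{h}
    # via -r requirements.in
urllib3==2.2.3
    # via -r requirements.in
requests>=2.0
    # via -r requirements.in
""".format(h="ab" * 32)

# Constructed sample workflow; the SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{sha}  # v4
      - uses: actions/setup-python@v5
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.20
""".format(sha="c" * 40)


if __name__ == "__main__":
    for req, reason in check_requirements_hashes(SAMPLE_REQUIREMENTS):
        print(f"requirements: {req}: {reason}")
    for ref in check_actions_pinned(SAMPLE_WORKFLOW):
        print(f"workflow: {ref}: not pinned to a commit SHA")
```

Run on the sample input the lockfile checker reports `urllib3==2.2.3` (pinned but unhashed) and `requests>=2.0` (not an exact pin), and the workflow checker reports `actions/setup-python@v5`; the SHA-pinned checkout passes. Either list being non-empty is the condition under which the PR's `--require-hashes` install would fail or an action could be silently repointed.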

itsDNNS added 6 commits March 26, 2026 05:41
- Pin Docker base image (python:3.12-slim) to SHA256 digest
- Pin all GitHub Actions to commit SHAs instead of mutable tags
- Replace loose version constraints (>=) with exact versions + hashes
  via pip-compile (requirements.in -> requirements.txt)
- Enable --require-hashes in Dockerfile and CI pip install
- Add pip-audit CI job to detect known vulnerabilities in deps
- Add Dependabot config for pip, GitHub Actions, and Docker updates
- Set default workflow permissions to read-only (contents: read)
- Add requirements-test.txt with hash-pinned pytest + app deps
- CI test job now installs all deps via --require-hashes (no unhashed pip install)
- Replace manual pip-audit install with pypa/gh-action-pip-audit pinned to SHA
…ble)

pygments 2.19.2 has a local-access-only ReDoS in the ADL lexer.
No fix released yet, and it only affects test dependencies (via pytest).
Audit only requirements.txt (packages that ship in the Docker image).
Test deps in requirements-test.txt are hash-pinned but do not ship to
users and are not in scope for production vulnerability auditing.
Regenerate lockfiles with standard pip-compile header so Dependabot
detects the pip-compile workflow and re-runs pip-compile instead of
editing the lockfiles directly (which would strip hashes).
@itsDNNS itsDNNS merged commit 7323275 into main Mar 26, 2026
3 checks passed
@itsDNNS itsDNNS deleted the hardening/supply-chain branch March 26, 2026 06:56