Summary
The OSSF Scorecard Pinned-Dependencies check reported 47 warnings and 1 shell parse error across the repository. Unpinned dependencies in CI/CD workflows, container builds, and package installations create supply-chain risk by allowing upstream content to change without review.
Scope of Remediation
- GitHub Actions — pin all `uses:` references to full commit SHAs (with version comments)
- Python — adopt hashed lockfiles (`pip install --require-hashes`) for reproducible installs
- Docker — pin all base images to `sha256:` digests
- npm — switch CI installs to `npm ci` against `package-lock.json`
- NuGet — enable locked-mode restore (`packages.lock.json` + `--locked-mode`)
- Shell — fix the shell parse error blocking Scorecard analysis
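As an added illustration of the kind of check the first and third items describe (not code from the repository or from PR #402), the script below scans GitHub Actions workflow text for `uses:` references that are not pinned to a full 40-character commit SHA, and Dockerfile `FROM` lines whose image lacks a `@sha256:` digest. The function names, the sample workflow and Dockerfile, and the SHA/digest values in them are constructed for this example; it skips local `./` actions, `docker://` references, `scratch`, and multi-stage aliases, which is the same set of exclusions Scorecard's check does not flag.

```python
import re

# A fully pinned action: owner/repo[/path]@<40 hex chars>, optionally followed by a "# vX.Y.Z" comment.
SHA_PINNED = re.compile(r"^[A-Za-z0-9_.\-/]+@[0-9a-f]{40}(\s+#.*)?$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*(\S.*?)\s*$")
# FROM [--platform=...] <image> [AS alias]
FROM_LINE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.IGNORECASE)
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")


def unpinned_actions(workflow_text):
    """Return (line_no, ref) for every `uses:` not pinned to a full commit SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local actions and docker:// references cannot be SHA-pinned; skip them.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if not SHA_PINNED.match(ref):
            findings.append((n, ref))
    return findings


def unpinned_images(dockerfile_text):
    """Return (line_no, image) for every FROM whose image has no sha256 digest."""
    findings = []
    stages = set()  # aliases introduced by "FROM ... AS <alias>"
    for n, line in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM_LINE.match(line)
        if not m:
            continue
        image = m.group(1)
        # "scratch" and references to earlier build stages have no upstream content to pin.
        if image != "scratch" and image not in stages and not DIGEST.search(image):
            findings.append((n, image))
        alias = re.search(r"\sAS\s+(\S+)", line, re.IGNORECASE)
        if alias:
            stages.add(alias.group(1))
    return findings


# Constructed sample inputs; the SHA and digest below are placeholders, not real values.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5.3.0
      - uses: ./.github/actions/local-thing
      - uses: docker/build-push-action@main
"""

SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim AS builder
RUN pip install --require-hashes -r requirements.txt
FROM python:3.12-slim@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
COPY --from=builder /app /app
FROM builder AS test
"""

if __name__ == "__main__":
    for n, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"workflow line {n}: unpinned action {ref}")
    for n, image in unpinned_images(SAMPLE_DOCKERFILE):
        print(f"Dockerfile line {n}: unpinned image {image}")
```

Run it over real files by reading them into the two functions; a tag like `@v4` or a branch like `@main` is reported because upstream can move it, whereas a 40-hex SHA or a `sha256:` digest cannot be changed without changing the reference itself.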
Tracking
- Implementation plan: `.copilot-tracking/plans/2026-04-17/ossf-pinned-dependencies-plan.instructions.md`
- Changes log: `.copilot-tracking/changes/2026-04-17/ossf-pinned-dependencies-changes.md`
- Review: `.copilot-tracking/reviews/2026-04-17/ossf-pinned-dependencies-review.md` (0 Critical / 0 Major / 3 Minor / 4 Info)
- Plan deviations: PD-01..PD-05 documented in the planning log
Pull Request
Addressed by PR #402.