Pin Docker base images and pip packages to specific versions with SHA256 digests

Copilot · imnasnainaec · Copilot · commit 1b7d7159c2e9 · 2025-10-27T20:08:45.000Z
Co-authored-by: imnasnainaec &lt;6411521+imnasnainaec@users.noreply.github.com&gt;
diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml
@@ -35,6 +35,6 @@ jobs:
           python-version: 3.12
       - name: Install dependencies
         run: |
-          python -m pip install --upgrade pip
-          pip install tox
+          python -m pip install --upgrade pip==25.3
+          pip install tox==4.32.0
       - run: tox -e user-guide-github-pages
diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
@@ -39,7 +39,7 @@ jobs:
           python-version: ${{ matrix.python-version }}
       - name: Install dependencies
         run: |
-          python -m pip install --upgrade pip
-          pip install tox tox-gh-actions
+          python -m pip install --upgrade pip==25.3
+          pip install tox==4.32.0 tox-gh-actions==3.5.0
       - name: Test with tox
         run: tox
diff --git a/Backend/Dockerfile b/Backend/Dockerfile
@@ -7,7 +7,7 @@
 ############################################################
 
 # Docker multi-stage build
-FROM mcr.microsoft.com/dotnet/sdk:8.0.409-jammy AS builder
+FROM mcr.microsoft.com/dotnet/sdk:8.0.409-jammy@sha256:31331d856fd10255a3f0882da8449030e4d7121c555b25fd7f2396fd25c8d84f AS builder
 WORKDIR /app
 
 # Copy csproj and restore (fetch dependencies) as distinct layers.
@@ -19,7 +19,7 @@ COPY . ./
 RUN dotnet publish -c Release -o build
 
 # Build runtime image.
-FROM mcr.microsoft.com/dotnet/aspnet:8.0.16-jammy
+FROM mcr.microsoft.com/dotnet/aspnet:8.0.16-jammy@sha256:2530333efae1b4c682da1b6eb69c23bfb3d9e80d357b1b30bb4a9c15bf054f25
 
 ENV ASPNETCORE_URLS=http://+:5000
 ENV COMBINE_IS_IN_CONTAINER=1
diff --git a/Dockerfile b/Dockerfile
@@ -7,7 +7,7 @@
 ############################################################
 
 # User guide build environment
-FROM python:3.12.10-slim-bookworm AS user_guide_builder
+FROM python:3.12.10-slim-bookworm@sha256:97983fa8cc88343512862c62307159a82261c3528dc025f79e5a3f7af43e50b4 AS user_guide_builder
 
 ENV PYTHONDONTWRITEBYTECODE=1
 ENV PYTHONUNBUFFERED=1
@@ -24,7 +24,7 @@ COPY docs/user_guide docs/user_guide
 RUN tox -e user-guide
 
 # Frontend build environment.
-FROM node:22.17.0-bookworm-slim AS frontend_builder
+FROM node:22.17.0-bookworm-slim@sha256:358a55f9683d8444a810bf36ff1ea4f60522f55a82cada25f7eabdf79e445226 AS frontend_builder
 WORKDIR /app
 
 # Install app dependencies.
@@ -36,7 +36,7 @@ COPY . ./
 RUN npm run build
 
 # Production environment.
-FROM nginx:1.28.0
+FROM nginx:1.28.0@sha256:06246bcae987ceb27a9b7274dff88cb3ba44f92cfc0a2f80a15f6c4bf6d5b5a1
 
 WORKDIR /app
 
diff --git a/database/Dockerfile b/database/Dockerfile
@@ -5,7 +5,7 @@
 #   - Intel/AMD 64-bit
 #   - ARM 64-bit
 ############################################################
-FROM mongo:7.0.20-jammy
+FROM mongo:7.0.20-jammy@sha256:365a07aaeb5a54719a162709ca53475b3eeb5e93fe58f69cd6e604bcca26aa6e
 
 WORKDIR /
 
diff --git a/deploy/Dockerfile b/deploy/Dockerfile
@@ -5,7 +5,7 @@
 #   - Intel/AMD 64-bit
 ############################################################
 
-FROM python:3.12.10-slim-bookworm
+FROM python:3.12.10-slim-bookworm@sha256:97983fa8cc88343512862c62307159a82261c3528dc025f79e5a3f7af43e50b4
 
 USER root
 
diff --git a/maintenance/Dockerfile b/maintenance/Dockerfile
@@ -16,6 +16,9 @@
 #   - ARM 64-bit
 ############################################################
 
+# Multi-arch base image pinned to version 0.4.0
+# amd64 digest: sha256:75c13b324e3e139d17294749b6aabf1e52116c98ca6ba03f7401dbabaa2007da
+# arm64 digest: sha256:6f318bee146c0444272a0920903f886e26513bb9d4f1e11327ad9cb368b7f1ae
 FROM public.ecr.aws/thecombine/aws-kubectl:0.4.0-$TARGETARCH
 
 USER root
