fix: remediate supply chain security findings #2047
Merged
0a1c482 → d2f15b6
Address 4 high-severity code scanning findings from vuln-mgmt#195573:
1. Pin Docker base image to SHA256 digest (code-scanning/14)
2. Pin bundler gem to exact version 2.4.10 (code-scanning/16)
3. Add hash verification for pip install in Dockerfile (code-scanning/15)
4. Add hash verification for pip install in CI workflow (code-scanning/12)

Additionally pin all GitHub Actions to full commit SHAs for supply chain integrity.

Uses requirements file syntax for pip hash verification since --hash is a per-requirement option, not a CLI flag.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Zack Koppert <zkoppert@github.com>
d2f15b6 → ea45c19
docutils 0.22.4 requires Python >= 3.9 but the Dockerfile uses Python 2. Pin to 0.18.1 (last py2-compatible release) with its py2.py3 wheel hash. CI workflow keeps 0.22.4 since it uses Python 3.x.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Zack Koppert <zkoppert@github.com>
Pull request overview
Remediates high-severity supply-chain/code-scanning findings by pinning build inputs (Docker base image + language/package dependencies) and locking GitHub Actions to immutable commit SHAs.
Changes:
- Pinned Docker base image by digest and pinned Bundler/docutils versions in the Dockerfile (with pip hash verification via a requirements file).
- Pinned GitHub Actions (checkout, setup-python, cache) to commit SHAs in CI.
- Added pip hash verification for docutils in CI via a requirements file.
Summary per file:
| File | Description |
|---|---|
| Dockerfile | Pins the base image and Python/Ruby tooling dependencies to address supply-chain findings. |
| .github/workflows/ci.yml | Pins actions by SHA and installs docutils with hash verification in CI. |
Copilot's findings
- Files reviewed: 2/2 changed files
- Comments generated: 3
- Drop pip hash verification in Dockerfile (Trusty's pip ~1.5 predates --hash support added in pip 8.0); version pin alone addresses the code scanning finding
- Pin bundler to 2.3.26 instead of 2.4.10 (Bundler 2.4.x requires Ruby >= 2.6.0, but the Dockerfile installs Ruby 2.4.1); update Gemfile.lock BUNDLED WITH to match
- Fix CI comment to reference the actual Python 3 dependency (rest2html script) instead of the MARKUP_RST Ruby constant

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Zack Koppert <zkoppert@github.com>
Summary
Remediates 4 high-severity supply chain code scanning findings tracked in vuln-mgmt#195573.
Changes
Dockerfile
- ubuntu:trusty → ubuntu:trusty@sha256:64483f...
- gem install bundler → gem install bundler -v 2.3.26 (last version compatible with the Dockerfile's Ruby 2.4.1; Gemfile.lock BUNDLED WITH updated to match)
- pip install docutils → pip install docutils==0.18.1 (last Python 2-compatible release, matching the Dockerfile's Python 2 environment)
CI workflow (.github/workflows/ci.yml)
- python -m pip install docutils → pinned docutils==0.22.4 with --hash verification via requirements file. Uses 0.22.4 (latest) since CI runs Python 3.x.
- actions/checkout (v6.0.2), actions/setup-python (v6.2.0), actions/cache (v5.0.4) — all pinned to full SHAs with version comments. ruby/setup-ruby was already SHA-pinned.
- … rest2html script) instead of the MARKUP_RST Ruby constant.
Notes
- … --hash support added in pip 8.0). Version pinning alone addresses the code scanning finding for the Dockerfile.
- … git ls-remote.
Testing
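As an added example (not part of this PR or the repository), a small checker for the three kinds of pin the PR introduces: a digest-pinned FROM image, full-commit-SHA-pinned actions, and per-requirement --hash entries in a requirements file. The sample Dockerfile, workflow and requirements inputs are constructed inline, and the digest and SHA values in them are placeholders.

```python
import re

# Constructed sample inputs mirroring the shapes this PR pins; the digest and
# commit SHA values are placeholders, not real values.
DOCKERFILE = "FROM ubuntu:trusty@sha256:{}\nRUN gem install bundler -v 2.3.26\n".format("a" * 64)
WORKFLOW = "steps:\n  - uses: actions/checkout@{}  # v6.0.2\n  - uses: actions/cache@v5\n".format("b" * 40)
REQUIREMENTS = "docutils==0.22.4 \\\n    --hash=sha256:{}\nsix==1.16.0\n".format("c" * 64)

FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.I | re.M)
USES_RE = re.compile(r"uses:\s*(\S+)")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
COMMIT_RE = re.compile(r"@[0-9a-f]{40}$")


def unpinned_images(dockerfile: str) -> list:
    """FROM images without a sha256 digest; a tag like ubuntu:trusty is mutable."""
    return [img for img in FROM_RE.findall(dockerfile) if not DIGEST_RE.search(img)]


def unpinned_actions(workflow: str) -> list:
    """`uses:` refs not pinned to a full 40-hex commit SHA; a tag such as @v5 can be moved."""
    return [ref for ref in USES_RE.findall(workflow)
            if not ref.startswith(("./", "docker://")) and not COMMIT_RE.search(ref)]


def requirements_missing_hash(requirements: str) -> list:
    """Requirement lines with no --hash option.

    pip's --hash is a per-requirement option, not a CLI flag, so it sits on the
    requirement's own (possibly backslash-continued) line; continuations are
    joined before each logical line is checked.
    """
    logical = re.sub(r"\\\n\s*", " ", requirements)
    missing = []
    for line in logical.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-")):  # comments and pip options
            continue
        if "--hash=sha256:" not in line:
            missing.append(line.split()[0])
    return missing


if __name__ == "__main__":
    print("unpinned images:", unpinned_images(DOCKERFILE))
    print("unpinned actions:", unpinned_actions(WORKFLOW))
    print("requirements without hash:", requirements_missing_hash(REQUIREMENTS))
```

Running it against the constructed inputs reports actions/cache@v5 as unpinned and six==1.16.0 as lacking a hash, which is exactly the state that would let pip's hash-checking mode (and this PR's findings) fail.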