Skip to content

fix: harden pip install against supply chain attacks#490

Merged
jmeridth merged 1 commit intomainfrom
fix/pip-install-supply-chain-hardening
Mar 5, 2026
Merged

fix: harden pip install against supply chain attacks#490
jmeridth merged 1 commit intomainfrom
fix/pip-install-supply-chain-hardening

Conversation

@zkoppert
Copy link
Collaborator

@zkoppert zkoppert commented Mar 5, 2026

Summary

Hardens the Docker build against supply chain attacks by preventing pip from resolving dependencies at install time.

Addresses the same class of vulnerability as issue-metrics code scanning alert #94pip install without hash verification.

Changes

requirements.txt

  • Expanded via pip-compile to pin all transitive dependencies to exact versions
  • Ensures no implicit dependency resolution happens at install time

Dockerfile

  • Added --no-deps to pip install, preventing pip from resolving any packages beyond the explicit list

Why this approach

The Opengrep rule recommends two mitigations:

  1. pip install --require-hashes with hashed requirements
  2. pip install --no-deps when using a pip-compile workflow

We chose option 2 because --require-hashes generates platform-specific hashes that break Dependabot automated dependency update PRs. The --no-deps approach with fully-resolved transitive dependencies provides equivalent security — no unvetted code can be introduced at install time.

Testing

  • Verified clean install with --no-deps in a fresh venv — all imports succeed

@zkoppert
fix: harden pip install against supply chain attacks
ad899c2 
- Expand requirements.txt via pip-compile to pin all transitive dependencies
- Add --no-deps to Dockerfile pip install to prevent runtime dep resolution

Resolves pip-install-no-hash-check security alert.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@zkoppert zkoppert marked this pull request as ready for review March 5, 2026 17:24
@zkoppert zkoppert requested a review from jmeridth as a code owner March 5, 2026 17:24
Copilot AI review requested due to automatic review settings March 5, 2026 17:24
@zkoppert zkoppert marked this pull request as draft March 5, 2026 17:24
@github-actions github-actions bot added the fix label Mar 5, 2026
Copilot AI reviewed Mar 5, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@zkoppert zkoppert force-pushed the fix/pip-install-supply-chain-hardening branch from d886b13 to ad899c2 Compare March 5, 2026 17:41
@zkoppert zkoppert self-assigned this Mar 5, 2026
@zkoppert zkoppert marked this pull request as ready for review March 5, 2026 21:32
@jmeridth jmeridth merged commit 4e96aff into main Mar 5, 2026
39 of 40 checks passed
@jmeridth jmeridth deleted the fix/pip-install-supply-chain-hardening branch March 5, 2026 23:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@jmeridth jmeridth jmeridth approved these changes

Assignees

@zkoppert zkoppert

Labels

fix

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@zkoppert @jmeridth