fix: remediate supply chain security findings #2047

Merged. zkoppert merged 3 commits into master from fix/security-findings-supply-chain-hardening, Apr 22, 2026
@zkoppert zkoppert commented Apr 22, 2026

Summary

Remediates 4 high-severity supply chain code scanning findings tracked in vuln-mgmt#195573.

Changes

Dockerfile

  • Pin Docker base image to SHA256 digest (code-scanning/14): ubuntu:trusty → ubuntu:trusty@sha256:64483f...
  • Pin bundler to exact version (code-scanning/16): gem install bundler → gem install bundler -v 2.3.26 (last version compatible with the Dockerfile's Ruby 2.4.1; Gemfile.lock BUNDLED WITH updated to match)
  • Pin docutils version (code-scanning/15): pip install docutils → pip install docutils==0.18.1 (last Python 2-compatible release, matching the Dockerfile's Python 2 environment)

CI workflow (.github/workflows/ci.yml)

  • Add pip hash verification (code-scanning/12): python -m pip install docutils → pinned docutils==0.22.4 with --hash verification via requirements file. Uses 0.22.4 (latest) since CI runs Python 3.x.
  • Pin GitHub Actions to commit SHAs: actions/checkout (v6.0.2), actions/setup-python (v6.2.0), actions/cache (v5.0.4) — all pinned to full SHAs with version comments. ruby/setup-ruby was already SHA-pinned.
  • Fix inline comment: Updated Python version comment to reference the actual dependency (rest2html script) instead of the MARKUP_RST Ruby constant.

Notes

  • Hash verification is used in CI (modern pip) but not in the Dockerfile (Trusty ships pip ~1.5, which predates --hash support added in pip 8.0). Version pinning alone addresses the code scanning finding for the Dockerfile.
  • The Dockerfile is legacy (Ubuntu Trusty / Python 2 / Ruby 2.4.1) and is likely not actively built. Changes are safe — they pin existing dependencies without changing behavior.
  • All action SHAs verified against upstream tags via git ls-remote.

Testing

  • CI passes across the full Ruby 3.2 / 3.3 / 3.4 test matrix (all 6 test jobs pass)
  • CodeQL analysis passes for actions, python, and ruby
  • submit-pypi check passes
  • Multi-model code review (Opus, Sonnet, Haiku) conducted; Copilot PR reviewer feedback addressed in follow-up commit
@zkoppert zkoppert self-assigned this Apr 22, 2026
@zkoppert zkoppert force-pushed the fix/security-findings-supply-chain-hardening branch from 0a1c482 to d2f15b6 Compare April 22, 2026 02:19
Address 4 high-severity code scanning findings from vuln-mgmt#195573:

1. Pin Docker base image to SHA256 digest (code-scanning/14)
2. Pin bundler gem to exact version 2.4.10 (code-scanning/16)
3. Add hash verification for pip install in Dockerfile (code-scanning/15)
4. Add hash verification for pip install in CI workflow (code-scanning/12)

Additionally pin all GitHub Actions to full commit SHAs for
supply chain integrity.

Uses requirements file syntax for pip hash verification since
--hash is a per-requirement option, not a CLI flag.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Zack Koppert <zkoppert@github.com>
@zkoppert zkoppert force-pushed the fix/security-findings-supply-chain-hardening branch from d2f15b6 to ea45c19 Compare April 22, 2026 02:23
docutils 0.22.4 requires Python >= 3.9 but the Dockerfile uses Python 2.
Pin to 0.18.1 (last py2-compatible release) with its py2.py3 wheel hash.
CI workflow keeps 0.22.4 since it uses Python 3.x.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Zack Koppert <zkoppert@github.com>
@zkoppert zkoppert marked this pull request as ready for review April 22, 2026 02:35
Copilot AI review requested due to automatic review settings April 22, 2026 02:35

Copilot AI left a comment

Pull request overview

Remediates high-severity supply-chain/code-scanning findings by pinning build inputs (Docker base image + language/package dependencies) and locking GitHub Actions to immutable commit SHAs.

Changes:

  • Pinned Docker base image by digest and pinned Bundler/docutils versions in the Dockerfile (with pip hash verification via a requirements file).
  • Pinned GitHub Actions (checkout, setup-python, cache) to commit SHAs in CI.
  • Added pip hash verification for docutils in CI via a requirements file.

| File | Description |
| --- | --- |
| Dockerfile | Pins the base image and Python/Ruby tooling dependencies to address supply-chain findings. |
| .github/workflows/ci.yml | Pins actions by SHA and installs docutils with hash verification in CI. |

Copilot's findings

  • Files reviewed: 2/2 changed files
  • Comments generated: 3
Comment thread Dockerfile Outdated
Comment thread Dockerfile Outdated
Comment thread .github/workflows/ci.yml Outdated
- Drop pip hash verification in Dockerfile (Trusty's pip ~1.5 predates
  --hash support added in pip 8.0); version pin alone addresses the
  code scanning finding
- Pin bundler to 2.3.26 instead of 2.4.10 (Bundler 2.4.x requires
  Ruby >= 2.6.0, but the Dockerfile installs Ruby 2.4.1); update
  Gemfile.lock BUNDLED WITH to match
- Fix CI comment to reference the actual Python 3 dependency
  (rest2html script) instead of the MARKUP_RST Ruby constant

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Zack Koppert <zkoppert@github.com>
@zkoppert zkoppert merged commit 8e1bf5f into master Apr 22, 2026
10 checks passed
@zkoppert zkoppert deleted the fix/security-findings-supply-chain-hardening branch April 22, 2026 04:04
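
The pinning rules this PR applies (actions by full commit SHA, base image by digest, exact versions for pip and gem installs), written as a small audit over a workflow file and a Dockerfile. This is an added example, not code from the PR or the repository; the function names, the sample files, and the placeholder SHA and digest are constructed for illustration.

```python
import re

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s#'\"]+)")
FROM = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)", re.I)
INSTALL = re.compile(r"\b(pip|gem)\s+install\s+([^&;|#]+)")
ELSEWHERE = {"gem": ("-v", "--version"), "pip": ("-r", "--requirement")}  # pin given separately

def audit_workflow(text):
    """Return (line_no, ref) for each `uses:` not pinned to a full commit SHA."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope here
        if not re.fullmatch(r"[^@]+@[0-9a-f]{40}", m.group(1)):
            findings.append((n, m.group(1)))
    return findings

def audit_dockerfile(text):
    """Return (line_no, kind, name) for unpinned base images, pip and gem installs."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = FROM.match(line)
        if m and not re.search(r"@sha256:[0-9a-f]{64}$", m.group(1)):
            findings.append((n, "base-image", m.group(1)))
        for tool, args in INSTALL.findall(line):
            tokens = args.split()
            if any(flag in tokens for flag in ELSEWHERE[tool]):
                continue  # e.g. `gem install bundler -v 2.3.26` or `pip install -r file`
            for name in tokens:
                if not name.startswith("-") and (tool == "gem" or "==" not in name):
                    findings.append((n, tool, name))
    return findings

# Constructed samples. The SHA and digest are placeholders, not values from the PR.
SHA = "0123456789abcdef0123456789abcdef01234567"
DIGEST = "sha256:" + "ab" * 32
WORKFLOW = f"""\
- uses: actions/checkout@v6.0.2
- uses: actions/setup-python@{SHA} # v6.2.0
- uses: actions/cache@main
"""
DOCKERFILE = f"""\
FROM ubuntu:trusty
RUN pip install docutils
RUN gem install bundler -v 2.3.26
RUN pip install docutils==0.18.1
FROM ubuntu:trusty@{DIGEST}
"""
```

The SHA check only confirms that a reference has the shape of a full commit SHA; matching it to the tag named in the version comment is a separate step, which the PR did with git ls-remote.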