
fix: resolve supply chain security code scanning alerts #2048

Merged
zkoppert merged 1 commit into master from fix/code-scanning-supply-chain-hardening on Apr 23, 2026

Conversation

@zkoppert zkoppert commented Apr 22, 2026

Member

Summary

Resolves 4 open code scanning alerts by removing the legacy Dockerfile (which caused 3 of the 4 alerts) and hardening the CI workflow's pip install.

Changes

Testing

  • CI tests pass across Ruby 3.2/3.3/3.4 matrix, confirming the pip install change works correctly.
  • Multi-model code review (Claude Opus, Claude Sonnet, GPT-5.2) validated the approach and identified the Dockerfile deletion as the right path forward.
@zkoppert zkoppert self-assigned this Apr 22, 2026
@zkoppert zkoppert force-pushed the fix/code-scanning-supply-chain-hardening branch from 7200204 to a411cca on April 22, 2026 23:05
- Remove legacy Dockerfile (Ubuntu Trusty 14.04, Python 2, Ruby 2.4.1,
  references bintray.com which shut down 2021). It was never used by CI
  and generated recurring scanner alerts and dependabot noise.
- Remove docker ecosystem from dependabot config since Dockerfile no
  longer exists.
- Add --require-hashes --no-deps flags to pip install in CI workflow
  to enforce hash verification explicitly (alert #12).

Resolves code scanning alerts #12, #14, #15, #16.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Zack Koppert <zkoppert@github.com>
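The hash-verification flags named in the commit message above, worked through as an added example that is not part of this PR or the project's own code. It assumes a hash-pinned requirements file of the shape pip expects (the docutils version and the sha256 digest below are constructed placeholders, not the project's real pin), and the function names `parse_requirements`, `unsafe_entries` and `hardened_pip_command` are hypothetical. The check surfaces, before the CI step runs, any entry that `pip install --require-hashes` would reject, and shows what `--no-deps` adds on top.

```python
"""Pre-flight check for a hash-pinned pip install step.

Constructed example, not the project's own code. It parses a pip
requirements file, reports entries that `pip install --require-hashes`
would reject, and builds the hardened install command used in CI.
"""
import re
import shlex

# Constructed placeholder digest (64 hex zeros), not a real docutils hash.
PLACEHOLDER_SHA256 = "sha256:" + "0" * 64

# Constructed hash-pinned requirements file; the version is a sample, not
# the project's actual pin. pip verifies the downloaded artifact against
# every --hash listed for the entry.
PINNED_REQUIREMENTS = (
    "# docutils pinned by version and artifact digest\n"
    "docutils==0.21.2 \\\n"
    "    --hash=" + PLACEHOLDER_SHA256 + "\n"
)

# Constructed weak file: an exact pin without a digest, and an open range.
WEAK_REQUIREMENTS = (
    "docutils==0.21.2\n"
    "requests>=2.0\n"
)

_SPEC_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;]*)")
_HASH_RE = re.compile(r"(sha256:[0-9a-f]{64}|sha384:[0-9a-f]{96}|sha512:[0-9a-f]{128})")


def _logical_lines(text):
    """Join backslash-continued lines and drop blanks and comment lines."""
    out, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        out.append((pending + line).strip())
        pending = ""
    if pending:
        out.append(pending.strip())
    return out


def parse_requirements(text):
    """Return (name, operator, version, [hash values]) per requirement entry."""
    entries = []
    for line in _logical_lines(text):
        tokens = shlex.split(line)
        match = _SPEC_RE.match(tokens[0])
        if not match:
            raise ValueError(f"unparseable requirement: {line!r}")
        name, op, version = match.groups()
        # pip's per-requirement option; only the --hash=<algo>:<hex> form is handled here
        hashes = [t[len("--hash="):] for t in tokens[1:] if t.startswith("--hash=")]
        entries.append((name.lower(), op or "", version, hashes))
    return entries


def unsafe_entries(text):
    """Entries that would fail under --require-hashes, with the reason.

    pip refuses the whole install if any entry is not pinned with == or
    carries no digest, so this surfaces the problem before the CI step runs.
    """
    problems = []
    for name, op, version, hashes in parse_requirements(text):
        if op != "==":
            problems.append((name, "not pinned with =="))
        elif not hashes:
            problems.append((name, "no --hash"))
        elif not all(_HASH_RE.fullmatch(h) for h in hashes):
            problems.append((name, "malformed hash"))
    return problems


def hardened_pip_command(requirements_path):
    """argv for the CI install step.

    --require-hashes: every downloaded artifact must match a listed digest.
    --no-deps: do not resolve transitive dependencies at all; anything not
    listed (and hashed) in the file is an error rather than a silent fetch.
    """
    return ["pip", "install", "--require-hashes", "--no-deps", "-r", requirements_path]


if __name__ == "__main__":
    for label, text in (("pinned", PINNED_REQUIREMENTS), ("weak", WEAK_REQUIREMENTS)):
        print(label, unsafe_entries(text) or "ok")
    print(shlex.join(hardened_pip_command("requirements.txt")))
```

Running the check as a step before the install means a missing or stale digest fails the job with a readable reason instead of pip's generic hash-mode error; `--no-deps` is belt and braces on top of `--require-hashes`, since a transitive dependency that is not itself listed and hashed already causes pip to abort in hash-checking mode.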
@zkoppert zkoppert force-pushed the fix/code-scanning-supply-chain-hardening branch from a411cca to 15d84a1 on April 22, 2026 23:49
@zkoppert zkoppert marked this pull request as ready for review April 22, 2026 23:53
Copilot AI review requested due to automatic review settings April 22, 2026 23:53

Copilot AI left a comment

Pull request overview

This PR resolves supply-chain/security code scanning alerts by removing unused legacy Docker configuration and tightening Python dependency installation in CI.

Changes:

  • Deleted the legacy Dockerfile and removed .dockerignore (Docker build context no longer applicable).
  • Removed the Docker ecosystem entry from Dependabot configuration.
  • Hardened CI Python installs by enforcing hash-checking and disabling dependency resolution for the pinned docutils install.
Summary per file:

  • Dockerfile: Removed unused legacy Docker build definition that triggered multiple security alerts.
  • .github/workflows/ci.yml: Updated pip install command to use --require-hashes --no-deps for the pinned docutils requirement.
  • .github/dependabot.yaml: Dropped Docker ecosystem updates since there is no Dockerfile to monitor.
  • .dockerignore: Removed since Docker-related files were removed and it no longer serves a purpose.

Copilot's findings

  • Files reviewed: 4/4 changed files
  • Comments generated: 0
@zkoppert zkoppert merged commit e61b7f8 into master Apr 23, 2026
14 checks passed
@zkoppert zkoppert deleted the fix/code-scanning-supply-chain-hardening branch April 23, 2026 00:10
@zkoppert zkoppert mentioned this pull request Apr 23, 2026
2 tasks
zkoppert added a commit that referenced this pull request Apr 23, 2026
- Correct github-linguist version: 9.1.0 -> 9.3.0
- Note Ruby 3.2 removal from CI matrix alongside 4.0 addition
- Add PR link for pip install hardening (#2048)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Zack Koppert <zkoppert@github.com>
zkoppert added a commit that referenced this pull request May 5, 2026
- Correct github-linguist version: 9.1.0 -> 9.3.0
- Note Ruby 3.2 removal from CI matrix alongside 4.0 addition
- Add PR link for pip install hardening (#2048)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Zack Koppert <zkoppert@github.com>