chore(security): pin Docker images by SHA digest #41
OpenSSF Scorecard Pinned-Dependencies check scored 0 because Docker images were pulled by floating tag. Pin to immutable SHA digests so the build is deterministic and resistant to upstream tag re-pointing.

- python:3.12-slim -> @sha256:090ba77e2958f6af52a5341f788b50b032dd4ca28377d2893dcf1ecbdfdfe203 (Docker Hub digest as of 2026-05-22, applied to all stages)
- ghcr.io/astral-sh/uv:latest -> ghcr.io/astral-sh/uv:0.11.16@sha256:440fd6477af86a2f1b38080c539f1672cd22acb1b1a47e321dba5158ab08864d (explicit version + digest so Renovate can auto-bump together)

Same pattern as ByronWilliamsCPA/llc-manager#51.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
No actionable comments were generated in the recent review.
Dependency Review: No vulnerabilities or license issues or OpenSSF Scorecard issues found. Scanned files: None
Pull request overview
Pins Docker base images by immutable SHA256 digests to satisfy OpenSSF Scorecard “Pinned-Dependencies” guidance and improve supply-chain determinism for the project’s container build.
Changes:
- Pin `python:3.12-slim` in both builder and runtime stages using a SHA256 digest.
- Pin the `ghcr.io/astral-sh/uv` image used for `COPY --from` to a specific version + digest.
| # Stage 1: Builder - Install dependencies | ||
| # ============================================================================= | ||
| FROM python:3.12-slim AS builder | ||
| FROM python:3.12-slim@sha256:090ba77e2958f6af52a5341f788b50b032dd4ca28377d2893dcf1ecbdfdfe203 AS builder |
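Review bot: The digest on the builder `FROM` line cannot be verified from this PR, because the "How the SHAs were resolved" section of the description is empty. A reviewer cannot confirm that it is the digest published for `python:3.12-slim`, or that it names the multi-platform image index rather than a single-architecture manifest. Record the command used and its output in the description, for example `docker buildx imagetools inspect python:3.12-slim`, so the value can be reproduced before merge.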
| # Stage 2: Runtime - Production image with audio processing capabilities | ||
| # ============================================================================= | ||
| FROM python:3.12-slim AS runtime | ||
| FROM python:3.12-slim@sha256:090ba77e2958f6af52a5341f788b50b032dd4ca28377d2893dcf1ecbdfdfe203 AS runtime |
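Review bot: The runtime `FROM` repeats the same 64-character digest as the builder stage, so every future bump has to change both lines identically, and a partial update would leave the two stages on different base images with no build error. The commit message dates this digest to 2026-05-22 and mentions Renovate only for the uv image; confirm digest updates are enabled for `python:3.12-slim` as well, otherwise the production stage stops picking up base-image security fixes.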
|
|
||
| # Install UV for fast dependency management | ||
| COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv | ||
| COPY --from=ghcr.io/astral-sh/uv:0.11.16@sha256:440fd6477af86a2f1b38080c539f1672cd22acb1b1a47e321dba5158ab08864d /uv /usr/local/bin/uv |
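Review bot: On the new `COPY --from` line the digest alone selects what is copied; the `0.11.16` tag is not checked against it, so a wrong or stale tag would go unnoticed and mislead anyone reading the version. Confirm the digest is the one published for 0.11.16, and make sure the updater always changes tag and digest in the same commit, which the commit message states as the intent for Renovate.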
…2026-139 (torch) (#44)

* fix(security): resolve PYSEC-2026-161 (starlette) and suppress PYSEC-2026-139 (torch)

Unblocks CI on PRs #39, #40, and #41. Both pip-audit and osv-scanner were flagging the same two CVEs, cascading into Code Quality, OSV Scanner, Security Gate, and CI Gate failures on every open PR.

- Bump fastapi>=0.133.0 in [audio] extras and regenerate uv.lock; fastapi 0.136.3 + starlette 1.1.0 resolve PYSEC-2026-161.
- Add PYSEC-2026-139 (torch/CVE-2026-4538) to osv-scanner.toml and [tool.pip-audit] ignore-vuln; no upstream fix exists. Torch is an optional [ml] extra absent from the production container.
- Document PYSEC-2026-139 in docs/known-vulnerabilities.md per project CVE policy; reassess-by 2026-07-26.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* docs: correct torch CVE suppression justification and compensating controls

The PYSEC-2026-139 / CVE-2026-4538 suppression in three files contained two false claims:

1. "torch is never imported by the deployed service" - vad.py:16 has an unconditional top-level `import torch`, refuting the grep verification.
2. "not installed in the production container (which installs only the audio extra)" - the Dockerfile runs `uv sync --frozen --no-dev` with no --extra flags; no optional extras are installed at all.

The compensating control (torch absent from production) remains valid. Update all three files to state the accurate mechanism: the Dockerfile installs no optional extras, so neither [ml] (direct) nor [audio] (transitive via silero-vad) entries for torch reach the runtime image. Remove the false grep verification claim from compensating controls.

Also corrects:

- Package field: adds the silero-vad transitive path in [audio] extra
- Patched version row: shortened to fit 120-char Markdown line limit
- pyproject.toml fastapi comment: "starlette<1.0.0" -> "starlette 0.x"; "starlette 1.x" -> "starlette>=1.1.0" (1.1.0 is the specific fix version)
- osv-scanner.toml: replaces -- double-dash with comma (writing rule PC-011)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* docs(changelog): add PYSEC-2026-161 and CVE-2026-4538 security entries

Per CLAUDE.md CVE Citation Policy: any CHANGELOG entry that fixes a security vulnerability must include the CVE ID if one has been assigned.

- PYSEC-2026-161 (starlette < 1.1.0): resolved by fastapi>=0.133.0
- CVE-2026-4538 / PYSEC-2026-139 (torch 2.9.1, AV:L HIGH): deferred with reassess-by 2026-07-26; no upstream fix available

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>



Summary
Pin Docker base images by SHA digest to fix OpenSSF Scorecard Pinned-Dependencies findings.
- `python:3.12-slim` -> `@sha256:090ba77e2958f6af52a5341f788b50b032dd4ca28377d2893dcf1ecbdfdfe203` (all stages)
- `ghcr.io/astral-sh/uv:latest` -> `ghcr.io/astral-sh/uv:0.11.16@sha256:440fd6477af86a2f1b38080c539f1672cd22acb1b1a47e321dba5158ab08864d`

Why
Same root cause as ByronWilliamsCPA/llc-manager#51. Floating tags break supply-chain integrity; immutable digests make the build deterministic and the Scorecard score climb by ~1.0-1.5.
How the SHAs were resolved
Test plan
Generated with Claude Code
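The floating-tag condition this PR removes can be checked mechanically. The following is an added example, not part of the PR or the project's code: a Python check that lists `FROM` and `COPY --from` image references lacking a sha256 digest while skipping `scratch` and references to earlier build stages. The function name `unpinned_images` and the sample Dockerfile text are constructed for illustration, and it assumes one instruction per line.

```python
import re

# A reference counts as pinned only if it ends in a full sha256 digest.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)
COPY_FROM_RE = re.compile(r"^\s*COPY\b.*?\s--from=(\S+)", re.I)

def unpinned_images(dockerfile_text):
    """Return [(line_no, ref)] for FROM / COPY --from image refs without a digest.

    Assumes each instruction sits on one line (no backslash continuations).
    """
    stages = set()   # earlier build stages, by alias and by numeric index
    findings = []
    n_stages = 0
    for line_no, line in enumerate(dockerfile_text.splitlines(), start=1):
        m = FROM_RE.match(line)
        if m:
            ref, alias = m.group(1), m.group(2)
            # "scratch" and earlier stages are not registry pulls.
            external = ref.lower() != "scratch" and ref.lower() not in stages
            if external and not DIGEST_RE.search(ref):
                findings.append((line_no, ref))
            stages.add(str(n_stages))
            if alias:
                stages.add(alias.lower())
            n_stages += 1
            continue
        m = COPY_FROM_RE.match(line)
        if m:
            ref = m.group(1)
            if ref.lower() not in stages and not DIGEST_RE.search(ref):
                findings.append((line_no, ref))
    return findings

# Constructed sample mixing the "before" and "after" forms from this PR.
SAMPLE = """\
FROM python:3.12-slim AS builder
COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv
FROM python:3.12-slim@sha256:090ba77e2958f6af52a5341f788b50b032dd4ca28377d2893dcf1ecbdfdfe203 AS runtime
COPY --from=builder /app /app
COPY --from=ghcr.io/astral-sh/uv:0.11.16@sha256:440fd6477af86a2f1b38080c539f1672cd22acb1b1a47e321dba5158ab08864d /uv /usr/local/bin/uv
"""

if __name__ == "__main__":
    for line_no, ref in unpinned_images(SAMPLE):
        print(f"line {line_no}: {ref} is not pinned by digest")
```

A reference built from an `ARG` (such as `FROM ${BASE}`) is reported as unpinned, since its value cannot be checked from the Dockerfile text alone.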