Parent tracking issue
Control
Dependency/base image pinning and verification.
Why
Mitigates supply-chain tampering and dependency confusion risks in CI/build (TM-12, TM-13, TM-14; priority P1).
Scope
- Lockfiles: Ensure dependency lockfile(s) are committed and CI builds use locked/frozen installs
- Base images: Pin all `FROM` images by digest (`image@sha256:...`), not just by tag, since tags are mutable
- Toolchain pinning: Pin language toolchain versions (`rust-toolchain.toml`, `.nvmrc`, `.python-version`, the `go` directive in `go.mod`, etc.)
- Integrity verification: Enable dependency verification where supported (`--locked` for cargo, `npm ci`, `go mod verify`, pip hash-checking mode via `--require-hashes`)
- Curl/install scripts: Replace any `curl | sh` patterns with verified downloads (pinned version plus checksum or signature check before execution) or pinned tool versions
- Run CI and check for compatibility breaks after changes
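As an added example (not ReductStore project code), the two checks below cover the base-image and install-script items above: `check_from_pinned` flags every external `FROM` reference in a Dockerfile that lacks a `@sha256:<64 hex>` digest (stage aliases such as `FROM builder` are allowed), and `verified_download` is a fail-closed replacement for `curl | sh` that fetches to a temp file, compares its SHA-256 against a digest recorded in the repository, and only keeps the file on a match. The digest values and URLs in the comments are placeholders, not real artifacts.

```shell
#!/usr/bin/env bash
# Added example, not part of the original issue or the project's own scripts.
# Assumes coreutils (sha256sum or shasum) and curl are available.
set -u

# Print each FROM image reference that is not pinned by digest.
# Returns 0 when every external image is pinned, 1 otherwise.
check_from_pinned() {
    dockerfile="$1"
    aliases=" "   # space-delimited list of stage names seen so far
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            [Ff][Rr][Oo][Mm][[:space:]]*) ;;
            *) continue ;;
        esac
        set -- $line
        shift                                            # drop the FROM keyword
        while [ $# -gt 0 ] && [ "${1#--}" != "$1" ]; do  # drop --platform=... flags
            shift
        done
        ref="${1:-}"
        alias_name=""
        if [ $# -ge 3 ]; then                            # ... AS <stage>
            case "$2" in [Aa][Ss]) alias_name="$3" ;; esac
        fi
        case "$aliases" in
            *" $ref "*) ;;                               # reference to an earlier stage
            *)
                if ! printf '%s\n' "$ref" | grep -Eq '@sha256:[0-9a-f]{64}$'; then
                    printf 'unpinned FROM: %s\n' "$ref"
                    bad=1
                fi
                ;;
        esac
        [ -n "$alias_name" ] && aliases="$aliases$alias_name "
    done < "$dockerfile"
    return "$bad"
}

# Hex SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# True when the file's SHA-256 equals the expected (case-insensitive) digest.
verify_sha256() {
    expected="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
    [ "$(sha256_of "$1")" = "$expected" ]
}

# Replacement for `curl -sSL "$URL" | sh`: download to a temp file, verify the
# digest committed alongside the pinned tool version, and only then move it into
# place. A mismatch (or a download error) deletes the file and returns non-zero.
# Example (placeholder values): verified_download https://example.invalid/tool.sh <sha256> ./tool.sh
verified_download() {
    url="$1"; expected="$2"; dest="$3"
    tmp="$(mktemp)"
    if ! curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"; then
        rm -f "$tmp"
        return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        printf 'sha256 mismatch for %s: got %s, want %s\n' \
            "$url" "$(sha256_of "$tmp")" "$expected" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$dest"
}
```

Run `check_from_pinned Dockerfile` as a CI step so an unpinned `FROM` fails the build; the digest passed to `verified_download` should live in version control next to the pinned tool version so a bump to either is visible in review.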
Deliverables
- PR(s) that implement pinning and verification for this repository
- Evidence of lockfile usage and digest pinning in PR description
- Notes about any compatibility changes/fixes made
Definition of done
- All lockfiles are committed and CI uses locked/frozen installs
- Docker base images are pinned by digest
- Toolchain versions are pinned
- No unverified `curl | sh` install patterns remain
- Links to PR(s) are posted back to parent issue reductstore/security#34