Skip to content

chore(security): pin Docker images by SHA digest#22

Open
williaby wants to merge 1 commit into
mainfrom
chore/sha-pin-docker-images
Open

chore(security): pin Docker images by SHA digest#22
williaby wants to merge 1 commit into
mainfrom
chore/sha-pin-docker-images

Conversation

@williaby
Copy link
Copy Markdown
Contributor

@williaby williaby commented May 26, 2026

Summary

Pin Docker base images by SHA digest to fix OpenSSF Scorecard Pinned-Dependencies findings.

  • python:3.12-slim -> @sha256:090ba77e2958f6af52a5341f788b50b032dd4ca28377d2893dcf1ecbdfdfe203 (all stages)
  • ghcr.io/astral-sh/uv:latest -> ghcr.io/astral-sh/uv:0.11.16@sha256:440fd6477af86a2f1b38080c539f1672cd22acb1b1a47e321dba5158ab08864d

Why

Same root cause as ByronWilliamsCPA/llc-manager#51. Floating tags break supply-chain integrity; immutable digests make the build deterministic and the Scorecard score climb by ~1.0-1.5.

How the SHAs were resolved

  • python:3.12-slim digest from Docker Hub tag API (last_updated 2026-05-22)
  • uv digest from GHCR OCI registry manifest; the 0.11.16 version tag added alongside digest so Renovate can auto-bump

Test plan

  • CI passes (no functional change)
  • Container security gate still satisfied
  • Next Scorecard run shows Pinned-Dependencies score increase

Generated with Claude Code

@williaby @claude
chore(security): pin Docker images by SHA digest
5e955bd 
OpenSSF Scorecard Pinned-Dependencies check scored 0 because Docker
images were pulled by floating tag. Pin to immutable SHA digests so
the build is deterministic and resistant to upstream tag re-pointing.

- python:3.12-slim -> @sha256:090ba77e2958f6af52a5341f788b50b032dd4ca28377d2893dcf1ecbdfdfe203
  (Docker Hub digest as of 2026-05-22, applied to all stages)
- ghcr.io/astral-sh/uv:latest -> ghcr.io/astral-sh/uv:0.11.16@sha256:440fd6477af86a2f1b38080c539f1672cd22acb1b1a47e321dba5158ab08864d
  (explicit version + digest so Renovate can auto-bump together)

Same pattern as ByronWilliamsCPA/llc-manager#51.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 26, 2026 17:47
@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 26, 2026

Warning

Review limit reached

@williaby, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 59 minutes and 56 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7eeae28d-0797-4ce8-8f05-2a6649b5e7f1

📥 Commits

Reviewing files that changed from the base of the PR and between 6c1b9a3 and 5e955bd.

📒 Files selected for processing (1)
  • Dockerfile
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/sha-pin-docker-images

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Copilot AI reviewed May 26, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Pins Docker base images in the repository’s Dockerfile to immutable SHA256 digests to satisfy OpenSSF Scorecard “Pinned Dependencies” requirements and improve supply-chain determinism for container builds.

Changes:

  • Pin python:3.12-slim to a specific SHA256 digest for both the builder and runtime stages.
  • Pin the UV tool image used for COPY --from=... to ghcr.io/astral-sh/uv:0.11.16@sha256:... (replacing latest).

@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented May 26, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@williaby