
Pin Missing Dependencies #834

@camilamaia

Description

The OpenSSF Scorecard identified several unpinned dependencies in the ScanAPI repository.
To improve our supply chain security, we should pin all external dependencies to immutable hashes: full commit SHAs for GitHub Actions, sha256 digests for Docker base images, and package hashes (`pip install --require-hashes`) for pip commands.

A mutable reference such as `v4` or `3.10.4-bullseye` can be moved to point at different content after we reviewed it; a hash cannot. Pinning therefore gives reproducible builds and protects against a supply chain attack in which an upstream tag, image or package is replaced. Pinned hashes no longer move on their own, so updates then need an explicit bump (for example via a dependency-update bot).


📊 Scorecard Findings

Raw Output
Reason
dependency not pinned by hash detected -- score normalized to 3

Details
Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish-to-production.yml:23
→ update using https://app.stepsecurity.io/secureworkflow/scanapi/scanapi/publish-to-production.yml/main?enable=pin

Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish-to-test-pypi.yml:24
→ update using https://app.stepsecurity.io/secureworkflow/scanapi/scanapi/publish-to-test-pypi.yml/main?enable=pin

Warn: third-party GitHubAction not pinned by hash: .github/workflows/pytest-and-codecov.yml:31
→ update using https://app.stepsecurity.io/secureworkflow/scanapi/scanapi/pytest-and-codecov.yml/main?enable=pin

Warn: third-party GitHubAction not pinned by hash: .github/workflows/validate-pr-title-v1.yml:16
→ update using https://app.stepsecurity.io/secureworkflow/scanapi/scanapi/validate-pr-title-v1.yml/main?enable=pin

Warn: containerImage not pinned by hash: Dockerfile:1
→ update python:3.10.4-bullseye to python:3.10.4-bullseye@sha256:86862fd2ad17902cc3a95b7effd257dfd043151f05d280170bdd6ff34f7bc78b

Warn: pipCommand not pinned by hash: Dockerfile:7
Warn: pipCommand not pinned by hash: Dockerfile:9

Info: 10/10 GitHub-owned GitHubAction dependencies pinned
Info: 2/6 third-party GitHubAction dependencies pinned
Info: 0/1 containerImage dependencies pinned
Info: 0/2 pipCommand dependencies pinned

✅ Tasks

  • Pin all third-party GitHub Actions to specific commit SHAs.
  • Pin Docker base image to a SHA digest.
  • Pin pip commands within the Dockerfile.
  • Verify fixes using the StepSecurity Secure Workflow tool.
  • Re-run the OpenSSF Scorecard check to confirm improvement.
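To make the three pinning rules above concrete and checkable locally before re-running Scorecard, here is a small audit script. It is an added example written for this issue, not ScanAPI's code and not the Scorecard implementation; it reproduces the shape of the `Warn:`/`Info:` lines above on constructed sample inputs (a workflow and a Dockerfile embedded in the script, not the real repository files). The 40-hex action SHA in the sample is a placeholder, not a real commit; the Docker digest is the one Scorecard reported. The script treats a pip command as pinned only when it passes `--require-hashes`, which is the criterion assumed here.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# --- Constructed sample inputs (not the real ScanAPI files). ---
# Placeholder commit SHA: syntactically a full 40-hex pin, not a real commit.
PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"

SAMPLE_WORKFLOW = f"""\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@{PLACEHOLDER_SHA} # v5
      - uses: codecov/codecov-action@v4
      - uses: pypa/gh-action-pypi-publish@{PLACEHOLDER_SHA} # release/v1
      - uses: ./.github/actions/local-check
"""

# Digest on the unpinned FROM is the one Scorecard suggested for python:3.10.4-bullseye.
SAMPLE_DOCKERFILE = """\
FROM python:3.10.4-bullseye AS builder
RUN pip install --upgrade pip
RUN pip install \\
    poetry==1.2.2
FROM python:3.10.4-bullseye@sha256:86862fd2ad17902cc3a95b7effd257dfd043151f05d280170bdd6ff34f7bc78b
COPY --from=builder /app /app
RUN python -m pip install --require-hashes -r requirements.txt
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s#'\"]+)")
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
PIP_RE = re.compile(r"\b(?:pip3?|python3?\s+-m\s+pip)\s+install\b")
GITHUB_OWNED = ("actions/", "github/")


@dataclass
class Finding:
    kind: str          # "GitHubAction", "containerImage" or "pipCommand"
    line: int          # 1-based line where the dependency starts
    ref: str           # the dependency as written
    pinned: bool
    third_party: bool = False  # only meaningful for GitHubAction


def audit_workflow(text: str) -> List[Finding]:
    """Flag every remote `uses:` ref whose version is not a full 40-hex commit SHA."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local action or container step, not a remote action ref
        repo, _, version = ref.rpartition("@") if "@" in ref else (ref, "", "")
        pinned = bool(SHA40_RE.match(version))  # a tag or branch name never matches
        findings.append(Finding("GitHubAction", n, ref, pinned, not repo.startswith(GITHUB_OWNED)))
    return findings


def _logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (line_no, text) with backslash-continued Dockerfile lines joined."""
    buf: List[str] = []
    start = 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = n
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(stripped)
        yield start, " ".join(buf)
        buf = []
    if buf:
        yield start, " ".join(buf)


def audit_dockerfile(text: str) -> List[Finding]:
    """FROM is pinned only with an @sha256 digest; pip install only with --require-hashes."""
    findings, stages = [], set()
    for n, line in _logical_lines(text):
        m = FROM_RE.match(line)
        if m:
            image, alias = m.group(1), m.group(2)
            if alias:
                stages.add(alias.lower())
            if image.lower() in stages or image.lower() == "scratch":
                continue  # an earlier build stage or the empty image: nothing to pin
            findings.append(Finding("containerImage", n, image, bool(DIGEST_RE.search(image))))
            continue
        if line.lstrip().upper().startswith("RUN") and PIP_RE.search(line):
            findings.append(Finding("pipCommand", n, line.strip(), "--require-hashes" in line))
    return findings


def pin_uses_ref(ref: str, sha: str) -> str:
    """Rewrite owner/repo@tag to owner/repo@<sha> # tag, keeping the readable version as a comment."""
    if not SHA40_RE.match(sha):
        raise ValueError("expected a full 40-hex commit SHA")
    repo, _, version = ref.rpartition("@")
    return f"{repo}@{sha} # {version}"


def summarize(findings: List[Finding]) -> Dict[str, Tuple[int, int]]:
    """Per category: (pinned, total), mirroring Scorecard's Info lines."""
    out: Dict[str, Tuple[int, int]] = {}
    for f in findings:
        key = f.kind
        if f.kind == "GitHubAction":
            key = ("third-party " if f.third_party else "GitHub-owned ") + key
        p, t = out.get(key, (0, 0))
        out[key] = (p + int(f.pinned), t + 1)
    return out


if __name__ == "__main__":
    results = audit_workflow(SAMPLE_WORKFLOW) + audit_dockerfile(SAMPLE_DOCKERFILE)
    for f in results:
        if not f.pinned:
            print(f"Warn: {f.kind} not pinned by hash: line {f.line}: {f.ref}")
    for key, (p, t) in summarize(results).items():
        print(f"Info: {p}/{t} {key} dependencies pinned")
```

Run it as-is to see the warnings for the sample; to audit the repository, feed the contents of each `.github/workflows/*.yml` file to `audit_workflow` and the Dockerfile to `audit_dockerfile`. The `# v4`-style trailing comment that `pin_uses_ref` emits is what keeps a pinned workflow reviewable: the SHA is what runs, the comment is what a human (or an update bot) reads.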

🔗 References
