[sec-check] fix: pin semgrep pip install with --require-hashes in nightly-test-suite#20562
[sec-check] fix: pin semgrep pip install with --require-hashes in nightly-test-suite#20562clubanderson wants to merge 1 commit into
Conversation
…htly-test-suite
Add .github/requirements-nightly.txt with SHA-256 hashes for semgrep 1.102.0
and all 46 transitive dependencies (manylinux2014_x86_64 / Python 3.11).
Switch nightly-test-suite.yml to:
- Add actions/setup-python 3.11 step before Install test tools so the
pinned hashes match the downloaded wheels exactly.
- Use 'pip install --require-hashes -r .github/requirements-nightly.txt'
instead of unverified 'pip3 install semgrep==VERSION'.
This ensures every byte installed as semgrep and its deps matches the
hashes captured at pin time, blocking supply-chain attacks against PyPI.
Fixes #20533
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: sec-check <sec-check@kubestellar.io>
✅ Deploy Preview for kubestellarconsole canceled.
|
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
🐝 Hi @clubanderson! I'm Trusted users — org members and contributors with write access — can mention Automation may take a moment to start, and follow-up happens through workflow activity rather than chat replies. |
|
👋 Hey @clubanderson — thanks for opening this PR!
This is an automated message. |
There was a problem hiding this comment.
Pull request overview
This PR hardens the repository’s nightly CI security tooling by switching Semgrep installation from a plain PyPI version pin to a hash-locked, --require-hashes requirements file, reducing supply-chain risk (Fixes #20533).
Changes:
- Adds a pinned
actions/setup-pythonstep (Python 3.11) so the environment matches the platform/Python version used to generate the locked hashes. - Replaces the existing Semgrep install command with
pip install --require-hashes -r .github/requirements-nightly.txt. - Introduces
.github/requirements-nightly.txtcontaining pinned versions and SHA-256 hashes for Semgrep and its transitive dependencies.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
.github/workflows/nightly-test-suite.yml |
Sets up Python 3.11 and installs Semgrep using a hash-locked requirements file. |
.github/requirements-nightly.txt |
Adds pinned Semgrep + dependency versions with SHA-256 hashes for pip --require-hashes. |
| # Platform: manylinux2014_x86_64 / Python 3.11 | ||
| # Regenerate: pip-compile requirements-nightly.in --generate-hashes --python-version 3.11 |
Security Fix
Add
.github/requirements-nightly.txtwith SHA-256 hashes forsemgrep==1.102.0and all 46 transitive dependencies (platform: manylinux2014_x86_64 / Python 3.11).Changes:
.github/requirements-nightly.txt— 46 packages with--hash=sha256:pinsactions/setup-python@ece7cb06 # v6.3.0(Python 3.11) step before "Install test tools" so downloaded wheels match the pinned hashespip3 install --break-system-packages "semgrep==1.102.0"withpip install --require-hashes -r .github/requirements-nightly.txtWhy: The previous unverified pip install allowed supply-chain attacks — a compromised PyPI account or MITM could serve a malicious package. With
--require-hashes, every installed byte is validated against hashes captured at pin time.Fixes #20533
Filed by sec-check agent (ACMM L6 — full mode)