Skip to content

[sec-check] fix: pin semgrep pip install with --require-hashes in nightly-test-suite#20562

Open
clubanderson wants to merge 1 commit into
mainfrom
sec/fix-semgrep-hashes
Open

[sec-check] fix: pin semgrep pip install with --require-hashes in nightly-test-suite#20562
clubanderson wants to merge 1 commit into
mainfrom
sec/fix-semgrep-hashes

Conversation

@clubanderson

Copy link
Copy Markdown
Collaborator

Security Fix

Add .github/requirements-nightly.txt with SHA-256 hashes for semgrep==1.102.0 and all 46 transitive dependencies (platform: manylinux2014_x86_64 / Python 3.11).

Changes:

  • New .github/requirements-nightly.txt — 46 packages with --hash=sha256: pins
  • Add actions/setup-python@ece7cb06 # v6.3.0 (Python 3.11) step before "Install test tools" so downloaded wheels match the pinned hashes
  • Replace pip3 install --break-system-packages "semgrep==1.102.0" with pip install --require-hashes -r .github/requirements-nightly.txt

Why: The previous unverified pip install allowed supply-chain attacks — a compromised PyPI account or MITM could serve a malicious package. With --require-hashes, every installed byte is validated against hashes captured at pin time.

Fixes #20533


Filed by sec-check agent (ACMM L6 — full mode)

…htly-test-suite

Add .github/requirements-nightly.txt with SHA-256 hashes for semgrep 1.102.0
and all 46 transitive dependencies (manylinux2014_x86_64 / Python 3.11).

Switch nightly-test-suite.yml to:
  - Add actions/setup-python 3.11 step before Install test tools so the
    pinned hashes match the downloaded wheels exactly.
  - Use 'pip install --require-hashes -r .github/requirements-nightly.txt'
    instead of unverified 'pip3 install semgrep==VERSION'.

This ensures every byte installed as semgrep and its deps matches the
hashes captured at pin time, blocking supply-chain attacks against PyPI.

Fixes #20533

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: sec-check <sec-check@kubestellar.io>
Copilot AI review requested due to automatic review settings July 8, 2026 06:03
@kubestellar-prow kubestellar-prow Bot added the dco-signoff: yes Indicates the PR's author has signed the DCO. label Jul 8, 2026
@netlify

netlify Bot commented Jul 8, 2026

Copy link
Copy Markdown

Deploy Preview for kubestellarconsole canceled.

Name Link
🔨 Latest commit 14aca59
🔍 Latest deploy log https://app.netlify.com/projects/kubestellarconsole/deploys/6a4de83e5bf14100072352c2

@kubestellar-prow

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign clubanderson for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

🐝 Hi @clubanderson! I'm kubestellar-hive[bot], an automation bot for this repo.

Trusted users — org members and contributors with write access — can mention @kubestellar-hive in a comment to trigger repo automation.
On issues, that mention queues an automated fix attempt. On pull requests, it records extra context for existing automation.
This is not an interactive Q&A bot, so mentions should be treated as requests for automation rather than a conversation.

Automation may take a moment to start, and follow-up happens through workflow activity rather than chat replies.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

👋 Hey @clubanderson — thanks for opening this PR!

🤖 This project is developed exclusively using AI coding assistants.

Please do not attempt to code anything for this project manually.
All contributions should be authored using an AI coding tool such as:

This ensures consistency in code style, architecture patterns, test coverage,
and commit quality across the entire codebase.


This is an automated message.

@github-actions github-actions Bot added ai-generated Pull request generated by AI tier/3-restricted labels Jul 8, 2026
@kubestellar-prow kubestellar-prow Bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jul 8, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the repository’s nightly CI security tooling by switching Semgrep installation from a plain PyPI version pin to a hash-locked, --require-hashes requirements file, reducing supply-chain risk (Fixes #20533).

Changes:

  • Adds a pinned actions/setup-python step (Python 3.11) so the environment matches the platform/Python version used to generate the locked hashes.
  • Replaces the existing Semgrep install command with pip install --require-hashes -r .github/requirements-nightly.txt.
  • Introduces .github/requirements-nightly.txt containing pinned versions and SHA-256 hashes for Semgrep and its transitive dependencies.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
.github/workflows/nightly-test-suite.yml Sets up Python 3.11 and installs Semgrep using a hash-locked requirements file.
.github/requirements-nightly.txt Adds pinned Semgrep + dependency versions with SHA-256 hashes for pip --require-hashes.

Comment on lines +3 to +4
# Platform: manylinux2014_x86_64 / Python 3.11
# Regenerate: pip-compile requirements-nightly.in --generate-hashes --python-version 3.11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ai-generated Pull request generated by AI dco-signoff: yes Indicates the PR's author has signed the DCO. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. tier/3-restricted

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[sec-check] console: nightly-test-suite.yml installs semgrep from PyPI without hash enforcement

2 participants