Skip to content

security(monitors): hash-pin requirements.txt (--require-hashes lock)#75

Closed
pmoses-s1 wants to merge 1 commit into
Sentinel-One:mainfrom
pmoses-s1:fix/monitor-requirements-hashes
Closed

security(monitors): hash-pin requirements.txt (--require-hashes lock)#75
pmoses-s1 wants to merge 1 commit into
Sentinel-One:mainfrom
pmoses-s1:fix/monitor-requirements-hashes

Conversation

@pmoses-s1

Copy link
Copy Markdown
Contributor

Complete the monitor supply-chain hardening: replace the version-only
monitors/requirements.txt with a fully hash-locked resolution.

Changes

  • monitors/requirements.txt — direct + transitive deps (24 packages) pinned with --hash (SHA-256), --require-hashes compatible.
  • monitors/requirements.in — regeneration source (pip-compile --generate-hashes).
  • README.md — note the lock is hash-pinned and how to regenerate.

Verification
pip install --require-hashes --dry-run -r monitors/requirements.txt resolves and verifies all 24 packages (exit 0).

Completes the finding-3 hardening. Replace version-only pins with a fully
hash-locked resolution (direct + transitive, 24 packages) generated from
requirements.in via pip-compile --generate-hashes, and add requirements.in as
the regeneration source. Verified installable under pip install --require-hashes
(dry-run, all 24 packages). README updated to reflect the hash-locked file.
@pmoses-s1

Copy link
Copy Markdown
Contributor Author

Superseded — folded the hash-pinned requirements.txt (plus .pyc cleanup) into PR #74.

@pmoses-s1 pmoses-s1 closed this Jul 8, 2026
@pmoses-s1 pmoses-s1 deleted the fix/monitor-requirements-hashes branch July 8, 2026 04:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant