Parent tracking issue
Control
Dependency/base image pinning and verification.
Why
Mitigates supply-chain tampering and dependency confusion risks in CI/build (TM-12, TM-13, TM-14; priority P1).
Scope
- Lockfiles: Ensure dependency lockfile(s) are committed and CI builds use locked/frozen installs
- Base images: N/A for this repository unless Dockerfiles are introduced later
- Toolchain pinning: Pin language toolchain versions (rust-toolchain.toml, .nvmrc, .python-version, go.mod go version, etc.)
- Integrity verification: Enable dependency verification where supported (cargo --locked, npm ci, go mod verify, pip hash-checking mode)
- Curl/install scripts: Replace any curl | sh patterns with verified downloads or pinned tool versions
- Run CI and check for compatibility breaks after changes
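The pattern the "Curl/install scripts" item asks for, as an added example (not code from the reductstore repository): the tool version and release digest are pinned in the script, the download is written to disk and its SHA-256 compared against the pin before anything is executed or installed. The tool name, URL and version are hypothetical and the digest is a placeholder to be copied from the upstream release page.

```shell
#!/usr/bin/env sh
# Added example: replacing `curl | sh` with a pinned, verified download.
set -eu

# Portable SHA-256 of a file (GNU coreutils sha256sum or BSD/macOS shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_pinned FILE EXPECTED_SHA256 -> returns 0 on match, 1 on mismatch.
# Fails closed: a wrong or missing pin is a build failure, not a warning.
verify_pinned() {
  file=$1
  expected=$2
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    return 1
  fi
  return 0
}

# Pins live together at the top so a version bump is one reviewable diff.
TOOL_VERSION="1.2.3"                                   # hypothetical
TOOL_SHA256="<sha256-of-release-asset>"                # placeholder: take from upstream release page
TOOL_URL="https://example.invalid/tool/v${TOOL_VERSION}/tool-linux-amd64"  # hypothetical

# install_tool: download to a temp file, verify, then install. Nothing is
# piped into a shell, and a failed check removes the download.
install_tool() {
  tmp=$(mktemp)
  curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$TOOL_URL"
  verify_pinned "$tmp" "$TOOL_SHA256" || { rm -f "$tmp"; return 1; }
  install -m 0755 "$tmp" /usr/local/bin/tool
  rm -f "$tmp"
}

# In CI, call install_tool after filling in the real pin; it is not invoked here.
```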
Deliverables
- PR(s) that implement pinning and verification for this repository
- Evidence of lockfile usage and dependency verification in PR description
- Notes about any compatibility changes/fixes made
Definition of done
- All lockfiles are committed and CI uses locked/frozen installs
- Base image pinning is documented as N/A unless Dockerfiles exist
- Toolchain versions are pinned
- No unverified curl | sh install patterns remain
- Links to PR(s) are posted back to parent issue reductstore/security#34