Description

I would like to also suggest a security practice recommended by the OpenSSF Scorecard which is to hash pin dependencies to prevent dependency-confusion, typosquatting and tag renaming attacks.

The change would only be applied to GitHub workflows, dockerfiles and shell scripts dependencies.

This means:

• Hash pinning GitHub Workflow actions.

actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b # v4.6.0

• Using --require-hashes on pip installs.

python -m pip install -r requirements.txt --require-hashes

Along with hash-pinning dependencies, I also recommend adopting dependabot or renovatebot to help keep the dependencies up to date. Both tools can update hashes and associated semantic version comments.

Let me know if you are open to evaluate those changes and I'll submit the PR ASAP.

Any questions or concerns just let me know.
Thanks!

Additional Context

A tag renaming attack is a type of attack whereby an attacker:

• Hijack an action.
• Upload a malicious version.
• Replace existing tags with malicious versions.

A dependency-confusion attack occurs when an attacker:

• Find the name of a package that the victims wants to install
• Create an identically named package and publish it under the public or default registry.
• Assign the package with a higher version number to trick the package manager tool to download it from the public repo.

A typosquatting attack is a type of attack whereby an attacker:

• Create a malicious package
• Publish it with a similar name of a known package (example: numpi instead of numpy)

For more informations about the dependency-update tools:

• Dependabot
• Renovatebot