Affected Component

OSSF Scorecard `Pinned-Dependencies` check (currently normalized to 8/10).

Context

After PRs #401 (`requirements.lock` for Python tooling) and #493 (`awk` → `cut` plus DL3006 suppression on the OSS-Fuzz base image) merge, the Scorecard `Pinned-Dependencies` check still reports the following unpinned items. None of them are covered by an existing open issue.

This issue tracks closing every remaining gap so the check can return to 10, with the single permanent exception of the OSS-Fuzz upstream base image (no digest published; deduction is unavoidable).

Residual Findings

containerImage — 2 unpinned (excluding the OSS-Fuzz exception)

- `src/500-application/509-sse-connector/services/connector-test-client/Dockerfile:1` — pin `mcr.microsoft.com/azurelinux/base/python:3.12` to `@sha256:8300706a0e644a7e260b6a464a1ae3967181ee9057a4accceaaf0ecdedb1d4a2`
- `src/500-application/509-sse-connector/services/sse-server/Dockerfile:1` — same pin

pipCommand — 4 unpinned

- `src/500-application/510-onvif-connector/services/camera-dashboard/Dockerfile:18` — switch `pip install -r requirements.txt` to `pip install --require-hashes -r requirements.txt`; regenerate `requirements.txt` with `uv pip compile --generate-hashes` (matches the pattern already used by sibling SSE services).
- `.clusterfuzzlite/build_python.sh:31` — pin the `pyinstaller` fallback install to `pyinstaller==<ver>` with `--require-hashes` against a tracked hash file.
- `.clusterfuzzlite/build_python.sh:35` — same treatment for `atheris`.
- `.clusterfuzzlite/build_python.sh:44` — `pip install -r requirements.txt` for harness service deps; depends on each harness service shipping a hashed `requirements.txt`. Scope this as "use `--require-hashes` and require harness services to provide hashed requirements".

npmCommand — 2 unpinned

- `.clusterfuzzlite/build_js.sh:24` — replace `npm install --no-audit --no-fund` with `npm ci`; requires committing `package-lock.json` for `src/500-application/513-tiered-notification-service`.
- `.github/workflows/docs-automation.yml:110` — replace `npm install -g markdown-link-check@3.14.2` with either:
  - `package-lock.json`-backed `npm ci` + `npx markdown-link-check`, or
  - `gaurav-nelson/github-action-markdown-link-check@<sha>`, which moves the dependency from `npmCommand` to the already-100%-pinned `GitHubAction` category.

downloadThenRun — 2 unpinned

- `src/100-edge/100-cncf-cluster/scripts/k3s-device-setup.sh:214` — `curl -sfL https://get.k3s.io | sh -`. Refactor to: download the installer to disk, verify SHA256 against a constant tracked alongside the pinned `K3S_VERSION`, then exec.
- `src/100-edge/100-cncf-cluster/scripts/k3s-device-setup.sh:227` — `curl -LO https://dl.k8s.io/release/.../kubectl`. Refactor to: fetch the version-matched checksum file from `dl.k8s.io`, verify the downloaded binary, then install.

Permanent Exception

- `.clusterfuzzlite/Dockerfile:17` — `gcr.io/oss-fuzz-base/base-builder-rust`. OSS-Fuzz does not publish digests for base-builder images. Scorecard will continue to deduct ~0.3 points; documented in PR #493 (fix(docker): replace awk with cut for hash verification in Dockerfiles and templates).

Acceptance Criteria

- `Pinned-Dependencies` check reports 9.7+ (10 minus the OSS-Fuzz deduction).

Dependencies

- #401 (`requirements.lock`) — landed lockfile pattern that this issue extends to camera-dashboard.
- #493 (`awk` → `cut` + DL3006) — addresses the parallel hadolint cleanup; not blocking but reduces overlap.

References

- `Pinned-Dependencies` docs: https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies
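The two downloadThenRun items in Residual Findings (the k3s installer and the kubectl binary) call for the same shape: download to disk, verify a SHA256 against a value that is either tracked in the repository or fetched from a version-matched checksum file, and only then execute or install. The script below is an added example of that shape and is not code from this issue or from `k3s-device-setup.sh`; the `K3S_VERSION` default, the `K3S_INSTALLER_SHA256` placeholder and the `KUBECTL_VERSION` default are assumptions, and `verify_against_checksum_file` accepts both the bare-hash form that `dl.k8s.io` serves for `kubectl.sha256` and the `hash  filename` form that `sha256sum` writes.

```shell
#!/bin/sh
# Added example (not from the issue or the repository): download, verify,
# then run. The version/checksum constants are placeholders; the real ones
# belong next to the pinned K3S_VERSION in the repository's own script.
set -eu

K3S_VERSION="${K3S_VERSION:-v1.30.0+k3s1}"                        # assumed pin
K3S_INSTALLER_SHA256="${K3S_INSTALLER_SHA256:-<tracked-sha256>}"  # placeholder
KUBECTL_VERSION="${KUBECTL_VERSION:-v1.30.0}"                      # assumed pin
ARCH="${ARCH:-amd64}"

# Hex SHA256 of a file; works with coreutils (sha256sum) and BSD (shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX: exit 0 on match, 1 otherwise. Never runs FILE.
verify_sha256() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# verify_against_checksum_file FILE CHECKSUM_FILE: CHECKSUM_FILE may hold a
# bare hash (dl.k8s.io kubectl.sha256) or "hash  filename" (sha256sum output).
verify_against_checksum_file() {
    expected=$(head -n1 "$2" | cut -d' ' -f1)
    verify_sha256 "$1" "$expected"
}

# fetch_verified URL DEST EXPECTED_HEX: download to DEST, verify, delete on
# mismatch so a tampered or truncated file can never be executed later.
fetch_verified() {
    curl -sfL --proto '=https' --tlsv1.2 -o "$2" "$1"
    if ! verify_sha256 "$2" "$3"; then
        rm -f "$2"
        echo "checksum mismatch for $1" >&2
        return 1
    fi
}

# Replacement for `curl -sfL https://get.k3s.io | sh -`: the installer only
# runs after its checksum matched the tracked constant.
install_k3s() {
    tmp=$(mktemp)
    fetch_verified "https://get.k3s.io" "$tmp" "$K3S_INSTALLER_SHA256"
    INSTALL_K3S_VERSION="$K3S_VERSION" sh "$tmp"
    rm -f "$tmp"
}

# Replacement for `curl -LO https://dl.k8s.io/release/.../kubectl`: fetch the
# version-matched .sha256 file, verify the binary, then install it.
install_kubectl() {
    base="https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}"
    tmp=$(mktemp -d)
    curl -sfL --proto '=https' --tlsv1.2 -o "$tmp/kubectl" "$base/kubectl"
    curl -sfL --proto '=https' --tlsv1.2 -o "$tmp/kubectl.sha256" "$base/kubectl.sha256"
    verify_against_checksum_file "$tmp/kubectl" "$tmp/kubectl.sha256"
    install -m 0755 "$tmp/kubectl" /usr/local/bin/kubectl
    rm -rf "$tmp"
}
```

Keeping the verify step in its own function (never combined with execution) is what lets a unit test exercise the mismatch path offline; the k3s constant must be updated together with `K3S_VERSION` whenever the pin moves, which is the point of tracking both side by side.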
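Each of the four Residual Findings categories (containerImage, pipCommand, npmCommand, downloadThenRun) can be caught locally before Scorecard runs, so that closing this issue does not regress. The lint below is an added example, not part of this issue or the repository's CI; its only value taken from the issue is the `gcr.io/oss-fuzz-base/` allowlist entry for the documented permanent exception, and every sample input in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the issue or the repository): a pre-push lint that
# mirrors the Scorecard Pinned-Dependencies categories named in the issue.
set -u

# Image prefixes that may stay tag-pinned because upstream publishes no digest
# (the issue's permanent exception for OSS-Fuzz base-builder images).
DIGESTLESS_ALLOWLIST="gcr.io/oss-fuzz-base/"

# check_dockerfile FILE: one line per FROM that is not digest-pinned; exit
# status is the number of findings. Stage names and build-arg stages are skipped.
check_dockerfile() {
    awk -v allow="$DIGESTLESS_ALLOWLIST" '
        BEGIN { n = 0 }
        toupper($1) == "FROM" {
            img = $2
            if (img ~ /^--/) img = $3                  # FROM --platform=... image
            for (i = 2; i <= NF; i++)
                if (toupper($i) == "AS") stages[tolower($(i + 1))] = 1
            if (tolower(img) in stages) next           # FROM <earlier stage>
            if (img ~ /^\$/) next                      # FROM ${BASE_IMAGE}
            if (split(img, p, "@sha256:") == 2 && length(p[2]) == 64 && p[2] ~ /^[0-9a-f]+$/) next
            if (index(img, allow) == 1) next
            print FILENAME ":" NR ": containerImage not digest-pinned: " img
            n++
        }
        END { exit n }' "$1"
}

# check_requirements FILE: every logical requirement line (continuations
# joined) must be ==-pinned and carry at least one --hash=sha256: entry, the
# layout `uv pip compile --generate-hashes` and pip-compile produce.
check_requirements() {
    awk '
        BEGIN { n = 0; buf = "" }
        /^[ \t]*#/ && buf == "" { next }
        /^[ \t]*$/ && buf == "" { next }
        {
            line = $0
            if (sub(/\\[ \t]*$/, "", line)) { buf = buf line; next }   # continuation
            buf = buf line
            if (buf !~ /^[ \t]*-/) {                    # skip -r / --index-url lines
                if (buf !~ /==/ || buf !~ /--hash=sha256:/) {
                    print FILENAME ":" NR ": pipCommand requirement without pinned hash: " buf
                    n++
                }
            }
            buf = ""
        }
        END { exit n }' "$1"
}

# check_script FILE: flags download-then-run pipes, pip installs without
# --require-hashes, and npm install (vs. npm ci against a committed lockfile).
check_script() {
    awk '
        BEGIN { n = 0 }
        /^[ \t]*#/ { next }
        /(curl|wget)[^|]*\|[ \t]*(sudo[ \t]+)?(bash|zsh|sh)([ \t]|$)/ {
            print FILENAME ":" NR ": downloadThenRun: " $0; n++ }
        /pip3?[ \t]+install/ && !/--require-hashes/ {
            print FILENAME ":" NR ": pipCommand without --require-hashes: " $0; n++ }
        /npm[ \t]+install([ \t]|$)/ {
            print FILENAME ":" NR ": npmCommand: use npm ci with a committed package-lock.json: " $0; n++ }
        END { exit n }' "$1"
}

# lint_tree DIR: run every check over a tree; non-zero if anything is unpinned.
# (Word-splits on paths; fine for repositories without spaces in file names.)
lint_tree() {
    rc=0
    for f in $(find "$1" -name Dockerfile -o -name '*.Dockerfile'); do check_dockerfile "$f" || rc=1; done
    for f in $(find "$1" -name requirements.txt); do check_requirements "$f" || rc=1; done
    for f in $(find "$1" -name '*.sh'); do check_script "$f" || rc=1; done
    return $rc
}
```

Run `lint_tree .` from the repository root; each finding names the file and line in the same category vocabulary Scorecard uses, so the output maps directly onto the checklist in this issue. The lint is deliberately stricter than Scorecard on npm (it treats any `npm install` as a finding) because the issue's resolution for both npm items is `npm ci` against a committed `package-lock.json`.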