To ensure that end users really download the correct packages and do not fall victim to man-in-the-middle attacks or supply chain attacks (where a third-party dependency is manipulated), we recommend verifying the integrity of all third-party dependencies.
We could identify three types of third-party dependencies:
Docker images
pip packages
Node packages
Ubuntu/CentOS packages
Node already has a built-in integrity check. Docker and pip support integrity checks, but they are not enforced by default.
We recommend enabling these integrity checks for Docker and pip.
For Docker we can pull images by digest, which is an immutable identifier:
https://docs.docker.com/engine/reference/commandline/pull/#pull-an-image-by-digest-immutable-identifier
Content trust in Docker:
From https://docs.docker.com/engine/security/trust/
In pip we can add the hash of each package to the requirements.txt file (hash-checking mode):
https://pip.pypa.io/en/stable/cli/pip_install/#hash-checking-mode
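As an added example (not code from this issue or its project), a small lint script that checks whether the two controls above are actually in place: every `FROM` in a Dockerfile pinned by digest, and every requirement in a requirements.txt carrying a `--hash`. The Dockerfile, requirements file and digests used below are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the original issue. check_dockerfile passes only
# when every FROM pins its image by digest (name@sha256:<64 hex>) or names an
# earlier build stage; check_requirements passes only when every requirement
# carries a --hash=sha256:<64 hex>, the option that puts pip into hash-checking
# mode (in that mode pip also insists that every requirement, transitive ones
# included, is pinned and hashed). Sample files are constructed; digests are placeholders.

check_dockerfile() {                        # usage: check_dockerfile <Dockerfile>
  awk '
    toupper($1) == "FROM" {
      i = 2; while ($i ~ /^--/) i++         # skip flags such as --platform=...
      img = $i
      if (!(img in stages)) {               # "FROM builder" refers to a stage, not a registry
        n = split(img, p, "@sha256:")       # p[2] is the digest, if there is one
        if (n != 2 || length(p[2]) != 64 || p[2] !~ /^[0-9a-f]+$/) bad++
      }
      if (toupper($(i+1)) == "AS") stages[$(i+2)] = 1
    }
    END { exit (bad > 0) }' "$1"
}

check_requirements() {                      # usage: check_requirements <requirements.txt>
  awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }    # comments and blank lines
    req == "" && /^[[:space:]]*-/ { next }          # option lines such as -r or --index-url
    { req = req " " $0 }
    !/\\[[:space:]]*$/ {                            # no trailing backslash: requirement complete
      # 14 == length("--hash=sha256:"); require a full 64-hex digest after it
      if (!match(req, /--hash=sha256:[0-9a-f]+/) || RLENGTH != 14 + 64) bad++
      req = ""
    }
    END { exit (bad > 0) }' "$1"
}

work=$(mktemp -d)
d=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef   # placeholder digest
cat > "$work/Dockerfile.pinned" <<EOF
FROM python:3.12-slim@sha256:$d AS builder
FROM builder
FROM --platform=linux/amd64 nginx@sha256:$d
EOF
printf 'FROM python:3.12-slim\n' > "$work/Dockerfile.tagged"     # tag only: mutable
cat > "$work/req.hashed" <<EOF
--index-url https://pypi.org/simple
requests==2.32.3 \\
    --hash=sha256:$d
EOF
printf 'requests==2.32.3\n' > "$work/req.unhashed"
```

Running `check_dockerfile "$work/Dockerfile.pinned"` and `check_requirements "$work/req.hashed"` succeeds, while the `.tagged` and `.unhashed` samples fail, so the script is suitable as a CI gate.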