To ensure that end users really download the correct packages and do not fall victim to man-in-the-middle attacks or supply chain attacks (a third party dependency is manipulated), we recommend verifying the integrity of all third party dependencies.
We could identify three types of third party dependencies:
- Docker images
- pip packages
- Node packages
- Ubuntu/CentOS packages
Node already has a built-in integrity check. Docker and pip support integrity checks, but they are not checked by default.
We recommend enabling this integrity check in Docker and pip.
For Docker we can use the digest of the image, see [Content trust in Docker](https://docs.docker.com/engine/security/trust/).
In pip we can add the hash to the requirements.txt file, see [hash-checking mode](https://pip.pypa.io/en/stable/cli/pip_install/#hash-checking-mode).
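As an added illustration (not part of this issue or the project's own code), the script below shows what both pinning mechanisms look like and lints for them: it parses `--hash=` entries from a requirements.txt the way pip's hash-checking mode expects them, reports requirements that would make `pip install --require-hashes` refuse the file, verifies a downloaded artifact against its pinned hashes, and flags Dockerfile `FROM` lines that reference an image by tag instead of an `@sha256` digest. The package names, wheel bytes and image digest are constructed sample values.

```python
import hashlib
import re

# pip writes hashes as "--hash=sha256:<hex>"; a requirement may carry several.
HASH_OPT = re.compile(r"--hash=(?P<algo>sha256|sha384|sha512):(?P<hex>[0-9a-f]+)")
# A digest-pinned Docker reference ends in "@sha256:<64 hex chars>".
DIGEST_REF = re.compile(r"@sha256:[0-9a-f]{64}$")

SAMPLE_WHEEL = b"constructed stand-in for a downloaded wheel"  # constructed sample
SAMPLE_REQUIREMENTS = (  # constructed sample; the hash is computed from SAMPLE_WHEEL
    "requests==2.31.0 \\\n"
    "    --hash=sha256:" + hashlib.sha256(SAMPLE_WHEEL).hexdigest() + "\n"
    "urllib3==2.2.1   # no hash: --require-hashes would refuse this file\n"
)
SAMPLE_DOCKERFILE = (  # constructed sample; the digest is a placeholder, not a real image
    "FROM python:3.12-slim AS build\n"
    "FROM --platform=linux/amd64 python@sha256:" + "0" * 64 + "\n"
)


def parse_requirements(text):
    """Map name -> [(algo, hexdigest)] from --hash options; handles backslash continuations."""
    pins = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name = re.split(r"==|\s", line, maxsplit=1)[0].lower()  # simplified name parsing
        pins[name] = [(m.group("algo"), m.group("hex")) for m in HASH_OPT.finditer(line)]
    return pins


def unhashed_requirements(text):
    """Names that would make 'pip install --require-hashes' fail (no hash pinned)."""
    return sorted(n for n, h in parse_requirements(text).items() if not h)


def verify_artifact(data, pins):
    """True if the downloaded bytes match any pinned (algo, hexdigest), as pip checks."""
    return any(hashlib.new(algo, data).hexdigest() == hexdigest for algo, hexdigest in pins)


def unpinned_base_images(dockerfile):
    """FROM references that use only a tag (or none) instead of an @sha256 digest."""
    unpinned = []
    for line in dockerfile.splitlines():
        parts = line.split()
        if not parts or parts[0].upper() != "FROM":
            continue
        ref = next((p for p in parts[1:] if not p.startswith("--")), "")  # skip --platform=
        if ref and ref.lower() != "scratch" and not DIGEST_REF.search(ref):
            unpinned.append(ref)
    return unpinned
```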