
Use immutable digest for UV container image

Open · Copilot opened this issue 2 months ago · 1 comment

The Dockerfile referenced the UV tooling image by mutable tag (ghcr.io/astral-sh/uv:0.9.17), allowing supply chain attacks if the tag is replaced with a malicious image.

Changes:

  • Pin UV image to immutable digest: ghcr.io/astral-sh/uv:0.9.17@sha256:5cb6b54d2bc3fe2eb9a8483db958a0b9eebf9edff68adedb369df8e7b98711a2

The digest ensures the exact image contents are verified via SHA256 hash, preventing execution of backdoored binaries during uv sync.
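One way to keep this class of regression out of the repository, as an added example that is not the project's own code: a small Python check that flags every `FROM` / `COPY --from` image reference in a Dockerfile that is not pinned to an `@sha256:` digest. The sample Dockerfile below is constructed for the demonstration; the pinned `uv` reference is the one from this issue.

```python
import re
from dataclasses import dataclass

# Simplified image reference grammar: [registry[:port]/]name[:tag][@sha256:<64 hex>]
IMAGE_REF = re.compile(
    r"^(?P<name>[A-Za-z0-9][\w.\-/:]*?)(?::(?P<tag>[\w.\-]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)
FROM_LINE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?", re.IGNORECASE)
COPY_FROM = re.compile(r"^COPY\s+.*--from=(?P<ref>\S+)", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    ref: str
    reason: str


def check_dockerfile(text: str) -> list[Finding]:
    """Return a Finding for every image pulled by FROM or COPY --from that is not digest-pinned."""
    findings: list[Finding] = []
    stages: set[str] = set()  # build-stage names; referencing a stage is not a registry pull
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = FROM_LINE.match(line) or COPY_FROM.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if m.re is FROM_LINE and m.group("stage"):
            stages.add(m.group("stage").lower())
        # Stage references (by name or index) and the empty 'scratch' image have nothing to pin.
        if ref.lower() in stages or ref.isdigit() or ref.lower() == "scratch":
            continue
        if "$" in ref:
            findings.append(Finding(line_no, ref, "reference built from ARG/ENV; pin cannot be verified statically"))
            continue
        parsed = IMAGE_REF.match(ref)
        if parsed is None or parsed.group("digest") is None:
            findings.append(Finding(line_no, ref, "mutable tag only; not pinned to a sha256 digest"))
    return findings


# Constructed sample Dockerfile: one mutable uv reference, one pinned to the digest from the issue.
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim AS base
COPY --from=ghcr.io/astral-sh/uv:0.9.17 /uv /uvx /bin/
FROM base AS runtime
COPY --from=0 /app /app
COPY --from=ghcr.io/astral-sh/uv:0.9.17@sha256:5cb6b54d2bc3fe2eb9a8483db958a0b9eebf9edff68adedb369df8e7b98711a2 /uv /bin/uv
"""

if __name__ == "__main__":
    for f in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {f.line_no}: {f.ref}: {f.reason}")
```

Run against the sample, only the `python:3.12-slim` base image and the tag-only `uv` reference are reported; stage references and the digest-pinned line pass.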



Copilot commented Dec 18 '25 19:12

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.
