Skip to content

chore: Pinned-Dependencies #96 #3072

Open
Open
chore: Pinned-Dependencies #96#3072
Labels
area/dependencyIssues or PRs related to dependency changesarea/securityIssues or PRs related to security
@Tomasz-Smelcerz-SAP

Description

@Tomasz-Smelcerz-SAP
Tomasz-Smelcerz-SAP
opened on Feb 24, 2026

Description

GitHub code scanning tool reports we don't pin Istio dependency
The problem is in the scripts/install/istioctl_install.sh:31
We don't pin it indeed.
By "pinning" I mean using some sort of cryptographic hash to uniquely identify the version.
As we're not using any standard dependency management tool, but we're just downloading the binary from the release page, we can't just "pin" it declaratively.
What we can do though is to extend the scripts/install/istioctl_install.sh script to verify the download file digest.
The question is how we then store the digest.
I vote for extending the versions.yaml file in the following way:
currently:
istio: "1.26.4"
after changes
`istio: "1.26.4@bd9844087a51e8429823579a40a8cfa9da20268dd368151a24be910eebcd1445"

In this way, it's clear the version is "pinned" and we have to handle the digest in every place we're using the value.
Feel free to propose another solution though, if there is a better one or this one can't be implemented.

Reasons

Reduce the risk of "supply-chain-attack".

No response

Acceptance Criteria

  • Istio version installed when running tests is "pinned" using cryptographic digest.

See also

#2645

Metadata

Metadata

Assignees

No one assigned

    Labels

    area/dependencyIssues or PRs related to dependency changesarea/securityIssues or PRs related to security

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions