Summary
Follow-up from PR #86 review (Kimi-2.6). Two improvements for the
security container image before production OpenShift deployment.
1. pip hash verification
semgrep and bandit are version-pinned but installed without hash
verification. Use pip install --require-hashes -r requirements.txt
with a generated lock file to close the supply chain gap.
This requires hashing all transitive dependencies (~50 packages for
semgrep), so it was deferred from the initial PR.
2. OCI labels and HEALTHCHECK
Add standard OCI metadata labels (org.opencontainers.image.source,
.version, .description) and a HEALTHCHECK instruction for
production runtime visibility.
Note: Kubernetes deployments typically configure liveness/readiness
probes in the deployment manifest, so HEALTHCHECK is lower priority
than OCI labels for image inventory and SBOM generation.
Related
Summary
Follow-up from PR #86 review (Kimi-2.6). Two improvements for the
security container image before production OpenShift deployment.
1. pip hash verification
semgrepandbanditare version-pinned but installed without hashverification. Use
pip install --require-hashes -r requirements.txtwith a generated lock file to close the supply chain gap.
This requires hashing all transitive dependencies (~50 packages for
semgrep), so it was deferred from the initial PR.
2. OCI labels and HEALTHCHECK
Add standard OCI metadata labels (
org.opencontainers.image.source,.version,.description) and aHEALTHCHECKinstruction forproduction runtime visibility.
Note: Kubernetes deployments typically configure liveness/readiness
probes in the deployment manifest, so
HEALTHCHECKis lower prioritythan OCI labels for image inventory and SBOM generation.
Related