trentuna/candle-annotator
8
0
Fork 0
Code Issues Pull requests Releases Packages Activity Actions

security: add SHA256 checksum verification for TA-Lib download in ML Dockerfile

Browse source 
Splits the monolithic TA-Lib build RUN command to insert an ARG for the
expected SHA256 hash and a sha256sum -c verification step immediately after
the wget download, before extraction and build. Marks task 6.5 complete.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Marko Djordjevic 2026-02-18 11:36:06 +01:00
parent a6e0697ab5
commit e146de2e05
2 changed files with 10 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

2
openspec/changes/code-review-fix/tasks.md
View file

@ -56,7 +56,7 @@
- [x] 6.2 `[sonnet]` Add `USER appuser` to `services/ml/Dockerfile`: create user with `useradd`, set ownership, add USER directive before CMD
- [x] 6.3 `[haiku]` Create `.dockerignore` with `.git`, `.env`, `.env*`, `node_modules`, `.next`, `data/`, `*.md`, `__pycache__/`, `mlruns/`, `models/`
- [x] 6.4 `[haiku]` Change TA-Lib download URL to HTTPS in `services/ml/Dockerfile:10`
- [ ] 6.5 `[sonnet]` Add SHA256 checksum verification for TA-Lib download in `services/ml/Dockerfile`
- [x] 6.5 `[sonnet]` Add SHA256 checksum verification for TA-Lib download in `services/ml/Dockerfile`
- [ ] 6.6 `[haiku]` Remove `COPY --from=builder /app/node_modules ./node_modules` line from `Dockerfile:29` (standalone doesn't need it)
- [ ] 6.7 `[sonnet]` Pin Docker base images to `@sha256:` digests in both Dockerfiles
- [ ] 6.8 `[haiku]` Fix healthcheck tool mismatch: use same tool (curl) in Dockerfile and docker-compose.yml