Refactor Dockerfile to install Poetry using hashed requirements for security

amarauzoma · amarauzoma · commit 708197e9807d · 2026-04-29T11:50:00.000+01:00
diff --git a/lambdas/mock_pds/Dockerfile b/lambdas/mock_pds/Dockerfile
@@ -6,7 +6,10 @@ ENV PIP_ONLY_BINARY=:all: \
 RUN mkdir -p /home/appuser && \
     echo 'appuser:x:1001:1001::/home/appuser:/sbin/nologin' >> /etc/passwd && \
     echo 'appuser:x:1001:' >> /etc/group && \
-    chown -R 1001:1001 /home/appuser && pip install --only-binary :all: "poetry==2.1.4"
+    chown -R 1001:1001 /home/appuser && \
+    printf 'poetry==2.1.4 --hash=sha256:0019b64d33fed9184a332f7fad60ca47aace4d6a0e9c635cdea21b76e96f32ce\n' > /tmp/poetry-requirements.txt && \
+    pip install --only-binary :all: --require-hashes -r /tmp/poetry-requirements.txt && \
+    rm -f /tmp/poetry-requirements.txt
 
 COPY ./mock_pds/poetry.lock ./mock_pds/pyproject.toml ./
 
