SLSA provenance and supply chain hardening for agentsec itself #61

@debu-sinha

Description

Problem or use case

A security tool asking users to trust it must be verifiable. agentsec depends on broad version ranges (detect-secrets>=1.4,<2, pyyaml>=6.0,<7). A compromised dependency could exfiltrate the secrets agentsec scans. No pinned lockfile, no SLSA provenance, no Sigstore signatures on PyPI releases.

Proposed solution

  1. Ship a pinned lockfile with hashes for all dependencies
  2. Add SLSA Level 2+ provenance to PyPI releases via GitHub Actions
  3. Add Sigstore signatures on release artifacts
  4. Support pip install --require-hashes compatible install path
  5. Add dependency hash verification in CI

Area

Build / supply chain
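Item 5 of the proposal in working form, as an added example that is not part of the issue or of agentsec's own code: a CI-side check that parses a pip-compile style hashed requirements file and verifies every artifact in a dist directory against the pinned sha256 digests (the same rule pip applies under --require-hashes). The package versions, file names and file contents in demo() are constructed, not real releases.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# One pinned requirement after joining backslash continuations, e.g.
#   pyyaml==6.0.1 --hash=sha256:<64 hex> --hash=sha256:<64 hex>
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})$")


def parse_hashed_requirements(text):
    """Return {"name==version": {sha256 hex, ...}}. Every requirement must be
    pinned to an exact version and carry at least one hash, as --require-hashes demands."""
    pinned = {}
    for line in text.replace("\\\n", " ").splitlines():
        tokens = line.split("#", 1)[0].split()  # drop "# via ..." comments
        if not tokens:
            continue
        req, opts = tokens[0], tokens[1:]
        if "==" not in req:
            raise ValueError(f"{req}: not pinned to an exact version")
        digests = set()
        for opt in opts:
            m = HASH_RE.match(opt)
            if not m:
                raise ValueError(f"{req}: unsupported option {opt!r}")
            digests.add(m.group(1))
        if not digests:
            raise ValueError(f"{req}: no --hash given")
        pinned[req.lower()] = digests
    return pinned


def verify_dist(dist_dir, pinned):
    """Compare each artifact in dist_dir with the pinned digests.
    Returns a list of problems; an empty list means every file is accounted for."""
    problems, seen = [], set()
    for path in sorted(Path(dist_dir).iterdir()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        owner = next((r for r, d in pinned.items() if digest in d), None)
        if owner is None:
            problems.append(f"{path.name}: sha256 {digest[:12]}... matches no pinned requirement")
        else:
            seen.add(owner)
    problems += [f"{r}: no artifact with a pinned hash found" for r in pinned if r not in seen]
    return problems


def demo():
    """Constructed scenario: one artifact matches its pin, one was swapped for tampered bytes."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "pyyaml-6.0.1.tar.gz").write_bytes(b"constructed sdist bytes")
        Path(d, "detect_secrets-1.5.0.whl").write_bytes(b"TAMPERED wheel bytes")
        reqs = (f"pyyaml==6.0.1 \\\n    --hash=sha256:{hashlib.sha256(b'constructed sdist bytes').hexdigest()}\n"
                f"detect-secrets==1.5.0 \\\n    --hash=sha256:{'0' * 64}\n")
        return verify_dist(d, parse_hashed_requirements(reqs))
```

In CI the same check runs over the output of pip download --require-hashes -r requirements.txt -d dist/ before anything is installed.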

Metadata

Labels

enhancement (New feature or request), security (Security hardening)
