python-monorepo

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The Dockerfiles explicitly copy and use the external image ghcr.io/astral-sh/uv:latest (COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv) and then invoke its uv binary (RUN uv sync ...), so this remote image is fetched at build/runtime, supplies executable code that is run during the build, and is relied on as a required dependency.