Atlas image ships google.golang.org/grpc v1.77.0 with critical CVE GHSA-p77j-4mvh-x3m3

## Summary

The `control-plane-migrations` image fails the `no-vulnerabilities-high` policy because the upstream Atlas binary (`arigaio/atlas`) bundles `google.golang.org/grpc` v1.77.0, which is affected by GHSA-p77j-4mvh-x3m3 (Critical, CVSS 9.1) — gRPC-Go authorization bypass via missing leading slash in `:path`.

The fix requires `google.golang.org/grpc` v1.79.3+.

## Current state

* All available Atlas images (`1.1.6`, `latest`/`v1.1.7-8165740-canary`, our pinned `v1.1.7-0f00ade-canary`) ship grpc v1.77.0
* All other Chainloop images (control-plane, artifact-cas, cli) are clean
* Practical risk is low: Atlas is used as a CLI migration tool, not a gRPC server

## Action items

- [X] File upstream issue with [ariga/atlas](<https://github.com/ariga/atlas>) requesting they bump grpc to v1.79.3+ [https://github.com/ariga/atlas/issues/3705](<https://github.com/ariga/atlas/issues/3705>)
- [X] Update `app/controlplane/Dockerfile.migrations` once a fixed Atlas image is available

## References

* [https://github.com/advisories/GHSA-p77j-4mvh-x3m3](<https://github.com/advisories/GHSA-p77j-4mvh-x3m3>)
* Affected file: `app/controlplane/Dockerfile.migrations`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Atlas image ships google.golang.org/grpc v1.77.0 with critical CVE GHSA-p77j-4mvh-x3m3 #2941

Summary

Current state

Action items

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Atlas image ships google.golang.org/grpc v1.77.0 with critical CVE GHSA-p77j-4mvh-x3m3 #2941

Description

Summary

Current state

Action items

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions