Pin image SHA in Dockerfiles

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine
+FROM alpine:3.17.2@sha256:e2e16842c9b54d985bf1ef9242a313f36b856181f188de21313820e177002501
 LABEL maintainer="Fleet Developers"
 
 RUN apk --update add ca-certificates

Dockerfile-desktop-linux

@@ -1,4 +1,4 @@
-FROM --platform=linux/amd64 golang:1.20.1-bullseye
+FROM --platform=linux/amd64 golang:1.20.1-bullseye@sha256:745aa72cefb6f9527c1588590982c0bdf85a1be5d611dda849e54b5dbf551506
 LABEL maintainer="Fleet Developers"
 
 RUN apt-get update && apt-get install -y \

Dockerfile.osquery-perf

@@ -1,4 +1,4 @@
-FROM golang:1.20.1-alpine
+FROM golang:1.20.1-alpine@sha256:18da4399cedd9e383beb6b104d43aa1d48bd41167e312bb5306d72c51bd11548
 
 ARG ENROLL_SECRET
 ARG HOST_COUNT

changes/pin-dockerfiles

@@ -0,0 +1 @@
+- Pin Docker image hashes in Dockerfiles for increased security.

infrastructure/sandbox/JITProvisioner/deprovisioner/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.19.4-alpine AS builder
+FROM golang:1.19.4-alpine@sha256:86d32cc0dfc04757fd8aeebb86308e6d1e3de60c73cb59e0f99c7b2ef77416b6 AS builder
 RUN apk update && apk add --no-cache git curl openssl unzip
 WORKDIR /build
 COPY . .

infrastructure/sandbox/JITProvisioner/lambda/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.19.4-alpine AS builder
+FROM golang:1.19.4-alpine@sha256:86d32cc0dfc04757fd8aeebb86308e6d1e3de60c73cb59e0f99c7b2ef77416b6 AS builder
 WORKDIR /build
 COPY . .
 RUN go get -d -v

infrastructure/sandbox/Monitoring/lambda/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.19.4-alpine AS builder
+FROM golang:1.19.4-alpine@sha256:86d32cc0dfc04757fd8aeebb86308e6d1e3de60c73cb59e0f99c7b2ef77416b6 AS builder
 WORKDIR /build
 COPY . .
 RUN go get -d -v

infrastructure/sandbox/PreProvisioner/lambda/Dockerfile

@@ -1,12 +1,12 @@
-FROM rust:latest AS builder
+FROM rust:latest@sha256:02a53e734724bef4a58d856c694f826aa9e7ea84353516b76d9a6d241e9da60e AS builder
 
 ARG transporter_url=https://itunesconnect.apple.com/WebObjects/iTunesConnect.woa/ra/resources/download/public/Transporter__Linux/bin
 
 RUN cargo install --version 0.16.0 apple-codesign \
   && curl -sSf $transporter_url -o transporter_install.sh \
   && sh transporter_install.sh --target transporter --accept --noexec
 
-FROM golang:1.19.4-bullseye
+FROM golang:1.19.4-bullseye@sha256:9d235ae41bff699b44255bf912e77acac5046b06e61b018561239a35d9bd2ebb
 
 RUN apt-get update \
   && dpkg --add-architecture i386 \

tools/bomutils-docker/Dockerfile

@@ -1,4 +1,4 @@
-FROM debian:stable-slim AS builder
+FROM debian:stable-slim@sha256:0f116858482fd8222b4f7e9b4cdc9a054051e67fbb8a57bc22651f0d56b45ad8 AS builder
 
 RUN apt-get update
 RUN apt-get install -y build-essential autoconf libxml2-dev libssl-dev zlib1g-dev curl
@@ -19,7 +19,7 @@ COPY patch.txt .
 RUN cd xar-xar-1.6.1/xar && patch < ../../patch.txt && autoconf && ./configure && make && make install
 
 
-FROM debian:stable-slim
+FROM debian:stable-slim@sha256:0f116858482fd8222b4f7e9b4cdc9a054051e67fbb8a57bc22651f0d56b45ad8
 
 RUN apt-get update && apt-get install -y --no-install-recommends libxml2  && rm -rf /var/lib/apt/lists/*
 COPY --from=builder /usr/bin /usr/bin/

tools/fleetctl-docker/Dockerfile

@@ -1,12 +1,12 @@
-FROM rust:latest AS builder
+FROM rust:latest@sha256:02a53e734724bef4a58d856c694f826aa9e7ea84353516b76d9a6d241e9da60e AS builder
 
 ARG transporter_url=https://itunesconnect.apple.com/WebObjects/iTunesConnect.woa/ra/resources/download/public/Transporter__Linux/bin
 
 RUN cargo install --version 0.16.0 apple-codesign \
   && curl -sSf $transporter_url -o transporter_install.sh \
   && sh transporter_install.sh --target transporter --accept --noexec
 
-FROM debian:stable-slim
+FROM debian:stable-slim@sha256:0f116858482fd8222b4f7e9b4cdc9a054051e67fbb8a57bc22651f0d56b45ad8
 
 ARG binpath=build/binary-bundle/linux/fleetctl
 

tools/wix-docker/Dockerfile

@@ -1,4 +1,4 @@
-FROM debian:bullseye-slim
+FROM debian:bullseye-slim@sha256:cc4cc29b4ba8182fca324920f64ff68a3b24acefd4c7ba8a2e5bd4e81ac3bacf
 
 RUN true \
     && dpkg --add-architecture i386 \