Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Pin image SHA in Dockerfiles #10205

Merged
merged 4 commits into from
Mar 1, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
2 changes: 1 addition & 1 deletion Dockerfile
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM alpine
FROM alpine:3.17.2@sha256:e2e16842c9b54d985bf1ef9242a313f36b856181f188de21313820e177002501
LABEL maintainer="Fleet Developers"

RUN apk --update add ca-certificates
Expand Down
2 changes: 1 addition & 1 deletion Dockerfile-desktop-linux
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM --platform=linux/amd64 golang:1.20.1-bullseye
FROM --platform=linux/amd64 golang:1.20.1-bullseye@sha256:745aa72cefb6f9527c1588590982c0bdf85a1be5d611dda849e54b5dbf551506
LABEL maintainer="Fleet Developers"

RUN apt-get update && apt-get install -y \
Expand Down
2 changes: 1 addition & 1 deletion Dockerfile.osquery-perf
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM golang:1.20.1-alpine
FROM golang:1.20.1-alpine@sha256:18da4399cedd9e383beb6b104d43aa1d48bd41167e312bb5306d72c51bd11548

ARG ENROLL_SECRET
ARG HOST_COUNT
Expand Down
1 change: 1 addition & 0 deletions changes/pin-dockerfiles
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
- Pin Docker image hashes in Dockerfiles for increased security.
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM golang:1.19.4-alpine AS builder
FROM golang:1.19.4-alpine@sha256:86d32cc0dfc04757fd8aeebb86308e6d1e3de60c73cb59e0f99c7b2ef77416b6 AS builder
RUN apk update && apk add --no-cache git curl openssl unzip
WORKDIR /build
COPY . .
Expand Down
2 changes: 1 addition & 1 deletion infrastructure/sandbox/JITProvisioner/lambda/Dockerfile
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM golang:1.19.4-alpine AS builder
FROM golang:1.19.4-alpine@sha256:86d32cc0dfc04757fd8aeebb86308e6d1e3de60c73cb59e0f99c7b2ef77416b6 AS builder
WORKDIR /build
COPY . .
RUN go get -d -v
Expand Down
2 changes: 1 addition & 1 deletion infrastructure/sandbox/Monitoring/lambda/Dockerfile
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM golang:1.19.4-alpine AS builder
FROM golang:1.19.4-alpine@sha256:86d32cc0dfc04757fd8aeebb86308e6d1e3de60c73cb59e0f99c7b2ef77416b6 AS builder
WORKDIR /build
COPY . .
RUN go get -d -v
Expand Down
4 changes: 2 additions & 2 deletions infrastructure/sandbox/PreProvisioner/lambda/Dockerfile
Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@
FROM rust:latest AS builder
FROM rust:latest@sha256:02a53e734724bef4a58d856c694f826aa9e7ea84353516b76d9a6d241e9da60e AS builder

ARG transporter_url=https://itunesconnect.apple.com/WebObjects/iTunesConnect.woa/ra/resources/download/public/Transporter__Linux/bin

RUN cargo install --version 0.16.0 apple-codesign \
&& curl -sSf $transporter_url -o transporter_install.sh \
&& sh transporter_install.sh --target transporter --accept --noexec

FROM golang:1.19.4-bullseye
FROM golang:1.19.4-bullseye@sha256:9d235ae41bff699b44255bf912e77acac5046b06e61b018561239a35d9bd2ebb

RUN apt-get update \
&& dpkg --add-architecture i386 \
Expand Down
4 changes: 2 additions & 2 deletions tools/bomutils-docker/Dockerfile
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM debian:stable-slim AS builder
FROM debian:stable-slim@sha256:0f116858482fd8222b4f7e9b4cdc9a054051e67fbb8a57bc22651f0d56b45ad8 AS builder

RUN apt-get update
RUN apt-get install -y build-essential autoconf libxml2-dev libssl-dev zlib1g-dev curl
Expand All @@ -19,7 +19,7 @@ COPY patch.txt .
RUN cd xar-xar-1.6.1/xar && patch < ../../patch.txt && autoconf && ./configure && make && make install


FROM debian:stable-slim
FROM debian:stable-slim@sha256:0f116858482fd8222b4f7e9b4cdc9a054051e67fbb8a57bc22651f0d56b45ad8

RUN apt-get update && apt-get install -y --no-install-recommends libxml2 && rm -rf /var/lib/apt/lists/*
COPY --from=builder /usr/bin /usr/bin/
Expand Down
4 changes: 2 additions & 2 deletions tools/fleetctl-docker/Dockerfile
Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@
FROM rust:latest AS builder
FROM rust:latest@sha256:02a53e734724bef4a58d856c694f826aa9e7ea84353516b76d9a6d241e9da60e AS builder

ARG transporter_url=https://itunesconnect.apple.com/WebObjects/iTunesConnect.woa/ra/resources/download/public/Transporter__Linux/bin

RUN cargo install --version 0.16.0 apple-codesign \
&& curl -sSf $transporter_url -o transporter_install.sh \
&& sh transporter_install.sh --target transporter --accept --noexec

FROM debian:stable-slim
FROM debian:stable-slim@sha256:0f116858482fd8222b4f7e9b4cdc9a054051e67fbb8a57bc22651f0d56b45ad8

ARG binpath=build/binary-bundle/linux/fleetctl

Expand Down
2 changes: 1 addition & 1 deletion tools/wix-docker/Dockerfile
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM debian:bullseye-slim
FROM debian:bullseye-slim@sha256:cc4cc29b4ba8182fca324920f64ff68a3b24acefd4c7ba8a2e5bd4e81ac3bacf

RUN true \
&& dpkg --add-architecture i386 \
Expand Down