
fix: resolve main image scan failures#1742

Merged
EItanya merged 4 commits into kagent-dev:main from jsonmp-k8:fix/main-image-scan-failures
Apr 25, 2026

Conversation

@jsonmp-k8 (Contributor)

Summary

  • fix the image-scan workflow so the golang-adk-full job scans the image name and tag that make build-golang-adk-full actually publishes
  • patch the pinned sandbox-runtime install in the app and full Go images to replace the vulnerable locked lodash-es version without repinning the whole external runtime
  • raise the runtime google-adk floor to a fixed 1.x release, refresh python/uv.lock, and update the ADK Python template pin

Verification

  • make lint
  • uv run pytest packages/kagent-adk/tests/unittests/converters/test_consts_sync.py

Signed-off-by: Jaison Paul <paul.jaison@gmail.com>
Copilot AI review requested due to automatic review settings April 24, 2026 04:00
github-actions bot added the `bug` (Something isn't working) label Apr 24, 2026
Copilot AI (Contributor) left a comment

Pull request overview

Fixes CI image vulnerability scanning for the Go ADK “full” image, patches the pinned sandbox-runtime install to address a vulnerable lodash-es lock, and updates Python ADK dependency floors/lockfiles.

Changes:

  • Update .github/workflows/image-scan.yaml matrix to scan the correct image name/tag for golang-adk-full (name golang-adk, tag suffix -full).
  • Patch sandbox-runtime installation steps in python/Dockerfile and go/Dockerfile.full to install a fixed lodash-es version while keeping the pinned runtime revision.
  • Raise google-adk minimum version constraints and refresh python/uv.lock, plus update the Python ADK template pin.

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| python/uv.lock | Updates locked dependency set, including google-adk and related Google packages. |
| python/packages/kagent-adk/pyproject.toml | Raises google-adk floor to >=1.28.1,<2. |
| python/packages/agentsts-adk/pyproject.toml | Raises google-adk floor to >=1.28.1,<2. |
| python/Dockerfile | Adjusts sandbox-runtime install to force a non-vulnerable lodash-es version. |
| go/core/cli/internal/agent/frameworks/adk/python/templates/pyproject.toml.tmpl | Updates template pin for google-adk. |
| go/Dockerfile.full | Adjusts sandbox-runtime install to force a non-vulnerable lodash-es version. |
| .github/workflows/image-scan.yaml | Fixes scan target selection to match the image tag published by make build-golang-adk-full. |


@jeffspahr (Contributor) left a comment

I found one security hygiene issue in the sandbox-runtime patch: the replacement version currently pins a deprecated bad lodash-es release. 4.18.1 builds and audits clean in the same sandbox-runtime install flow.

lodash-es@4.18.0 is marked as deprecated by npm ("Bad release. Please
use lodash-es@4.17.23 instead."). Use 4.18.1 which is not deprecated
and passes npm audit with zero vulnerabilities.

Signed-off-by: Jaison Paul <paul.jaison@gmail.com>
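The review thread above turns on a single transitive pin: a runtime installed at a fixed revision drags in a lodash-es release that has to be replaced without moving the runtime itself, and the first replacement chosen (4.18.0) turned out to be a release npm marks as deprecated. The following is an added example, not code from the kagent PR or the sandbox-runtime project. It parses a constructed `package-lock.json` (lockfileVersion 3 `packages` map), lists every install path of a package including nested copies, reports which ones still differ from the wanted version, and builds an npm `overrides` entry for the root `package.json`. The `overrides` approach is one way to force a transitive version; the page does not show which mechanism the PR's Dockerfiles use. All versions except 4.18.0 and 4.18.1 are placeholders.

```python
"""Added example: audit and override a transitive npm pin without repinning
its parent. Not the PR's own code; the lock data below is constructed."""
import json

# Constructed sample lock: a pinned runtime that pulls in two copies of
# lodash-es, one top-level and one nested under another dependency.
# 4.18.0 is the deprecated release the PR thread names; other versions
# and package names are placeholders.
SAMPLE_LOCK = json.dumps({
    "name": "sandbox-runtime",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "sandbox-runtime", "version": "0.0.0-placeholder"},
        "node_modules/lodash-es": {"version": "4.17.0"},  # placeholder old pin
        "node_modules/some-dep": {"version": "1.0.0"},    # placeholder parent
        "node_modules/some-dep/node_modules/lodash-es": {"version": "4.18.0"},
    },
})

# Releases the review reports npm as flagging deprecated ("Bad release").
DEPRECATED = {"lodash-es": {"4.18.0"}}


def locked_versions(lock_text: str, name: str) -> dict[str, str]:
    """Map every install path of `name` in the lock to its resolved version.

    Nested copies live under paths like node_modules/<parent>/node_modules/<name>,
    so match the top-level path exactly and any deeper path by suffix.
    """
    lock = json.loads(lock_text)
    suffix = f"node_modules/{name}"
    return {
        path: meta["version"]
        for path, meta in lock.get("packages", {}).items()
        if path == suffix or path.endswith("/" + suffix)
    }


def needs_override(lock_text: str, name: str, wanted: str) -> list[str]:
    """Install paths whose locked version still differs from `wanted`.

    An empty list means every copy already resolves to the wanted release,
    which is the state an image scan should see after the patch.
    """
    return [p for p, v in locked_versions(lock_text, name).items() if v != wanted]


def build_override(package_json_text: str, name: str, version: str) -> dict:
    """Return the root package.json with an npm `overrides` entry for `name`.

    npm applies `overrides` to every copy in the tree, so the parent runtime
    keeps its pinned revision while the transitive dependency moves.
    Refuses releases known to be deprecated so the fix does not repeat
    the 4.18.0 mistake from the review.
    """
    if version in DEPRECATED.get(name, set()):
        raise ValueError(f"{name}@{version} is a deprecated release; pick another")
    pkg = json.loads(package_json_text)
    pkg.setdefault("overrides", {})[name] = version
    return pkg


if __name__ == "__main__":
    print("locked copies:", locked_versions(SAMPLE_LOCK, "lodash-es"))
    print("still wrong for 4.18.1:", needs_override(SAMPLE_LOCK, "lodash-es", "4.18.1"))
    print(json.dumps(build_override('{"name": "image-root"}', "lodash-es", "4.18.1"), indent=2))
```

npm only honours `overrides` in the root `package.json`, so the entry has to be written around the pinned runtime install rather than inside the runtime's own manifest; after reinstalling, rerunning `needs_override` against the regenerated lock is the check that no nested copy was missed.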
@jsonmp-k8 (Contributor, Author)

@EItanya This one too

@EItanya (Contributor) commented Apr 25, 2026

Thanks so much for tracking these down :)

@EItanya EItanya merged commit 740f7ea into kagent-dev:main Apr 25, 2026
23 checks passed