Merged
2 changes: 1 addition & 1 deletion caddy/Dockerfile
@@ -3,7 +3,7 @@

# Define a build argument for the Caddy version with a sensible default.
# This allows the version to be easily overridden from the docker-compose.yml file.
ARG CADDY_VERSION=2.10.0
ARG CADDY_VERSION=2.10.2

# Use the official Caddy image with the latest tag.
FROM caddy:${CADDY_VERSION}
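Review bot: The comment above the FROM line is now misleading: it says the image is used "with the latest tag", but the build uses caddy:${CADDY_VERSION}, which this hunk pins to 2.10.2. Suggest rewording it to `# Use the official Caddy image at the version given by CADDY_VERSION.` so the comment matches the pin.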
8 changes: 4 additions & 4 deletions docker-compose.yml
@@ -33,7 +33,7 @@ services:
context: ./caddy
dockerfile: Dockerfile
args:
- CADDY_VERSION=2.10.0
- CADDY_VERSION=2.10.2

profiles: ["prod"]
container_name: oullin_proxy_prod
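Review bot: The Caddy version now lives in two places: the ARG default in caddy/Dockerfile and this `CADDY_VERSION=2.10.2` build arg, and the Dockerfile comment names the compose file as the override point. Either drop the compose-level arg so the Dockerfile default is the single source of truth, or accept that every bump is a two-file change and say so in the Dockerfile comment; otherwise the two values will drift.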
@@ -60,7 +60,7 @@ services:
context: ./caddy
dockerfile: Dockerfile
args:
- CADDY_VERSION=latest
- CADDY_VERSION=2.10.2

profiles: ["local"]
container_name: oullin_local_proxy
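Review bot: Good change: replacing `CADDY_VERSION=latest` with 2.10.2 means the local profile no longer floats and builds the same proxy as the prod profile. Because caddy/Dockerfile pins by tag only, this still resolves to whatever the registry serves for caddy:2.10.2 on the day of the build; if the tag@sha256 style used in docker/dockerfile-api is wanted for the proxy as well, the ARG would need to carry the digest too.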
@@ -155,7 +155,7 @@ services:
- api

api-db-migrate:
image: migrate/migrate:v4.18.3
image: migrate/migrate:v4.19.0
container_name: oullin_db_migrate
networks:
- oullin_net
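Review bot: `migrate/migrate` moves from v4.18.3 to v4.19.0 by tag only, with no digest, unlike the base images in docker/dockerfile-api. Since this container runs schema migrations against the database, a quietly rebuilt tag is riskier here than for the proxy; consider `image: migrate/migrate:v4.19.0@sha256:<digest>` and a look at the v4.19.0 release notes for behavioural changes before merging.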
@@ -188,7 +188,7 @@ services:
# Ensure the database always restarts on server reboot or crash.
restart: always

image: postgres:17.3-alpine
image: postgres:17.6-alpine3.22
container_name: oullin_db

env_file:
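Review bot: postgres:17.3-alpine to 17.6-alpine3.22 stays within major version 17, so the existing data directory is compatible and no dump/restore is needed; the explicit alpine3.22 suffix is an improvement over the floating `-alpine`. With `restart: always` on this service a failing start would loop rather than stop, so watch the container logs on the first boot after deploy, and, as for the other images, a digest pin would make the tag reproducible.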
4 changes: 2 additions & 2 deletions docker/dockerfile-api
@@ -34,7 +34,7 @@ ARG TZ=Asia/Singapore
# ----------------------------------------------------------------------------------------------------------------------
# BUILDER STAGE
# ----------------------------------------------------------------------------------------------------------------------
FROM golang:1.25.1-alpine@sha256:b6ed3fd0452c0e9bcdef5597f29cc1418f61672e9d3a2f55bf02e7222c014abd AS builder
FROM golang:1.25.3-alpine3.22@sha256:c3dc5d5e8cf34ccb2172fb8d1aa399aa13cd8b60d27bba891d18e3b436a0c5f6 AS builder

# Bring in the build args needed in this stage.
ARG APP_DIR
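Review bot: Tag and digest move together here (golang:1.25.1-alpine to 1.25.3-alpine3.22 with a new sha256), which is the right way to bump a digest-pinned base. Confirm the new digest is the manifest-list digest for that tag (the top-level digest that `docker buildx imagetools inspect golang:1.25.3-alpine3.22` prints) rather than a single-platform image digest; a platform-specific digest builds on one architecture and fails to resolve on the others.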
@@ -82,7 +82,7 @@ RUN go build \
# ----------------------------------------------------------------------------------------------------------------------
# FINAL STAGE
# ----------------------------------------------------------------------------------------------------------------------
FROM alpine:3.22@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1
FROM alpine:3.22@sha256:85f2b723e106c34644cd5851d7e81ee87da98ac54672b29947c052a45d31dc2f
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify Alpine base image digest.

The Alpine base image digest has been updated. Please confirm that this digest corresponds to the correct alpine:3.22 image and check for any security advisories.


🏁 Script executed:

#!/bin/bash
# Description: Verify the Alpine 3.22 image digest and check for security advisories

# Fetch the latest digest for alpine:3.22 from Docker Hub
echo "Fetching digest for alpine:3.22..."
curl -s "https://hub.docker.com/v2/repositories/library/alpine/tags/3.22" | jq -r '.digest'

# Check for security advisories
echo -e "\nChecking for security advisories..."
gh api graphql -f query='
{
  securityVulnerabilities(first: 5, ecosystem: ALPINE, package: "alpine") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Length of output: 623


Update Alpine base image digest and scan for vulnerabilities

  • Replace the pinned digest on line 85 with sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412
  • Run a container vulnerability scan (e.g. trivy image alpine:3.22@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412) and resolve any critical CVEs
🤖 Prompt for AI Agents
In docker/dockerfile-api around line 85, replace the current Alpine 3.22 image
digest with
sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412 and then
run a container vulnerability scan (for example: trivy image
alpine:3.22@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412)
and address any critical/high CVEs found by updating packages, switching to a
patched base image, or applying mitigations before committing the change.


# Bring in the runtime args.
ARG APP_USER
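Review bot: Only the digest changes on this FROM line while the tag stays alpine:3.22, which is what a registry rebuild of the same tag looks like. The automated comment above rates this Critical and proposes replacing the digest with whatever hub.docker.com returned for the tag at the moment its script ran; that value is simply the tag's digest at that instant, and the digest in this PR may be an equally valid earlier build of the same tag. The check that actually matters is that the pinned digest resolves (`docker buildx imagetools inspect alpine:3.22@sha256:85f2b723e106c34644cd5851d7e81ee87da98ac54672b29947c052a45d31dc2f`) and that an image scanner such as trivy reports no unpatched findings for it; the GitHub advisory query in the script is not a substitute for scanning the image itself.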
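As an added example, not code from the PR or from the oullin project, here is a POSIX shell checker that classifies every image reference in a Dockerfile or compose file by pin strength (digest, tag, floating) and flags the tag-only and `latest` pins this PR touches next to the digest-pinned ones; the function names and the sample file are constructed for the example.

```shell
# Added example: report how strongly each container image reference is pinned.
# Not part of the PR; the sample file below is constructed from its references.

# pin_strength REF -> prints digest | invalid-digest | tag | floating
pin_strength() {
  ref=$1
  case "$ref" in
    *@sha256:*)
      digest=${ref##*@sha256:}
      # A content digest is exactly 64 lowercase hex chars; anything else fails at pull time.
      if printf '%s\n' "$digest" | grep -Eq '^[0-9a-f]{64}$'; then
        echo digest
      else
        echo invalid-digest
      fi
      return 0
      ;;
  esac
  name=${ref##*/}             # last path component, e.g. "caddy:2.10.2"
  case "$name" in
    *:latest) echo floating ;;  # explicit :latest moves under the build
    *:*)      echo tag ;;       # tag only: a rebuilt tag can change content
    *)        echo floating ;;  # no tag at all is an implicit :latest
  esac
}

# count_weak_pins FILE -> prints how many references are not digest-pinned and
# lists each on stderr. Reads FROM lines (skipping flags such as --platform) and
# compose "image:" lines; build-arg tags like caddy:${CADDY_VERSION} count as "tag".
count_weak_pins() {
  n=0
  for ref in $(awk 'toupper($1)=="FROM"{i=2; while(i<=NF && $i ~ /^--/) i++; print $i}
                    $1=="image:"{print $2}' "$1"); do
    s=$(pin_strength "$ref")
    [ "$s" = digest ] || { n=$((n+1)); printf '%-14s %s\n' "$s" "$ref" >&2; }
  done
  echo "$n"
}

# Constructed sample mixing the references touched by this PR.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
FROM caddy:latest
FROM caddy:${CADDY_VERSION}
FROM --platform=$BUILDPLATFORM golang:1.25.3-alpine3.22@sha256:c3dc5d5e8cf34ccb2172fb8d1aa399aa13cd8b60d27bba891d18e3b436a0c5f6 AS builder
FROM alpine:3.22@sha256:85f2b723e106c34644cd5851d7e81ee87da98ac54672b29947c052a45d31dc2f
    image: migrate/migrate:v4.19.0
    image: postgres:17.6-alpine3.22
EOF
echo "weak pins: $(count_weak_pins "$SAMPLE")"   # weak pins: 4
```

Run it against the repository's own caddy/Dockerfile, docker-compose.yml and docker/dockerfile-api to get the same report for the real files; a digest that is reported as invalid-digest should be checked before it is merged.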