stackrox · mclasmeier · Mar 30, 2026 · Mar 20, 2026 · Mar 24, 2026 · Mar 24, 2026
diff --git a/Dockerfile b/Dockerfile
@@ -3,7 +3,7 @@
 # Supports multi-architecture builds (amd64, arm64)
 
 # Stage 1: Build roxie binary
-FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.25-alpine AS builder
+FROM --platform=$BUILDPLATFORM registry.access.redhat.com/ubi9/go-toolset:1.25@sha256:2830e4bd1c394ed506c00a9abbb4d00445e2e72e8ef4e3cd51e0da0db66dee12 AS builder
 
 # Build arguments for cross-compilation
 # These are automatically provided by Docker buildx
@@ -12,9 +12,6 @@ ARG TARGETARCH
 
 WORKDIR /build
 
-# Install build dependencies
-RUN apk add --no-cache git ca-certificates
-
 # Copy go mod files first for better layer caching
 COPY go.mod go.sum ./
 RUN go mod download
@@ -33,22 +30,62 @@ RUN echo "Building for ${TARGETOS}/${TARGETARCH}" && \
     ./cmd
 
 # Download gcloud SDK in builder stage to avoid UBI filesystem restrictions
-ARG GCLOUD_VERSION=latest
-RUN apk add --no-cache curl python3 && \
-    ARCH=${TARGETARCH:-amd64} && \
+# Latest version including checksums can be found at:
+#   https://docs.cloud.google.com/sdk/docs/install-sdk#linux
+#
+# Unfortunately Googles release pipelines currently do not properly support versioned, checksum-protected downloads, 
+#
+# THE PROBLEM
+#
+#   The page https://docs.cloud.google.com/sdk/docs/install-sdk#linux references download links which are
+#   unversioned, which is not suitable for CI. For these unversioned links the page contains checksums.
+#
+#   The SDK can also be downloaded throught versioned links, which is suitable for CI usage. However, these
+#   versioned links are not referenced in the page and -- more importantly -- the checksums of both
+#   files (versioned and unversioned) are *not* the same. They differ in the filename contained in the gzip header.
+#
+# THE WORKAROUND
+#
+#   I have downloaded both files, versioned and unversioned, together with the latest checksum
+#   from the download page for the unversioned file. Then I have decompressed both files, verified
+#   that both archives are bytewise identical and then I have compted the sha256 of the versioned file
+#   and inserted it here.
+#
+#   Example:
+#
+#   ❯ curl -sLfO https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-linux-x86_64.tar.gz
+#   ❯ curl -sLfO https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-562.0.0-linux-x86_64.tar.gz
+#   ❯ UNVERSIONED_CHECKSUM=38bd4f203392354fa7cc5514ee38ea02bb808aa5f1f7e00257806abf782dde38
+#   ❯ gzip -dk google-cloud-cli-562.0.0-linux-x86_64.tar.gz; gzip -dk google-cloud-cli-linux-x86_64.tar.gz
+#   ❯ echo "${UNVERSIONED_CHECKSUM} google-cloud-cli-linux-x86_64.tar.gz" | sha256sum -c -
+#   google-cloud-cli-linux-x86_64.tar.gz: OK
+#   ❯ cmp google-cloud-cli-562.0.0-linux-x86_64.tar google-cloud-cli-linux-x86_64.tar
+#   ❯ sha256 google-cloud-cli-562.0.0-linux-x86_64.tar.gz
+#   SHA256 (google-cloud-cli-562.0.0-linux-x86_64.tar.gz) = 016a4b1702f8c97b585f9ae12c6182762758c17ef5302cb8561c7f6be5cc9af3
+#
+ARG GCLOUD_VERSION=562.0.0
+ARG GCLOUD_ARM64_SHA256=a9ebaa0f4020ea0487c2c935af3d4566d1b4a1ccae685c6b7141211fc96424ee
+ARG GCLOUD_AMD64_SHA256=016a4b1702f8c97b585f9ae12c6182762758c17ef5302cb8561c7f6be5cc9af3
+RUN ARCH=${TARGETARCH:-amd64} && \
     if [ "${ARCH}" = "amd64" ]; then \
         GCLOUD_ARCH="x86_64"; \
+        GCLOUD_SHA256=${GCLOUD_AMD64_SHA256}; \
     elif [ "${ARCH}" = "arm64" ]; then \
         GCLOUD_ARCH="arm"; \
+        GCLOUD_SHA256=${GCLOUD_ARM64_SHA256}; \
     else \
         echo "ERROR: Unsupported architecture: ${ARCH}"; exit 1; \
     fi && \
-    curl -fsSL "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-linux-${GCLOUD_ARCH}.tar.gz" | \
-    tar -xz -C /tmp && \
+    filename="google-cloud-cli-${GCLOUD_VERSION}-linux-${GCLOUD_ARCH}.tar.gz" && \
+    url="https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/${filename}" && \
+    echo "Downloading gcloud SDK from: ${url}" && \
+    curl -o "/tmp/${filename}" -fsSL "${url}" && \
+    echo "${GCLOUD_SHA256} /tmp/${filename}" | sha256sum -c - && \
+    tar -xz -C /tmp -f "/tmp/${filename}" && \
     /tmp/google-cloud-sdk/bin/gcloud components install gke-gcloud-auth-plugin --quiet
 
 # Stage 2: Runtime image based on Red Hat UBI Minimal
-FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
+FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:83006d535923fcf1345067873524a3980316f51794f01d8655be55d6e9387183
 
 # Architecture detection for multi-arch builds
 ARG TARGETARCH
@@ -76,40 +113,47 @@ RUN microdnf install -y \
     && rm -rf /var/cache/yum
 
 # Install kubectl - architecture-aware
-ARG KUBECTL_VERSION=v1.29.0
+# Checksums can be found at
+#   https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl.sha256.
+ARG KUBECTL_VERSION=v1.35.3
+ARG KUBECTL_ARM64_SHA256=6f0cd088a82dde5d5807122056069e2fac4ed447cc518efc055547ae46525f14
+ARG KUBECTL_AMD64_SHA256=fd31c7d7129260e608f6faf92d5984c3267ad0b5ead3bced2fe125686e286ad6
 RUN ARCH=${TARGETARCH:-amd64} && \
     echo "Installing kubectl for ${ARCH}" && \
-    curl -fsSLo /usr/local/bin/kubectl \
-    "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl" \
-    && chmod +x /usr/local/bin/kubectl
-
-# Install helm - architecture-aware
-ARG HELM_VERSION=v3.14.0
-RUN ARCH=${TARGETARCH:-amd64} && \
-    echo "Installing helm for ${ARCH}" && \
-    curl -fsSL "https://get.helm.sh/helm-${HELM_VERSION}-linux-${ARCH}.tar.gz" | \
-    tar -xzO "linux-${ARCH}/helm" > /usr/local/bin/helm && \
-    chmod +x /usr/local/bin/helm
+    if [ "${ARCH}" = "arm64" ]; then \
+        KUBECTL_SHA256=${KUBECTL_ARM64_SHA256}; \
+    elif [ "${ARCH}" = "amd64" ]; then \
+        KUBECTL_SHA256=${KUBECTL_AMD64_SHA256}; \
+    else \
+        echo "ERROR: Unsupported architecture: ${ARCH}"; exit 1; \
+    fi && \
+    url="https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl" && \
+    echo "Downloading kubectl from: ${url}" && \
+    curl -fsSLo /usr/local/bin/kubectl "${url}" && \
+    echo "${KUBECTL_SHA256}  /usr/local/bin/kubectl" | sha256sum -c - && \
+    chmod +x /usr/local/bin/kubectl
 
 # Install roxctl - architecture-aware
 # The mirror has architecture-specific binaries: 'roxctl' (amd64) and 'roxctl-arm64'
-# Override with --build-arg ROXCTL_VERSION=4.x.x for specific versions
-ARG ROXCTL_VERSION=latest
+ARG ROXCTL_VERSION=4.10.0
+ARG ROXCTL_ARM64_SHA256=a3951413d56671e46413009d31004d984e9c77c7520f35c8f062f5bd4e4f8212
+ARG ROXCTL_AMD64_SHA256=5db647b14569465866c0162522e83393ebf02f671f4556b1b3ed551b9f8433bc
 RUN ARCH=${TARGETARCH:-amd64} && \
     echo "Installing roxctl for ${ARCH}" && \
     if [ "${ARCH}" = "arm64" ]; then \
         ROXCTL_BINARY="roxctl-arm64"; \
+        ROXCTL_SHA256=${ROXCTL_ARM64_SHA256}; \
     elif [ "${ARCH}" = "amd64" ]; then \
         ROXCTL_BINARY="roxctl"; \
+        ROXCTL_SHA256=${ROXCTL_AMD64_SHA256}; \
     else \
         echo "ERROR: Unsupported architecture: ${ARCH}"; exit 1; \
     fi && \
-    ROXCTL_PATH=$([ "${ROXCTL_VERSION}" = "latest" ] && echo "latest" || echo "${ROXCTL_VERSION}") && \
-    ROXCTL_URL="https://mirror.openshift.com/pub/rhacs/assets/${ROXCTL_PATH}/bin/Linux/${ROXCTL_BINARY}" && \
-    echo "Downloading from: ${ROXCTL_URL}" && \
-    curl -fsSLo /usr/local/bin/roxctl "${ROXCTL_URL}" && \
-    chmod +x /usr/local/bin/roxctl && \
-    echo "roxctl installed successfully for ${ARCH}"
+    url="https://mirror.openshift.com/pub/rhacs/assets/${ROXCTL_VERSION}/bin/Linux/${ROXCTL_BINARY}" && \
+    echo "Downloading from: ${url}" && \
+    curl -fsSLo /usr/local/bin/roxctl "${url}" && \
+    echo "${ROXCTL_SHA256}  /usr/local/bin/roxctl" | sha256sum -c - && \
+    chmod +x /usr/local/bin/roxctl
 
 # Install podman (required for extracting operator bundles)
 # fuse-overlayfs provides better performance but vfs driver is more compatible
@@ -127,16 +171,18 @@ RUN ln -s /opt/google-cloud-sdk/bin/gcloud /usr/local/bin/gcloud && \
     ln -s /opt/google-cloud-sdk/bin/gke-gcloud-auth-plugin /usr/local/bin/gke-gcloud-auth-plugin
 
 # 2. AWS (EKS) - aws-iam-authenticator
+# Using GitHub releases for latest version (AWS S3 bucket has outdated versions)
+ARG AWS_IAM_AUTH_VERSION=0.7.12
 RUN ARCH=${TARGETARCH:-amd64} && \
-    echo "Installing aws-iam-authenticator for ${ARCH}" && \
+    echo "Installing aws-iam-authenticator v${AWS_IAM_AUTH_VERSION} for ${ARCH}" && \
     curl -fsSLo /usr/local/bin/aws-iam-authenticator \
-    "https://amazon-eks.s3.us-west-2.amazonaws.com/1.30.0/2024-05-12/bin/linux/${ARCH}/aws-iam-authenticator" && \
+    "https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/v${AWS_IAM_AUTH_VERSION}/aws-iam-authenticator_${AWS_IAM_AUTH_VERSION}_linux_${ARCH}" && \
     chmod +x /usr/local/bin/aws-iam-authenticator
 
 # 3. Azure (AKS) - kubelogin
 RUN ARCH=${TARGETARCH:-amd64} && \
     echo "Installing kubelogin (Azure) for ${ARCH}" && \
-    KUBELOGIN_VERSION="v0.1.4" && \
+    KUBELOGIN_VERSION="v0.2.16" && \
     curl -fsSL "https://github.com/Azure/kubelogin/releases/download/${KUBELOGIN_VERSION}/kubelogin-linux-${ARCH}.zip" \
     -o /tmp/kubelogin.zip && \
     unzip -q /tmp/kubelogin.zip -d /tmp && \

diff --git a/go.mod b/go.mod
@@ -1,19 +1,19 @@
 module github.com/stackrox/roxie
 
-go 1.25
+go 1.25.0
 
 require (
-	github.com/fatih/color v1.16.0
+	github.com/fatih/color v1.19.0
 	github.com/moby/sys/mountinfo v0.7.2
-	github.com/spf13/cobra v1.8.0
-	golang.org/x/term v0.38.0
+	github.com/spf13/cobra v1.10.2
+	golang.org/x/term v0.41.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
-	golang.org/x/sys v0.39.0 // indirect
+	github.com/spf13/pflag v1.0.10 // indirect
+	golang.org/x/sys v0.42.0 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -1,26 +1,26 @@
-github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
-github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
-github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
+github.com/fatih/color v1.19.0 h1:Zp3PiM21/9Ld6FzSKyL5c/BULoe/ONr9KlbYVOfG8+w=
+github.com/fatih/color v1.19.0/go.mod h1:zNk67I0ZUT1bEGsSGyCZYZNrHuTkJJB+r6Q9VuMi0LE=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
-github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
-github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
+github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg=
 github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
-github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
-github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
+github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
+github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
-golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
-golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU=
+golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=