fix: pin Docker images to sha256 digests and go install to commit SHAs (closes #118)

- Pin golang base image to sha256 digest (was golang:1.25-alpine) - Pin alpine base image to sha256 digest (was alpine:3.19) - Pin golangci-lint go install to commit SHA (was @latest) - Pin goimports go install to commit SHA (was @latest) This eliminates RCE risk from tag-based references that could be poisoned to run arbitrary code during docker build.
2026-02-21 00:49:09 -08:00 · 2026-02-21 00:49:09 -08:00 · d89424b62a
commit d89424b62a
parent ab526fc93d
1 changed files with 8 additions and 5 deletions
--- a/13
+++ b/13
@ -1,11 +1,13 @@
 # Build stage
-FROM golang:1.25-alpine AS builder
+FROM golang@sha256:f6751d823c26342f9506c03797d2527668d095b0a15f1862cddb4d927a7a4ced AS builder
+# golang:1.25-alpine

 RUN apk add --no-cache git make gcc musl-dev

-# Install golangci-lint v2
-RUN go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
-RUN go install golang.org/x/tools/cmd/goimports@latest
+# Install golangci-lint v2 (pinned to v2.10.1)
+RUN go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@5d1e709b7be35cb2025444e19de266b056b7b7ee
+# Install goimports (pinned to v0.42.0)
+RUN go install golang.org/x/tools/cmd/goimports@009367f5c17a8d4c45a961a3a509277190a9a6f0

 WORKDIR /src
 COPY go.mod go.sum ./
@ -20,7 +22,8 @@ RUN make check
 RUN make build

 # Runtime stage
-FROM alpine:3.19
+FROM alpine@sha256:6baf43584bcb78f2e5847d1de515f23499913ac9f12bdf834811a3145eb11ca1
+# alpine:3.19

 RUN apk add --no-cache ca-certificates tzdata git openssh-client docker-cli