From d89424b62a921dddea9eab6eea7a16e5c7cc3240 Mon Sep 17 00:00:00 2001
From: user
Date: Sat, 21 Feb 2026 00:49:09 -0800
Subject: [PATCH] fix: pin Docker images to sha256 digests and go install to commit SHAs (closes #118)
- Pin golang base image to sha256 digest (was golang:1.25-alpine)
- Pin alpine base image to sha256 digest (was alpine:3.19)
- Pin golangci-lint go install to commit SHA (was @latest)
- Pin goimports go install to commit SHA (was @latest)
This eliminates RCE risk from tag-based references that could be poisoned to run arbitrary code during docker build.
---
 Dockerfile | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 4f425ea..8dcd60e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,11 +1,13 @@
 # Build stage
-FROM golang:1.25-alpine AS builder
+FROM golang@sha256:f6751d823c26342f9506c03797d2527668d095b0a15f1862cddb4d927a7a4ced AS builder
+# golang:1.25-alpine
 RUN apk add --no-cache git make gcc musl-dev
-# Install golangci-lint v2
-RUN go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
-RUN go install golang.org/x/tools/cmd/goimports@latest
+# Install golangci-lint v2 (pinned to v2.10.1)
+RUN go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@5d1e709b7be35cb2025444e19de266b056b7b7ee
+# Install goimports (pinned to v0.42.0)
+RUN go install golang.org/x/tools/cmd/goimports@009367f5c17a8d4c45a961a3a509277190a9a6f0
 WORKDIR /src
 COPY go.mod go.sum ./
@@ -20,7 +22,8 @@ RUN make check
 RUN make build
 # Runtime stage
-FROM alpine:3.19
+FROM alpine@sha256:6baf43584bcb78f2e5847d1de515f23499913ac9f12bdf834811a3145eb11ca1
+# alpine:3.19
 RUN apk add --no-cache ca-certificates tzdata git openssh-client docker-cli
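Review bot: The new `FROM golang@sha256:…` line drops the tag entirely and pushes the human-readable version into a trailing comment, so neither a reader nor tag-tracking tooling (Renovate/Dependabot) can see which release the digest is meant to be; the conventional form keeps both, `FROM golang:1.25-alpine@sha256:f6751d823c26342f9506c03797d2527668d095b0a15f1862cddb4d927a7a4ced AS builder`, and the same applies to the alpine stage in the next hunk. The digest is still what the engine verifies, so this is a maintainability point, not weaker pinning. On the `go install` lines, the `(pinned to v2.10.1)` / `(pinned to v0.42.0)` comments are claims a reader cannot check against a bare commit SHA; with the default GOSUMDB, `@v2.10.1` and `@v0.42.0` are immutable once sum.golang.org has recorded them (a moved tag fails checksum verification) and read as the releases they are, so consider the tag forms, or at least record the resolved pseudo-version next to each SHA. Note also that the digest pin does not cover the `RUN apk add --no-cache git make gcc musl-dev` context line, which still resolves package versions from the repository at build time, so the description's "eliminates RCE risk" overstates what this change alone achieves.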