CRITICAL: rce in docker build #118

New Issue

Closed

opened 2026-02-20 19:43:09 +01:00 by sneak · 1 comment

sneak commented 2026-02-20 19:43:09 +01:00

Owner

Copy Link

Step 4/19 : RUN go install golang.org/x/tools/cmd/goimports@latest

This loads and runs arbitrary unchecked code. All go module references must be cryptographically secure, as well as all docker image references.

`Step 4/19 : RUN go install golang.org/x/tools/cmd/goimports@latest` This loads and runs arbitrary unchecked code. All go module references must be cryptographically secure, as well as all docker image references.

clawbot was assigned by sneak 2026-02-20 19:43:09 +01:00

clawbot referenced this issue from a commit 2026-02-20 19:45:10 +01:00

fix: pin all external refs to cryptographic identity (closes #118)

clawbot referenced a pull request that will close this issue 2026-02-20 19:45:17 +01:00

fix: pin all external refs to cryptographic identity (closes #118) #119

clawbot commented 2026-02-20 19:45:24 +01:00

Collaborator

Copy Link

PR #119 submitted. Changes:

• Pinned Dockerfile base images (golang:1.25-alpine, alpine:3.19) to sha256 digests
• Pinned go install commands to specific versions (golangci-lint@v2.10.1, goimports@v0.42.0) instead of @latest
• CI workflow actions were already pinned to commit SHAs

make check passes with zero failures.

PR #119 submitted. Changes: - Pinned Dockerfile base images (`golang:1.25-alpine`, `alpine:3.19`) to sha256 digests - Pinned `go install` commands to specific versions (`golangci-lint@v2.10.1`, `goimports@v0.42.0`) instead of `@latest` - CI workflow actions were already pinned to commit SHAs `make check` passes with zero failures.

clawbot referenced this issue from a commit 2026-02-20 19:46:00 +01:00

fix: pin Docker images and Go tool versions (closes #118)

clawbot referenced this issue from a commit 2026-02-21 09:49:11 +01:00

fix: pin Docker images to sha256 digests and go install to commit SHAs (closes #118)

clawbot referenced this issue from a commit 2026-02-21 09:50:46 +01:00

fix: pin all external refs to cryptographic identity (closes #118)

clawbot referenced this issue 2026-02-21 11:19:35 +01:00

LOW: createAndStartContainer has unused imageID parameter #124

sneak closed this issue 2026-02-23 20:48:09 +01:00

sneak referenced this issue from a commit 2026-02-23 20:48:10 +01:00

Merge pull request 'fix: pin all external refs to cryptographic identity (closes #118)' (#119) from fix/pin-external-refs-crypto-identity into main

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

feature/custom-healthcheck-command

feature/observability-improvements

feature/private-registry-auth

feature/backup-restore-config

fix/js-formatting

fix/module-path

fix/1.0-audit-bugs

fix/disable-api-write-methods

chore/code-cleanup

ci/check-workflow-only

fix/repo-url-validation

fix/main-lint-issues

feature/api-token-auth

revert/pr-98

feat/ci-make-check

ci/add-check-action

fix/deploy-cancel-cleanup

schema-consolidation

feature/json-api

chore/update-todo

feature/edit-config-entities

feature/deployment-rollback-tests

update-todo-md

feature/edit-entities

feature/deployment-rollback

feature/deploy-cancel

1.0.0

Labels

Clear labels

bug

Something is not working

duplicate

This issue or pull request already exists

enhancement

New feature

help wanted

Need some help

invalid

Something is wrong

merge-ready

All checks pass, reviewed, rebased, ready for merge

needs-checks

make check does not pass cleanly

needs-rebase

PR has merge conflicts or is behind main

needs-review

Code review not yet done

needs-rework

Code review found issues to fix

notplanned

question

More information is needed

wontfix

This won't be fixed

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

clawbot sneak

No Assignees clawbot

2 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: sneak/upaas#118