Pin dockerfile dependencies by hash #16580
Comments
|
this seems like a good idea - there was an issue recently with the alpine upstream image my only concern is that if we pin to a particular version we probs also want to scan ~frequently that there are no issues with the pinned dep @laurentsimon do you want to raise a PR to address the hashes ? if not i can follow up |
phlax
added
area/docker
dependencies
|
There's a problem that sha256 hash differs by architecture, so it doesn't work for our multiarch image build. |
|
I have experience about use SHA256 for different arches and can help if you need. |
|
@daixiang0 do you have some idea how this can be achieved ? if so - please do open a PR and lets see my quick internet search seems to confirm what @lizan has said - but i didnt find any definitive answers - nor any workarounds |
|
regarding my concern about keeping up-to-date - it seems dependabot has support for dockerfiles so that is a non-issue i think |
|
I would post soon. |
|
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions. |
github-actions
bot
added
the
stale
phlax
added
no stalebot
If you are reporting any crash or any potential security issue, do not
open an issue in this repo. Please report the issue via emailing
envoy-security@googlegroups.com where the issue will be triaged appropriately.
Title: Reduce attack surface by pinning docker dependencies by hash
Description:
scorecard reports
Fix:
Pin dependencies by hash. Example here.
You can retrieve the digest corresponding to the dependencies thru:
The text was updated successfully, but these errors were encountered: