Pin dockerfile dependencies by hash #16580
Comments
This seems like a good idea - there was an issue recently with the alpine upstream image. My only concern is that if we pin to a particular version we probably also want to scan fairly frequently that there are no issues with the pinned dep. @laurentsimon do you want to raise a PR to address the hashes? If not I can follow up.
There's a problem that the sha256 hash differs by architecture, so it doesn't work for our multiarch image build.
I have experience using SHA256 for different arches and can help if you need.
@daixiang0 do you have some idea how this can be achieved? If so, please do open a PR and let's see. My quick internet search seems to confirm what @lizan has said, but I didn't find any definitive answers, nor any workarounds.
Regarding my concern about keeping up to date: it seems dependabot has support for Dockerfiles, so that is a non-issue I think.
I will post soon.
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.
If you are reporting any crash or any potential security issue, do not open an issue in this repo. Please report the issue via emailing envoy-security@googlegroups.com where the issue will be triaged appropriately.
Title: Reduce attack surface by pinning docker dependencies by hash
Description:
scorecard reports
Fix:
Pin dependencies by hash. Example here.
You can retrieve the digest corresponding to the dependencies through:
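A check of the kind Scorecard's pinned-dependencies report performs, added here as an example (not code from this issue or from the Envoy repo): it parses the FROM lines of a Dockerfile and reports base images pulled by mutable tag instead of by digest. The sample Dockerfile and the sha256 value in it are constructed placeholders.

```python
import re

# Constructed sample Dockerfile (not from the Envoy repo); the sha256 value is a
# placeholder, not a real image digest.
SAMPLE_DOCKERFILE = """\
FROM --platform=$BUILDPLATFORM golang:1.20-alpine AS builder
RUN go build -o /app ./...
FROM alpine:3.18@sha256:0000000000000000000000000000000000000000000000000000000000000000
COPY --from=builder /app /app
FROM builder AS tests
FROM scratch
COPY --from=builder /app /app
"""

# FROM [--platform=<platform>] <image>[:<tag>][@<digest>] [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)
# A pinned reference ends in an immutable content digest.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def unpinned_images(dockerfile_text):
    """Return (line number, reference) for every FROM that pulls by mutable tag.

    `scratch` and references to earlier build stages are not registry pulls, so
    they are skipped. A reference built from an ARG (FROM ${BASE}) is reported,
    because the checker cannot see what it resolves to.
    """
    stages = set()
    findings = []
    for lineno, line in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref.lower() != "scratch" and ref.lower() not in stages:
            if not DIGEST_RE.search(ref):
                findings.append((lineno, ref))
        if m.group("stage"):
            stages.add(m.group("stage").lower())
    return findings


if __name__ == "__main__":
    for lineno, ref in unpinned_images(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: {ref} is not pinned by digest")
```

For the multiarch concern raised in the comments: the digest of a multi-arch manifest list (OCI image index) is a single value that the container runtime resolves to the per-architecture image, so pinning to that digest rather than to a per-architecture image digest works for a multiarch build.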