From c90cd8740863a35b51f69deb20bd8b4328a613ef Mon Sep 17 00:00:00 2001 From: SSRNServices Date: Sat, 18 Apr 2026 00:57:00 +0530 Subject: [PATCH 1/3] security: pin base images to SHA256 digests --- Dockerfile | 7 ++++--- docker-bake.hcl | 5 +++++ 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index cb8953c..5312684 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,9 +1,10 @@ # Build container -ARG GOVERSION=1.25 -ARG ALPINEVERSION +ARG GOVERSION=1.25.6 +ARG ALPINEVERSION=3.23 +ARG GOHASH=98e6cffc31ccc44c7c15d83df1d69891efee8115a5bb7ede2bf30a38af3e3c92 FROM --platform=${BUILDPLATFORM} \ - golang:$GOVERSION-alpine${ALPINEVERSION} AS build + golang@sha256:${GOHASH} AS build WORKDIR /src RUN apk --no-cache add git build-base bash diff --git a/docker-bake.hcl b/docker-bake.hcl index 697eccd..7a33baa 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -18,11 +18,16 @@ variable "ALPINEVERSION" { default = "3.23" } +variable "GOHASH" { + default = "98e6cffc31ccc44c7c15d83df1d69891efee8115a5bb7ede2bf30a38af3e3c92" +} + target "default" { args = { VERSION = CLOUDFLARED_VERSION GOVERSION = GOVERSION ALPINEVERSION = ALPINEVERSION + GOHASH = GOHASH } platforms = !MULTI_PLATFORM ? null : [ "linux/amd64", From 2b0a71dc7c605687e333811af5f44934103feae3 Mon Sep 17 00:00:00 2001 From: SSRNServices Date: Sat, 18 Apr 2026 01:04:33 +0530 Subject: [PATCH 2/3] security: minimal sha256 pinning for base image --- Dockerfile | 7 +++---- docker-bake.hcl | 5 ----- 2 files changed, 3 insertions(+), 9 deletions(-) diff --git a/Dockerfile b/Dockerfile index 5312684..71e0fb9 100644 --- a/Dockerfile +++ b/Dockerfile 
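Review bot: The new FROM line `golang@sha256:${GOHASH}` pins by digest only, so the tag that digest was resolved from is no longer recorded anywhere, and the GOVERSION/ALPINEVERSION args bumped to 1.25.6/3.23 in the same hunk no longer influence this stage at all (whether a later stage still reads them is outside the hunk). Keep the tag next to the digest so reviewers and update tooling can see what is pinned while the pull still happens by digest: `golang:${GOVERSION}-alpine${ALPINEVERSION}@sha256:${GOHASH} AS build`. Because this stage is built with `--platform=${BUILDPLATFORM}` and the bake target enumerates several platforms, the digest must be the multi-arch image index digest (as reported by `docker buildx imagetools inspect golang:1.25.6-alpine3.23`), not a single-arch manifest digest; the patch gives no way to verify which one this value is, so a comment above FROM stating its origin would make the pin auditable. Note also that exposing the digest as a build ARG means it can be overridden from the bake file or CLI, so the pin is only as strong as those inputs.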
@@ -1,10 +1,9 @@ # Build container -ARG GOVERSION=1.25.6 -ARG ALPINEVERSION=3.23 -ARG GOHASH=98e6cffc31ccc44c7c15d83df1d69891efee8115a5bb7ede2bf30a38af3e3c92 +ARG GOVERSION=1.25 +ARG ALPINEVERSION FROM --platform=${BUILDPLATFORM} \ - golang@sha256:${GOHASH} AS build + golang@sha256:98e6cffc31ccc44c7c15d83df1d69891efee8115a5bb7ede2bf30a38af3e3c92 AS build WORKDIR /src RUN apk --no-cache add git build-base bash diff --git a/docker-bake.hcl b/docker-bake.hcl index 7a33baa..697eccd 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -18,16 +18,11 @@ variable "ALPINEVERSION" { default = "3.23" } -variable "GOHASH" { - default = "98e6cffc31ccc44c7c15d83df1d69891efee8115a5bb7ede2bf30a38af3e3c92" -} - target "default" { args = { VERSION = CLOUDFLARED_VERSION GOVERSION = GOVERSION ALPINEVERSION = ALPINEVERSION - GOHASH = GOHASH } platforms = !MULTI_PLATFORM ? null : [ "linux/amd64", From 6130cbc92fa8daf9bf21235783bb893ee4e129a5 Mon Sep 17 00:00:00 2001 From: SSRNServices Date: Sat, 18 Apr 2026 01:18:26 +0530 Subject: [PATCH 3/3] fix(build): upgrade Go to 1.26 with sha256 pinning to resolve build failure --- Dockerfile | 4 ++-- docker-bake.hcl | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 71e0fb9..c2198f8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,9 +1,9 @@ # Build container -ARG GOVERSION=1.25 +ARG GOVERSION=1.26 ARG ALPINEVERSION FROM --platform=${BUILDPLATFORM} \ - golang@sha256:98e6cffc31ccc44c7c15d83df1d69891efee8115a5bb7ede2bf30a38af3e3c92 AS build + golang@sha256:f85330846cde1e57ca9ec309382da3b8e6ae3ab943d2739500e08c86393a21b1 AS build WORKDIR /src RUN apk --no-cache add git build-base bash diff --git a/docker-bake.hcl b/docker-bake.hcl index 697eccd..7f4a98a 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -11,7 +11,7 @@ variable "MULTI_PLATFORM" { } variable "GOVERSION" { - default = "1.25.6" + default = "1.26" } variable "ALPINEVERSION" {
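Review bot: Restoring `ARG GOVERSION=1.25` while inlining the digest leaves two declared build args that, after this hunk, no longer affect the build stage, and GOVERSION now says 1.25 although the same digest was labelled 1.25.6/alpine3.23 one commit earlier — someone bumping GOVERSION will change nothing and get no warning. Either keep them coupled in the FROM line (`golang:${GOVERSION}-alpine${ALPINEVERSION}@sha256:98e6cffc31ccc44c7c15d83df1d69891efee8115a5bb7ede2bf30a38af3e3c92 AS build` with `ARG GOVERSION=1.25.6` and `ARG ALPINEVERSION=3.23`), or add a comment directly above FROM such as `# golang:1.25.6-alpine3.23 (multi-arch index digest) — update together with GOVERSION/ALPINEVERSION` so the pin stays traceable. Whether a later stage still consumes ALPINEVERSION cannot be seen from this hunk.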
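Review bot: `ARG GOVERSION=1.26` (and the bake default `1.26`) now names a floating minor series while the FROM line pins one exact build of it, so nothing in the tree states which 1.26.x/Alpine release digest `f85330846cde…` corresponds to or how it was obtained — and the subject line says the previous digest broke the build, which is precisely the situation a recorded provenance would have caught. Add a comment immediately above FROM, e.g. `# golang:1.26-alpine3.23 image index digest, from: docker buildx imagetools inspect golang:1.26-alpine3.23`, and prefer the `golang:1.26-alpine3.23@sha256:…` form so tag and digest are always updated together. Since the bake target builds for multiple platforms, confirm this is the manifest-list (index) digest rather than a per-arch manifest digest; a per-arch digest is a plausible cause of the failure this commit mentions, though that cannot be verified from the patch.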