6 changes: 2 additions & 4 deletions .github/workflows/publish-ecr.yml
Expand Up @@ -2,9 +2,7 @@ name: Build-push-scan and Deploy

on:
pull_request:
types: [closed]
branches:
- main
types: [opened, synchronize, reopened]
release:
types: [published]

Expand All @@ -14,7 +12,7 @@ permissions:

jobs:
build-scan-push-latest:
if: github.event_name == 'pull_request' && github.event.pull_request.merged == true
if: github.event_name == 'pull_request'
uses: SFOE-prometheon/github-terraform-workflows/.github/workflows/ecr-build-scan-push.yml@v9
with:
dockerfile: Dockerfile.lambda
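Review bot: With `types: [opened, synchronize, reopened]` and the job condition reduced to `if: github.event_name == 'pull_request'`, `build-scan-push-latest` now runs on every push to any open pull request instead of once on merge, so code that has not passed review is built and pushed to ECR (and, if the reusable workflow tags it `latest` as the job name suggests, promoted) while the PR is still open. If the goal is early scan feedback on PRs, consider splitting scan from push: keep a scan-only job on `pull_request` and drive the push from a `push` trigger on `main`, e.g. `if: github.event_name == 'push' && github.ref == 'refs/heads/main'`, so that only merged code and `release` events publish an image. What the reusable workflow does with its inputs and tags is not visible here, so the promotion concern is inferred from the job name. The `jobs:` block continues past this hunk.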
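--- a/.inspector-ignore
+++ b/.inspector-ignore
@@ -0,0 +1,29 @@
+# Accepted risk: aws-lambda-rie vulnerabilities
+# In the base image's RIE binary, used only for local emulation.
+# Never invoked in production Lambda execution.
+GHSA-mqqf-5wvp-8fh8 # go-chi open redirect - only in RIE
+CVE-2026-39824 # golang.org/x/sys - only in RIE
+
+# Accepted risk: openssl/libsolv in AWS Lambda base image (public.ecr.aws/lambda/python:3.14)
+# These are AWS-managed packages with no update available in the repo.
+# Verified: `dnf upgrade` returns "Nothing to do" — patches not yet published by AWS.
+# Both the managed Python image and the OS-only provided:al2023 image are affected.
+# Will be resolved when AWS publishes a new base image digest.
+CVE-2026-34182 # openssl critical
+CVE-2026-45447 # openssl high
+CVE-2026-7383 # openssl high
+CVE-2026-48864 # libsolv high
+CVE-2026-34183 # openssl high
+CVE-2026-45445 # openssl high
+CVE-2026-9076 # openssl high
+CVE-2026-34180 # openssl high
+CVE-2026-42764 # openssl high
+CVE-2026-34181 # openssl high
+CVE-2026-42768 # openssl high
+CVE-2026-9150 # libsolv medium
+CVE-2026-9149 # libsolv medium
+CVE-2026-42766 # openssl medium
+CVE-2026-42769 # openssl medium
+CVE-2026-42770 # openssl medium
+CVE-2026-42767 # openssl medium
+CVE-2026-45446 # openssl medium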
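Review bot: The suppressions are keyed on bare CVE/GHSA IDs with no package scope and no expiry, so once AWS ships the patched base image these entries keep masking the same IDs without anyone noticing, and they would equally mask one of these IDs turning up in a different component than openssl, libsolv or the RIE binary. Consider recording the scoping condition and a re-check date beside each entry, e.g. `CVE-2026-34182 # openssl critical — accepted only while public.ecr.aws/lambda/python:3.14 ships unpatched openssl; re-check by <REVIEW-DATE>`, and likewise for the two RIE entries. The "Verified: `dnf upgrade` returns Nothing to do" statement refers to a mutable tag rather than a digest, so noting the base image digest that was checked would make the acceptance reproducible and give a clear trigger for removing the entries.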
13 changes: 6 additions & 7 deletions Dockerfile.lambda
@@ -1,6 +1,6 @@
# from https://docs.astral.sh/uv/guides/integration/aws-lambda/#deploying-a-docker-image

FROM ghcr.io/astral-sh/uv:0.11.7 AS uv
FROM ghcr.io/astral-sh/uv:0.11.24 AS uv

# First, bundle the dependencies into the task root.
FROM public.ecr.aws/lambda/python:3.14 AS builder
Expand Down Expand Up @@ -28,15 +28,14 @@ RUN --mount=from=uv,source=/uv,target=/bin/uv \

FROM public.ecr.aws/lambda/python:3.14

# Patch OS-level packages to latest available versions.
RUN dnf upgrade -y openssl-libs openssl-fips-provider-latest && \
# Patch OS-level packages when updates are available.
# Currently resolves "Nothing to do" but will auto-fix openssl/libsolv CVEs
# once AWS publishes patched RPMs to the AL2023 repo.
RUN dnf upgrade -y --refresh && \
pip install --upgrade pip && \
dnf clean all && \
rm -rf /var/cache/dnf

# Patch aws-lambda-rie to fix CVE-2026-42504, CVE-2026-42507, CVE-2026-27145, CVE-2026-39824, GHSA-mqqf-5wvp-8fh8
ADD https://github.com/aws/aws-lambda-runtime-interface-emulator/releases/download/v1.26.4/aws-lambda-rie-x86_64 /usr/local/bin/aws-lambda-rie
RUN chmod 755 /usr/local/bin/aws-lambda-rie

# Copy the runtime dependencies from the builder stage.
COPY --from=builder ${LAMBDA_TASK_ROOT} ${LAMBDA_TASK_ROOT}

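Review bot: The new `RUN dnf upgrade -y --refresh` upgrades every package in the final stage rather than the two openssl packages named on the line it appears to replace, against a base tag (`public.ecr.aws/lambda/python:3.14`) that is not pinned by digest, so the image contents depend on when the build runs and the "Nothing to do" claim in the comment can silently stop being true between scans. If tracking AWS patches at build time is intended, say so where the next maintainer will see it, e.g. `# Blanket upgrade: image tracks the AL2023 repo at build time; re-pin the base by digest once patched RPMs ship.`, or keep the explicit package list so each upgrade is reviewable. Separately, the RIE patch block (`ADD … aws-lambda-rie-x86_64` plus its `chmod`) seems to be the removed side here, as the print order and the new .inspector-ignore rationale suggest; its comment listed CVE-2026-42504, CVE-2026-42507 and CVE-2026-27145 as fixed by that patch, and those three IDs are not in the ignore list, so they may resurface in the scan unless the base image's bundled RIE already carries the fix. The stage continues past this hunk.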