Pin image SHA in Dockerfiles (#10205)

## Summary This pull request is created by [Secure Repo](https://app.stepsecurity.io/securerepo) at the request of @zwass. Please merge the Pull Request to incorporate the requested changes. Please tag @zwass on your message if you have any questions related to the PR. You can also engage with the [StepSecurity](https://github.com/step-security) team by tagging @step-security-bot. ## Security Fixes ### Secure Dockerfiles Pin image tags to digests in Dockerfiles. With the Docker v2 API release, it became possible to use digests in place of tags when pulling images or to use them in FROM lines in Dockerfiles. - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies) ## Feedback For bug reports, feature requests, and general feedback; please create an issue in [step-security/secure-repo](https://github.com/step-security/secure-repo). To create such PRs, please visit https://app.stepsecurity.io/securerepo. Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> --------- Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> Co-authored-by: Zach Wasserman <zach@fleetdm.com>
2024-11-06 00:45:19 +00:00 · 2023-03-01 11:37:00 -08:00 · 2023-03-01 11:37:00 -08:00 · fb152b9114
commit fb152b9114
parent 74a86ff0ab
11 changed files with 14 additions and 13 deletions
--- a/2
+++ b/2
@ -1,4 +1,4 @@
-FROM alpine
+FROM alpine:3.17.2@sha256:e2e16842c9b54d985bf1ef9242a313f36b856181f188de21313820e177002501
 LABEL maintainer="Fleet Developers"

 RUN apk --update add ca-certificates
--- a/2
+++ b/2
@ -1,4 +1,4 @@
-FROM --platform=linux/amd64 golang:1.20.1-bullseye
+FROM --platform=linux/amd64 golang:1.20.1-bullseye@sha256:745aa72cefb6f9527c1588590982c0bdf85a1be5d611dda849e54b5dbf551506
 LABEL maintainer="Fleet Developers"

 RUN apt-get update && apt-get install -y \
--- a/Dockerfile.osquery-perf
+++ b/Dockerfile.osquery-perf
@ -1,4 +1,4 @@
-FROM golang:1.20.1-alpine
+FROM golang:1.20.1-alpine@sha256:18da4399cedd9e383beb6b104d43aa1d48bd41167e312bb5306d72c51bd11548

 ARG ENROLL_SECRET
 ARG HOST_COUNT
--- a/changes/pin-dockerfiles
+++ b/changes/pin-dockerfiles
@ -0,0 +1 @@
+- Pin Docker image hashes in Dockerfiles for increased security.
--- a/infrastructure/sandbox/JITProvisioner/deprovisioner/Dockerfile
+++ b/infrastructure/sandbox/JITProvisioner/deprovisioner/Dockerfile
@ -1,4 +1,4 @@
-FROM golang:1.19.4-alpine AS builder
+FROM golang:1.19.4-alpine@sha256:86d32cc0dfc04757fd8aeebb86308e6d1e3de60c73cb59e0f99c7b2ef77416b6 AS builder
 RUN apk update && apk add --no-cache git curl openssl unzip
 WORKDIR /build
 COPY . .
--- a/infrastructure/sandbox/JITProvisioner/lambda/Dockerfile
+++ b/infrastructure/sandbox/JITProvisioner/lambda/Dockerfile
@ -1,4 +1,4 @@
-FROM golang:1.19.4-alpine AS builder
+FROM golang:1.19.4-alpine@sha256:86d32cc0dfc04757fd8aeebb86308e6d1e3de60c73cb59e0f99c7b2ef77416b6 AS builder
 WORKDIR /build
 COPY . .
 RUN go get -d -v
--- a/infrastructure/sandbox/Monitoring/lambda/Dockerfile
+++ b/infrastructure/sandbox/Monitoring/lambda/Dockerfile
@ -1,4 +1,4 @@
-FROM golang:1.19.4-alpine AS builder
+FROM golang:1.19.4-alpine@sha256:86d32cc0dfc04757fd8aeebb86308e6d1e3de60c73cb59e0f99c7b2ef77416b6 AS builder
 WORKDIR /build
 COPY . .
 RUN go get -d -v
--- a/infrastructure/sandbox/PreProvisioner/lambda/Dockerfile
+++ b/infrastructure/sandbox/PreProvisioner/lambda/Dockerfile
@ -1,4 +1,4 @@
-FROM rust:latest AS builder
+FROM rust:latest@sha256:02a53e734724bef4a58d856c694f826aa9e7ea84353516b76d9a6d241e9da60e AS builder

 ARG transporter_url=https://itunesconnect.apple.com/WebObjects/iTunesConnect.woa/ra/resources/download/public/Transporter__Linux/bin

@ -6,7 +6,7 @@ RUN cargo install --version 0.16.0 apple-codesign \
  && curl -sSf $transporter_url -o transporter_install.sh \
  && sh transporter_install.sh --target transporter --accept --noexec

-FROM golang:1.19.4-bullseye
+FROM golang:1.19.4-bullseye@sha256:9d235ae41bff699b44255bf912e77acac5046b06e61b018561239a35d9bd2ebb

 RUN apt-get update \
  && dpkg --add-architecture i386 \
--- a/tools/bomutils-docker/Dockerfile
+++ b/tools/bomutils-docker/Dockerfile
@ -1,4 +1,4 @@
-FROM debian:stable-slim AS builder
+FROM debian:stable-slim@sha256:0f116858482fd8222b4f7e9b4cdc9a054051e67fbb8a57bc22651f0d56b45ad8 AS builder

 RUN apt-get update
 RUN apt-get install -y build-essential autoconf libxml2-dev libssl-dev zlib1g-dev curl
@ -19,7 +19,7 @@ COPY patch.txt .
 RUN cd xar-xar-1.6.1/xar && patch < ../../patch.txt && autoconf && ./configure && make && make install


-FROM debian:stable-slim
+FROM debian:stable-slim@sha256:0f116858482fd8222b4f7e9b4cdc9a054051e67fbb8a57bc22651f0d56b45ad8

 RUN apt-get update && apt-get install -y --no-install-recommends libxml2  && rm -rf /var/lib/apt/lists/*
 COPY --from=builder /usr/bin /usr/bin/
--- a/tools/fleetctl-docker/Dockerfile
+++ b/tools/fleetctl-docker/Dockerfile
@ -1,4 +1,4 @@
-FROM rust:latest AS builder
+FROM rust:latest@sha256:02a53e734724bef4a58d856c694f826aa9e7ea84353516b76d9a6d241e9da60e AS builder

 ARG transporter_url=https://itunesconnect.apple.com/WebObjects/iTunesConnect.woa/ra/resources/download/public/Transporter__Linux/bin

@ -6,7 +6,7 @@ RUN cargo install --version 0.16.0 apple-codesign \
  && curl -sSf $transporter_url -o transporter_install.sh \
  && sh transporter_install.sh --target transporter --accept --noexec

-FROM debian:stable-slim
+FROM debian:stable-slim@sha256:0f116858482fd8222b4f7e9b4cdc9a054051e67fbb8a57bc22651f0d56b45ad8

 ARG binpath=build/binary-bundle/linux/fleetctl

--- a/tools/wix-docker/Dockerfile
+++ b/tools/wix-docker/Dockerfile
@ -1,4 +1,4 @@
-FROM debian:bullseye-slim
+FROM debian:bullseye-slim@sha256:cc4cc29b4ba8182fca324920f64ff68a3b24acefd4c7ba8a2e5bd4e81ac3bacf

 RUN true \
    && dpkg --add-architecture i386 \
				`@ -0,0 +1 @@`
				`- Pin Docker image hashes in Dockerfiles for increased security.`