From fb152b91146dac4ee589c9a4d84070651ccf7845 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Wed, 1 Mar 2023 11:37:00 -0800
Subject: [PATCH] Pin image SHA in Dockerfiles (#10205)

## Summary

This pull request is created by [Secure Repo](https://app.stepsecurity.io/securerepo) at the request of @zwass. Please merge the Pull Request to incorporate the requested changes. Please tag @zwass on your message if you have any questions related to the PR. You can also engage with the [StepSecurity](https://github.com/step-security) team by tagging @step-security-bot.

## Security Fixes

### Secure Dockerfiles

Pin image tags to digests in Dockerfiles. With the Docker v2 API release, it became possible to use digests in place of tags when pulling images or to use them in FROM lines in Dockerfiles.

- [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies)

## Feedback

For bug reports, feature requests, and general feedback; please create an issue in [step-security/secure-repo](https://github.com/step-security/secure-repo). To create such PRs, please visit https://app.stepsecurity.io/securerepo.

Signed-off-by: StepSecurity Bot

---------

Signed-off-by: StepSecurity Bot
Co-authored-by: Zach Wasserman
---
 Dockerfile | 2 +-
 Dockerfile-desktop-linux | 2 +-
 Dockerfile.osquery-perf | 2 +-
 changes/pin-dockerfiles | 1 +
 .../sandbox/JITProvisioner/deprovisioner/Dockerfile | 2 +-
 infrastructure/sandbox/JITProvisioner/lambda/Dockerfile | 2 +-
 infrastructure/sandbox/Monitoring/lambda/Dockerfile | 2 +-
 infrastructure/sandbox/PreProvisioner/lambda/Dockerfile | 4 ++--
 tools/bomutils-docker/Dockerfile | 4 ++--
 tools/fleetctl-docker/Dockerfile | 4 ++--
 tools/wix-docker/Dockerfile | 2 +-
 11 files changed, 14 insertions(+), 13 deletions(-)
 create mode 100644 changes/pin-dockerfiles

diff --git a/Dockerfile b/Dockerfile
index cc48932cd..3706f66a2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine
+FROM alpine:3.17.2@sha256:e2e16842c9b54d985bf1ef9242a313f36b856181f188de21313820e177002501
 LABEL maintainer="Fleet Developers"
 RUN apk --update add ca-certificates
diff --git a/Dockerfile-desktop-linux b/Dockerfile-desktop-linux
index 8ae5e4954..b574cac63 100644
--- a/Dockerfile-desktop-linux
+++ b/Dockerfile-desktop-linux
@@ -1,4 +1,4 @@
-FROM --platform=linux/amd64 golang:1.20.1-bullseye
+FROM --platform=linux/amd64 golang:1.20.1-bullseye@sha256:745aa72cefb6f9527c1588590982c0bdf85a1be5d611dda849e54b5dbf551506
 LABEL maintainer="Fleet Developers"
 RUN apt-get update && apt-get install -y \
diff --git a/Dockerfile.osquery-perf b/Dockerfile.osquery-perf
index 5ab78774a..fa92bf802 100644
--- a/Dockerfile.osquery-perf
+++ b/Dockerfile.osquery-perf
@@ -1,4 +1,4 @@
-FROM golang:1.20.1-alpine
+FROM golang:1.20.1-alpine@sha256:18da4399cedd9e383beb6b104d43aa1d48bd41167e312bb5306d72c51bd11548
 ARG ENROLL_SECRET
 ARG HOST_COUNT
diff --git a/changes/pin-dockerfiles b/changes/pin-dockerfiles
new file mode 100644
index 000000000..378e55951
--- /dev/null
+++ b/changes/pin-dockerfiles
@@ -0,0 +1 @@
+- Pin Docker image hashes in Dockerfiles for increased security.
diff --git a/infrastructure/sandbox/JITProvisioner/deprovisioner/Dockerfile b/infrastructure/sandbox/JITProvisioner/deprovisioner/Dockerfile
index 8483908fc..edd6ec542 100644
--- a/infrastructure/sandbox/JITProvisioner/deprovisioner/Dockerfile
+++ b/infrastructure/sandbox/JITProvisioner/deprovisioner/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.19.4-alpine AS builder
+FROM golang:1.19.4-alpine@sha256:86d32cc0dfc04757fd8aeebb86308e6d1e3de60c73cb59e0f99c7b2ef77416b6 AS builder
 RUN apk update && apk add --no-cache git curl openssl unzip
 WORKDIR /build
 COPY . .
diff --git a/infrastructure/sandbox/JITProvisioner/lambda/Dockerfile b/infrastructure/sandbox/JITProvisioner/lambda/Dockerfile
index b7e0913b6..ac1ca4c98 100644
--- a/infrastructure/sandbox/JITProvisioner/lambda/Dockerfile
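Review bot: Pinning the base digest in the top-level `Dockerfile` does not make the build reproducible on its own, because the context line `RUN apk --update add ca-certificates` still resolves the package against whatever index apk downloads at build time, and `--update` leaves that index in the layer. If reproducibility is the goal, pin the package and drop the index in the same layer, `RUN apk add --no-cache ca-certificates=<version-from-alpine-3.17-repo>`; the deprovisioner hunk's `apk update && apk add --no-cache git curl openssl unzip` has the same unpinned install (and its `apk update` is redundant next to `--no-cache`). A digest pin also freezes the base image's own security patches, so these digests need an automated refresh (Renovate or Dependabot docker updates) or a documented cadence, which this PR does not add anywhere in the diff.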
+++ b/infrastructure/sandbox/JITProvisioner/lambda/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.19.4-alpine AS builder
+FROM golang:1.19.4-alpine@sha256:86d32cc0dfc04757fd8aeebb86308e6d1e3de60c73cb59e0f99c7b2ef77416b6 AS builder
 WORKDIR /build
 COPY . .
 RUN go get -d -v
diff --git a/infrastructure/sandbox/Monitoring/lambda/Dockerfile b/infrastructure/sandbox/Monitoring/lambda/Dockerfile
index ad9e4cba1..99e0191a6 100644
--- a/infrastructure/sandbox/Monitoring/lambda/Dockerfile
+++ b/infrastructure/sandbox/Monitoring/lambda/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.19.4-alpine AS builder
+FROM golang:1.19.4-alpine@sha256:86d32cc0dfc04757fd8aeebb86308e6d1e3de60c73cb59e0f99c7b2ef77416b6 AS builder
 WORKDIR /build
 COPY . .
 RUN go get -d -v
diff --git a/infrastructure/sandbox/PreProvisioner/lambda/Dockerfile b/infrastructure/sandbox/PreProvisioner/lambda/Dockerfile
index 9edd16cb0..73c13897e 100644
--- a/infrastructure/sandbox/PreProvisioner/lambda/Dockerfile
+++ b/infrastructure/sandbox/PreProvisioner/lambda/Dockerfile
@@ -1,4 +1,4 @@
-FROM rust:latest AS builder
+FROM rust:latest@sha256:02a53e734724bef4a58d856c694f826aa9e7ea84353516b76d9a6d241e9da60e AS builder
 ARG transporter_url=https://itunesconnect.apple.com/WebObjects/iTunesConnect.woa/ra/resources/download/public/Transporter__Linux/bin
@@ -6,7 +6,7 @@ RUN cargo install --version 0.16.0 apple-codesign \
 && curl -sSf $transporter_url -o transporter_install.sh \
 && sh transporter_install.sh --target transporter --accept --noexec
-FROM golang:1.19.4-bullseye
+FROM golang:1.19.4-bullseye@sha256:9d235ae41bff699b44255bf912e77acac5046b06e61b018561239a35d9bd2ebb
 RUN apt-get update \
 && dpkg --add-architecture i386 \
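Review bot: `FROM rust:latest@sha256:02a53e73…` in the PreProvisioner builder stage keeps the `latest` tag even though the digest now decides what is pulled, so the tag no longer tells a reader which Rust release the build is on, and an automated digest refresh will silently jump major versions while the line still reads `latest`; replace it with the version tag the digest resolves to, `FROM rust:<resolved-rust-version>@sha256:02a53e734724bef4a58d856c694f826aa9e7ea84353516b76d9a6d241e9da60e AS builder`. The identical `rust:latest@sha256:…` line appears in the tools/fleetctl-docker hunk and needs the same change. The second hunk in this file pins golang but leaves the context lines `&& curl -sSf $transporter_url -o transporter_install.sh \` and `&& sh transporter_install.sh --target transporter --accept --noexec` downloading and executing an installer with no version pin or checksum, which is a larger unpinned build input than the base image; comparing the download against a recorded `sha256sum` before the `sh` step would close that gap. The `RUN` those lines belong to starts outside the hunk.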
@@ -1,4 +1,4 @@
-FROM debian:stable-slim AS builder
+FROM debian:stable-slim@sha256:0f116858482fd8222b4f7e9b4cdc9a054051e67fbb8a57bc22651f0d56b45ad8 AS builder
 RUN apt-get update
 RUN apt-get install -y build-essential autoconf libxml2-dev libssl-dev zlib1g-dev curl
@@ -19,7 +19,7 @@ COPY patch.txt .
 RUN cd xar-xar-1.6.1/xar && patch < ../../patch.txt && autoconf && ./configure && make && make install
-FROM debian:stable-slim
+FROM debian:stable-slim@sha256:0f116858482fd8222b4f7e9b4cdc9a054051e67fbb8a57bc22651f0d56b45ad8
 RUN apt-get update && apt-get install -y --no-install-recommends libxml2 && rm -rf /var/lib/apt/lists/*
 COPY --from=builder /usr/bin /usr/bin/
diff --git a/tools/fleetctl-docker/Dockerfile b/tools/fleetctl-docker/Dockerfile
index 4da4cb683..10cbdf70f 100644
--- a/tools/fleetctl-docker/Dockerfile
+++ b/tools/fleetctl-docker/Dockerfile
@@ -1,4 +1,4 @@
-FROM rust:latest AS builder
+FROM rust:latest@sha256:02a53e734724bef4a58d856c694f826aa9e7ea84353516b76d9a6d241e9da60e AS builder
 ARG transporter_url=https://itunesconnect.apple.com/WebObjects/iTunesConnect.woa/ra/resources/download/public/Transporter__Linux/bin
@@ -6,7 +6,7 @@ RUN cargo install --version 0.16.0 apple-codesign \
 && curl -sSf $transporter_url -o transporter_install.sh \
 && sh transporter_install.sh --target transporter --accept --noexec
-FROM debian:stable-slim
+FROM debian:stable-slim@sha256:0f116858482fd8222b4f7e9b4cdc9a054051e67fbb8a57bc22651f0d56b45ad8
 ARG binpath=build/binary-bundle/linux/fleetctl
diff --git a/tools/wix-docker/Dockerfile b/tools/wix-docker/Dockerfile
index 5f2c281d4..cc6889edd 100644
--- a/tools/wix-docker/Dockerfile
+++ b/tools/wix-docker/Dockerfile
@@ -1,4 +1,4 @@
-FROM debian:bullseye-slim
+FROM debian:bullseye-slim@sha256:cc4cc29b4ba8182fca324920f64ff68a3b24acefd4c7ba8a2e5bd4e81ac3bacf
 RUN true \
 && dpkg --add-architecture i386 \
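Review bot: `debian:stable-slim@sha256:0f116858…` in both tools/bomutils-docker stages pins a digest behind a floating tag: `stable` moves to the next Debian major on every release, so a digest refresh can change the distribution while the tag stays the same, and the tag no longer documents which release the digest belongs to. Use the codename tag the digest resolves to, `FROM debian:<resolved-codename>-slim@sha256:0f116858482fd8222b4f7e9b4cdc9a054051e67fbb8a57bc22651f0d56b45ad8 AS builder`, as the tools/wix-docker hunk already does with `bullseye-slim`; the tools/fleetctl-docker runtime stage carries the same `debian:stable-slim@sha256:…` line. In the first hunk the context lines `RUN apt-get update` and `RUN apt-get install -y build-essential …` are separate layers, so the package index is cached independently of the install and the pinned base does not make that layer reproducible; folding them into one `RUN apt-get update && apt-get install -y --no-install-recommends … && rm -rf /var/lib/apt/lists/*`, as the runtime stage in the second hunk already does, fixes both the stale-cache problem and the layer bloat.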