From 15da1f4f54013076a88d50493a284fe1f4f7b5e3 Mon Sep 17 00:00:00 2001
From: shankar0123
Date: Thu, 30 Apr 2026 02:03:07 +0000
Subject: [PATCH] fix(deploy/libest): pin debian:bookworm-slim FROM lines to digest (H-001)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CI's 'Forbidden bare FROM regression guard (H-001)' rejects any Dockerfile FROM line missing an @sha256:... digest pin. The Phase 10 libest sidecar Dockerfile shipped two bare FROMs at lines 25 and 55, both targeting debian:bookworm-slim. The repo's Bundle A / Audit H-001 (CWE-829) policy has been in force on every other Dockerfile since the bundle landed; the new sidecar simply needs to follow the same convention. Pinned both lines to: debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 That's the OCI image-index digest from https://hub.docker.com/v2/repositories/library/debian/tags/bookworm-slim fetched 2026-04-29 (last_pushed 2026-04-22). Multi-arch index, so Docker resolves the per-arch manifest correctly on the CI runner. Added a comment at the top of the FROM block documenting the bump procedure (curl + jq one-liner against the Docker Hub registry API), matching the convention from the top-level Dockerfile. Verified locally with the exact CI guard regex (grep -HnE '^FROM\s+[^@#]+(\s+AS\s+\S+)?\s*$' across every Dockerfile* under the repo, excluding web/node_modules) — passes. Also verified the M-012 USER-drop guard still passes for the libest sidecar (terminal USER estuser, set on line 73).
---
 deploy/test/libest/Dockerfile | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/deploy/test/libest/Dockerfile b/deploy/test/libest/Dockerfile
index 18c3feb..4d90a7e 100644
--- a/deploy/test/libest/Dockerfile
+++ b/deploy/test/libest/Dockerfile
@@ -22,7 +22,13 @@ ARG LIBEST_REF=v3.2.0-2
-FROM debian:bookworm-slim AS builder
+# Bundle A / Audit H-001 (CWE-829): both FROM lines below pin
+# debian:bookworm-slim to the immutable OCI image-index digest pulled
+# 2026-04-29 (last_pushed 2026-04-22). To bump:
+# curl -sSL https://hub.docker.com/v2/repositories/library/debian/tags/bookworm-slim \
+# | jq -r .digest
+# Replace the @sha256:... portion on BOTH FROM lines.
+FROM debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 AS builder
 ARG LIBEST_REF
@@ -52,7 +58,8 @@ RUN git clone --depth 1 --branch ${LIBEST_REF} https://github.com/cisco/libest.g
 # Runtime stage. Carries only what we need to docker-exec estclient
 # from the integration test: the compiled binary, the openssl CLI for
 # CSR generation + cert parsing, and bash for the test's exec scripts.
-FROM debian:bookworm-slim
+# Pinned to the same digest as the builder above (Bundle A / H-001).
+FROM debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
 RUN apt-get update && apt-get install --no-install-recommends -y \
 bash \
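Review bot: The digest is now spelled out verbatim on two FROM lines (the builder stage here and the runtime stage in the second hunk), and the added comment has to instruct maintainers to edit BOTH, so the two stages can silently drift apart on the next bump. The file already declares `ARG LIBEST_REF=v3.2.0-2` ahead of the first FROM (visible in the hunk header), so the same pre-FROM ARG mechanism can hold the digest in one place: `ARG DEBIAN_DIGEST=sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252`, then `FROM debian:bookworm-slim@${DEBIAN_DIGEST} AS builder` and `FROM debian:bookworm-slim@${DEBIAN_DIGEST}` for the runtime stage, with the bump comment pointing at that single ARG instead of "BOTH FROM lines". The guard regex quoted in the commit message (`^FROM\s+[^@#]+(\s+AS\s+\S+)?\s*$`) only rejects FROM lines that contain no `@` at all, so the substituted form should still pass it, but confirm that against the actual CI check in case it also looks for a literal `sha256:`, and check whether the top-level Dockerfile convention the message cites should be changed the same way. The second-hunk comment "Pinned to the same digest as the builder above" would then be enforced by construction rather than by reading.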