gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 15:01:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(deploy/libest): pin debian:bookworm-slim FROM lines to digest (H-001)

Browse Source 
CI's 'Forbidden bare FROM regression guard (H-001)' rejects any
Dockerfile FROM line missing an @sha256:... digest pin. The Phase 10
libest sidecar Dockerfile shipped two bare FROMs at lines 25 and 55,
both targeting debian:bookworm-slim. The repo's Bundle A / Audit
H-001 (CWE-829) policy has been in force on every other Dockerfile
since the bundle landed; the new sidecar simply needs to follow the
same convention.

Pinned both lines to:
  debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252

That's the OCI image-index digest from
https://hub.docker.com/v2/repositories/library/debian/tags/bookworm-slim
fetched 2026-04-29 (last_pushed 2026-04-22). Multi-arch index, so
Docker resolves the per-arch manifest correctly on the CI runner.

Added a comment at the top of the FROM block documenting the bump
procedure (curl + jq one-liner against the Docker Hub registry API),
matching the convention from the top-level Dockerfile.

Verified locally with the exact CI guard regex
(grep -HnE '^FROM\s+[^@#]+(\s+AS\s+\S+)?\s*$' across every
Dockerfile* under the repo, excluding web/node_modules) — passes.
Also verified the M-012 USER-drop guard still passes for the libest
sidecar (terminal USER estuser, set on line 73).
This commit is contained in:
shankar0123
2026-04-30 02:03:07 +00:00
parent 5834e5b866
commit e9011caac8
1 changed files with 9 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
deploy/test/libest/Dockerfile
+9 -2
View File
@@ -22,7 +22,13 @@
ARG LIBEST_REF=v3.2.0-2
FROM debian:bookworm-slim AS builder
# Bundle A / Audit H-001 (CWE-829): both FROM lines below pin
# debian:bookworm-slim to the immutable OCI image-index digest pulled
# 2026-04-29 (last_pushed 2026-04-22). To bump:
# curl -sSL https://hub.docker.com/v2/repositories/library/debian/tags/bookworm-slim \
# | jq -r .digest
# Replace the @sha256:... portion on BOTH FROM lines.
FROM debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 AS builder
ARG LIBEST_REF
@@ -52,7 +58,8 @@ RUN git clone --depth 1 --branch ${LIBEST_REF} https://github.com/cisco/libest.g
# Runtime stage. Carries only what we need to docker-exec estclient
# from the integration test: the compiled binary, the openssl CLI for
# CSR generation + cert parsing, and bash for the test's exec scripts.
FROM debian:bookworm-slim
# Pinned to the same digest as the builder above (Bundle A / H-001).
FROM debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
RUN apt-get update && apt-get install --no-install-recommends -y \
bash \