fix: remediate critical and high CVEs in codecov-slack-app image#158
Merged
Conversation
Rebuild berglas from source on Go 1.26 with patched x/crypto and x/net, upgrade Alpine OS packages, bump Django/urllib3/PyJWT floors, and add CI workflow to build and push PR images to AR for vulnerability verification. Co-authored-by: Cursor <cursoragent@cursor.com>
thomasrockhu-codecov
temporarily deployed
to
staging
July 15, 2026 05:52 — with
GitHub Actions
Inactive
All five residual AR findings on the CI image were fixable pip 25.0.1 CVEs; bump pip in both Dockerfile.requirements stages. Co-authored-by: Cursor <cursoragent@cursor.com>
thomasrockhu-codecov
temporarily deployed
to
staging
July 15, 2026 06:02 — with
GitHub Actions
Inactive
AR still flagged pip 25.0.1 from the ensurepip bundled wheel left in the Python base image even after upgrading runtime pip to 26.1.2. Co-authored-by: Cursor <cursoragent@cursor.com>
drazisil-codecov
approved these changes
Jul 15, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
golang:1.26-bookwormwith patchedgolang.org/x/crypto@v0.54.0andgolang.org/x/net@v0.57.0instead of the stale prebuilt berglas image (clears 7 critical SSH CVEs and Go stdlib findings in AR).Dockerfile.requirementsand bump Python dependency floors from the security canvas scan: Django 5.1.15, urllib3 2.7.0, PyJWT 2.13.0.ci-release-<sha>tag) so vulnerability scans can run against the CI-built digest.Context
codecov/codecov-slack-appis the highest-risk production image in the security canvas (14 critical + 58 high CVEs). Local Docker Scout scan of the CI-equivalent build drops this to 0 critical / 3 high — all three are unfixed Alpinesqlite-libsCVEs bundled with the Python base image (no upstream fix on Alpine 3.21).Test plan
us-docker.pkg.dev/.../codecov-slack-app:ci-release-<sha>codecov/codecov-slack-appMade with Cursor