Skip to content

fix: remediate critical and high CVEs in codecov-slack-app image#158

Merged
thomasrockhu-codecov merged 3 commits into
masterfrom
th/codecov-slack-app-cve
Jul 15, 2026
Merged

fix: remediate critical and high CVEs in codecov-slack-app image#158
thomasrockhu-codecov merged 3 commits into
masterfrom
th/codecov-slack-app-cve

Conversation

@thomasrockhu-codecov

Copy link
Copy Markdown
Contributor

Summary

  • Rebuild berglas from source on golang:1.26-bookworm with patched golang.org/x/crypto@v0.54.0 and golang.org/x/net@v0.57.0 instead of the stale prebuilt berglas image (clears 7 critical SSH CVEs and Go stdlib findings in AR).
  • Upgrade Alpine OS packages in Dockerfile.requirements and bump Python dependency floors from the security canvas scan: Django 5.1.15, urllib3 2.7.0, PyJWT 2.13.0.
  • Add a CI workflow that builds and pushes the image to Artifact Registry on PRs (ci-release-<sha> tag) so vulnerability scans can run against the CI-built digest.

Context

codecov/codecov-slack-app is the highest-risk production image in the security canvas (14 critical + 58 high CVEs). Local Docker Scout scan of the CI-equivalent build drops this to 0 critical / 3 high — all three are unfixed Alpine sqlite-libs CVEs bundled with the Python base image (no upstream fix on Alpine 3.21).

Test plan

  • CI workflow completes build + push to us-docker.pkg.dev/.../codecov-slack-app:ci-release-<sha>
  • Re-run security-scan pipeline and confirm AR crit+high counts drop for codecov/codecov-slack-app
  • Merge to staging and verify staging deploy

Made with Cursor

Rebuild berglas from source on Go 1.26 with patched x/crypto and x/net,
upgrade Alpine OS packages, bump Django/urllib3/PyJWT floors, and add CI
workflow to build and push PR images to AR for vulnerability verification.

Co-authored-by: Cursor <cursoragent@cursor.com>
All five residual AR findings on the CI image were fixable pip 25.0.1
CVEs; bump pip in both Dockerfile.requirements stages.

Co-authored-by: Cursor <cursoragent@cursor.com>
AR still flagged pip 25.0.1 from the ensurepip bundled wheel left in
the Python base image even after upgrading runtime pip to 26.1.2.

Co-authored-by: Cursor <cursoragent@cursor.com>
@thomasrockhu-codecov
thomasrockhu-codecov merged commit 735782a into master Jul 15, 2026
4 checks passed
@thomasrockhu-codecov
thomasrockhu-codecov deleted the th/codecov-slack-app-cve branch July 15, 2026 15:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants