chore(supply-chain): pin govulncheck + base images by digest/version#6
Merged
Conversation
Three @latest-shaped references were exposed to registry-side substitution risk: 1. govulncheck installed via `go install ...@latest` in ci.yml, release.yml, and Makefile. Pin to v1.3.0 — the version goreleaser was already using and the most recent tag at time of writing. 2. golang:1.26.4-alpine3.22 builder pulled by tag in Dockerfile. Now pinned by digest sha256:727cfc3c40be... so a compromised tag push to docker.io can't substitute a backdoored toolchain. 3. gcr.io/distroless/static-debian12:nonroot pulled by tag in Dockerfile + Dockerfile.release. Now pinned by digest sha256:d093aa3e30db... in both files. Tag stays on the FROM line for grepability; the digest is what drives the pull. Both Dockerfiles must move together when the distroless digest is rotated — noted inline. Verified by rebuilding Dockerfile end-to-end and running `themis --version` from the resulting image: still reports "themis dev (commit none, built unknown, go1.26.4)" exactly as before the pin. Image size and entry point unchanged. Future work: goreleaser warns dockers/docker_manifests are being phased out in favour of dockers_v2. Tracked as a follow-up; the current pipeline still works on goreleaser v2.x.
3 tasks
tzone85
added a commit
that referenced
this pull request
Jun 11, 2026
Adds an Unreleased section to CHANGELOG.md covering the five sequential PRs that landed today: - #2 chore(security): bump x/sys for GO-2026-5024 - #3 fix(api): validate tenant id at route boundary - #4 fix(ingest): reject option-shaped --base-ref - #5 fix(mempalace): validate Kind/Tenant/Key against path traversal - #6 chore(supply-chain): pin govulncheck + base images by digest Updates README Status to mention the hardening pass and replaces a stale `§9` design-spec cross-reference with the section's actual name (per the project's doc-style rule against the § symbol). No code changes, no behaviour changes — pure documentation refresh for the audit story.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Three
@latest-shaped references were exposed to registry-side substitution risk. All three now pinned:go install ...@latestinci.yml,release.yml, andMakefile→ pinned to@v1.3.0. A compromised tag push to the proxy can't silently degrade the scan.Dockerfile→ pinned by digestsha256:727cfc3c40be....Dockerfile+Dockerfile.release→ pinned by digestsha256:d093aa3e30db...in both files.Tag stays on the FROM line for grepability; the digest is what drives the pull. Both Dockerfiles must move together when the distroless digest is rotated — noted inline in
Dockerfile.release.Verification
docker build -t themis-build-test -f Dockerfile .— succeeds end-to-end on the pinned digestdocker run --rm themis-build-test --version— printsthemis dev (commit none, built unknown, go1.26.4)exactly as before the pingo test -race ./...— all packages greengolangci-lint run— 0 issuesFuture work
goreleaser checkwarnsdockers/docker_manifestsare being phased out in favour ofdockers_v2. Tracked as a follow-up; the current pipeline still works on goreleaser v2.x.