Skip to content

chore(supply-chain): pin govulncheck + base images by digest/version#6

Merged
tzone85 merged 1 commit into
mainfrom
harden/pin-supply-chain-versions
Jun 11, 2026
Merged

chore(supply-chain): pin govulncheck + base images by digest/version#6
tzone85 merged 1 commit into
mainfrom
harden/pin-supply-chain-versions

Conversation

@tzone85

@tzone85 tzone85 commented Jun 11, 2026

Copy link
Copy Markdown
Owner

Summary

Three @latest-shaped references were exposed to registry-side substitution risk. All three now pinned:

  1. govulncheckgo install ...@latest in ci.yml, release.yml, and Makefile → pinned to @v1.3.0. A compromised tag push to the proxy can't silently degrade the scan.
  2. golang:1.26.4-alpine3.22 builder in Dockerfile → pinned by digest sha256:727cfc3c40be....
  3. gcr.io/distroless/static-debian12:nonroot in Dockerfile + Dockerfile.release → pinned by digest sha256:d093aa3e30db... in both files.

Tag stays on the FROM line for grepability; the digest is what drives the pull. Both Dockerfiles must move together when the distroless digest is rotated — noted inline in Dockerfile.release.

Verification

  • docker build -t themis-build-test -f Dockerfile . — succeeds end-to-end on the pinned digest
  • docker run --rm themis-build-test --version — prints themis dev (commit none, built unknown, go1.26.4) exactly as before the pin
  • go test -race ./... — all packages green
  • golangci-lint run — 0 issues

Future work

goreleaser check warns dockers / docker_manifests are being phased out in favour of dockers_v2. Tracked as a follow-up; the current pipeline still works on goreleaser v2.x.

Three @latest-shaped references were exposed to registry-side
substitution risk:

1. govulncheck installed via `go install ...@latest` in ci.yml,
   release.yml, and Makefile. Pin to v1.3.0 — the version goreleaser
   was already using and the most recent tag at time of writing.
2. golang:1.26.4-alpine3.22 builder pulled by tag in Dockerfile.
   Now pinned by digest sha256:727cfc3c40be... so a compromised tag
   push to docker.io can't substitute a backdoored toolchain.
3. gcr.io/distroless/static-debian12:nonroot pulled by tag in
   Dockerfile + Dockerfile.release. Now pinned by digest
   sha256:d093aa3e30db... in both files. Tag stays on the FROM line
   for grepability; the digest is what drives the pull.

Both Dockerfiles must move together when the distroless digest is
rotated — noted inline.

Verified by rebuilding Dockerfile end-to-end and running
`themis --version` from the resulting image: still reports
"themis dev (commit none, built unknown, go1.26.4)" exactly as
before the pin. Image size and entry point unchanged.

Future work: goreleaser warns dockers/docker_manifests are being
phased out in favour of dockers_v2. Tracked as a follow-up; the
current pipeline still works on goreleaser v2.x.
@tzone85 tzone85 merged commit 558d797 into main Jun 11, 2026
2 checks passed
@tzone85 tzone85 deleted the harden/pin-supply-chain-versions branch June 11, 2026 09:20
tzone85 added a commit that referenced this pull request Jun 11, 2026
Adds an Unreleased section to CHANGELOG.md covering the five
sequential PRs that landed today:
- #2 chore(security): bump x/sys for GO-2026-5024
- #3 fix(api): validate tenant id at route boundary
- #4 fix(ingest): reject option-shaped --base-ref
- #5 fix(mempalace): validate Kind/Tenant/Key against path traversal
- #6 chore(supply-chain): pin govulncheck + base images by digest

Updates README Status to mention the hardening pass and replaces a
stale `§9` design-spec cross-reference with the section's actual
name (per the project's doc-style rule against the § symbol).

No code changes, no behaviour changes — pure documentation refresh
for the audit story.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant