Skip to content

security: digest-pin Dockerfile base images#156

Merged
cx-artur-ribeiro merged 2 commits intomasterfrom
AST-151131
Apr 23, 2026
Merged

security: digest-pin Dockerfile base images#156
cx-artur-ribeiro merged 2 commits intomasterfrom
AST-151131

Conversation

@cx-artur-ribeiro
Copy link
Copy Markdown
Collaborator

@cx-artur-ribeiro cx-artur-ribeiro commented Apr 23, 2026

Pin both FROM images by SHA256 digest so a repushed/poisoned tag on the upstream registry cannot flow into the Action build. SHA-pinning the GitHub Action alone is insufficient because the Docker image tag remains mutable on Docker Hub.

I've downgraded kics to version 2.1.19 for now:

  • checkmarx/kics: v2.1.20 -> v2.1.19 -> sha256
  • cgr.dev/chainguard/wolfi-base:latest -> sha256

The tag is kept alongside the digest as a human-readable intent marker;
Docker resolves the pull by digest, so a mismatched tag republish fails closed instead of silently substituting content.

Thanks to @bsgrigorov and everyone involved for bringing this issue to our attention.

@cx-artur-ribeiro cx-artur-ribeiro self-assigned this Apr 23, 2026
@cx-artur-ribeiro cx-artur-ribeiro requested a review from a team as a code owner April 23, 2026 08:17
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 23, 2026

kics-logo

KICS version: v2.1.19

Category Results
CRITICAL CRITICAL 0
HIGH HIGH 1
MEDIUM MEDIUM 3
LOW LOW 1
INFO INFO 0
TRACE TRACE 0
TOTAL TOTAL 5
Metric Values
Files scanned placeholder 2
Files parsed placeholder 2
Files failed to scan placeholder 0
Total executed queries placeholder 1099
Queries failed to execute placeholder 0
Execution time placeholder 20

Queries Results

Query Name Query Id Severity Platform Cwe Risk Score Category Experimental Description File Name Line Issue Type Search Key Expected Value Actual Value Resource Type Resource Name Remediation Remediation Type
Passwords And Secrets - Generic Password 487f4be7-3fd9-4506-a07a-eae252180c08 HIGH Common 798 7.8 Secret Management false Query to find passwords and secrets in infrastructure code. test/samples/positive1.tf 12 RedundantAttribute Hardcoded secret key should not appear in source Hardcoded secret key appears in source
AD Admin Not Configured For SQL Server a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b MEDIUM Terraform 732 5.9 Insecure Configurations false The Active Directory Administrator is not configured for a SQL server test/samples/positive1.tf 6 MissingAttribute azurerm_sql_server[positive2] A 'azurerm_sql_active_directory_administrator' should be defined for 'azurerm_sql_server[positive2]' A 'azurerm_sql_active_directory_administrator' is not defined for 'azurerm_sql_server[positive2]' azurerm_sql_server mysqlserver1
Admin User Enabled For Container Registry b897dfbf-322c-45a8-b67c-1e698beeaa51 MEDIUM Terraform 732 5.4 Access Control false Admin user is enabled for Container Registry test/samples/positive2.tf 11 IncorrectValue azurerm_container_registry[positive2].admin_enabled 'admin_enabled' equal 'false' 'admin_enabled' equal 'true' azurerm_container_registry containerRegistry1 {"after":"false","before":"true"} replacement
SQL Server Auditing Disabled f7e296b0-6660-4bc5-8f87-22ac4a815edf MEDIUM Terraform 778 6.4 Observability false Make sure that for SQL Servers, 'Auditing' is set to 'On' test/samples/positive1.tf 6 MissingAttribute azurerm_sql_server[positive2] 'azurerm_sql_server.positive2.extended_auditing_policy' should exist 'azurerm_sql_server.positive2.extended_auditing_policy' does not exist azurerm_sql_server mysqlserver1
SQL Server Predictable Active Directory Account Name bcd3fc01-5902-4f2a-b05a-227f9bbf5450 LOW Terraform 522 2.9 Best Practices false Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict test/samples/positive1.tf 18 IncorrectValue azurerm_sql_active_directory_administrator[positive3].login 'azurerm_sql_active_directory_administrator[positive3].login' should not be predictable' 'azurerm_sql_active_directory_administrator[positive3].login' is predictable azurerm_sql_active_directory_administrator positive3

@bsgrigorov bsgrigorov mentioned this pull request Apr 23, 2026
Open
@cx-artur-ribeiro cx-artur-ribeiro merged commit adb6756 into master Apr 23, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cx-miguel-dasilva cx-miguel-dasilva cx-miguel-dasilva approved these changes

Assignees

@cx-artur-ribeiro cx-artur-ribeiro

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cx-artur-ribeiro @cx-miguel-dasilva