fix(agent): pin base image digest, always rebuild for security scan (#132)

scottschreckengaust · claude · web-flow · commit 98aff27d5e0a · 2026-05-19T17:29:44.000Z
* fix(agent): pin base image digest, always rebuild for security scan The pre-push security scan failed on stale Docker layer cache — fixable CVEs in the base image weren't picked up because the `security:image` task skipped rebuilds when the image already existed locally. - Pin `python:3.13-slim` to SHA256 digest for reproducible builds - Remove `docker image inspect || build` conditional — always rebuild ensures `apt-get upgrade` picks up latest Debian security patches - Add `.grype.yaml` with documented suppressions for won't-fix CVEs (glibc, curl, ncurses, libexpat, libtasn1, GnuTLS, GnuPG, CPython) The existing `apt-get upgrade --no-install-recommends` in the Dockerfile already handles fixable CVEs — the root cause was stale cache, not missing upgrade logic. Fixes #92 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(agent): remove dead .grype.yaml config The file is not picked up by any scanner — grype auto-discovers from CWD (repo root), not agent/, and the image scan uses trivy with --ignore-unfixed which already handles won't-fix CVEs. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: bgagent <345885+scottschreckengaust@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/agent/Dockerfile b/agent/Dockerfile
@@ -8,7 +8,7 @@ FROM --platform=$TARGETPLATFORM golang:1.26.3-bookworm AS gh-builder
 ARG GH_VERSION
 RUN GOPROXY=direct GOBIN=/out go install "github.com/cli/cli/v2/cmd/gh@v${GH_VERSION}"
 
-FROM --platform=$TARGETPLATFORM python:3.13-slim
+FROM --platform=$TARGETPLATFORM python:3.13-slim@sha256:dc1546eefcbe8caaa1f004f16ab76b204b5e1dbd58ff81b899f21cd40541232f
 
 # Install mise (polyglot dev tool manager)
 COPY --from=mise /usr/local/bin/mise /usr/local/bin/mise
diff --git a/agent/mise.toml b/agent/mise.toml
@@ -57,7 +57,7 @@ description = "Scan container image with trivy"
 # the .. context, the build fails because COPY agent/... can't find
 # agent/ inside the agent/ directory.
 run = [
-  "docker image inspect bgagent-local:latest >/dev/null 2>&1 || (ARCH=\"$(uname -m)\"; PLATFORM=\"linux/arm64\"; if [ \"$ARCH\" = \"x86_64\" ]; then PLATFORM=\"linux/amd64\"; fi; docker build --build-arg TARGETPLATFORM=\"$PLATFORM\" --build-arg CACHE_BUST=\"$(date +%s)\" -f Dockerfile -t bgagent-local:latest ..)",
+  "ARCH=\"$(uname -m)\"; PLATFORM=\"linux/arm64\"; if [ \"$ARCH\" = \"x86_64\" ]; then PLATFORM=\"linux/amd64\"; fi; docker build --build-arg TARGETPLATFORM=\"$PLATFORM\" --build-arg CACHE_BUST=\"$(date +%s)\" -f Dockerfile -t bgagent-local:latest ..",
   "trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --severity HIGH,CRITICAL --exit-code 1 bgagent-local:latest",
 ]
 

Original file line number	Diff line number	Diff line change
`@@ -57,7 +57,7 @@ description = "Scan container image with trivy"`
`57`	`57`	`# the .. context, the build fails because COPY agent/... can't find`
`58`	`58`	`# agent/ inside the agent/ directory.`
`59`	`59`	`run = [`
`60`		`- "docker image inspect bgagent-local:latest >/dev/null 2>&1 \|\| (ARCH=\"$(uname -m)\"; PLATFORM=\"linux/arm64\"; if [ \"$ARCH\" = \"x86_64\" ]; then PLATFORM=\"linux/amd64\"; fi; docker build --build-arg TARGETPLATFORM=\"$PLATFORM\" --build-arg CACHE_BUST=\"$(date +%s)\" -f Dockerfile -t bgagent-local:latest ..)",`
	`60`	`+ "ARCH=\"$(uname -m)\"; PLATFORM=\"linux/arm64\"; if [ \"$ARCH\" = \"x86_64\" ]; then PLATFORM=\"linux/amd64\"; fi; docker build --build-arg TARGETPLATFORM=\"$PLATFORM\" --build-arg CACHE_BUST=\"$(date +%s)\" -f Dockerfile -t bgagent-local:latest ..",`
`61`	`61`	`"trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --severity HIGH,CRITICAL --exit-code 1 bgagent-local:latest",`
`62`	`62`	`]`
`63`	`63`