Reported as H-05 in the PR #117 security assessment.
What
The model-downloader init container is pinned to a mutable tag:
// operator/internal/controller/reconcilers/storage.go:16
hfInitContainerImage = "ghcr.io/nebari-dev/nebari-llm-serving-pack/model-downloader:latest"
This init container runs in the serving pod with access to the model storage volume and the credentials used to fetch the model (for example the HuggingFace token). With :latest, the image that actually runs is whatever the registry serves at pull time, so any push to that tag runs with those credentials on every model start, with nothing pinned to detect or prevent it.
Why it matters
A mutable tag gives no supply-chain guarantee, and this image has credential access. Digest pinning is the standard mitigation.
Fix
- Pin to an immutable digest (
...@sha256:...), ideally surfaced as a chart value so it is upgraded deliberately.
- Consider scoping the credentials the init container receives to only what the download needs.
Reported as H-05 in the PR #117 security assessment.
What
The model-downloader init container is pinned to a mutable tag:
This init container runs in the serving pod with access to the model storage volume and the credentials used to fetch the model (for example the HuggingFace token). With
:latest, the image that actually runs is whatever the registry serves at pull time, so any push to that tag runs with those credentials on every model start, with nothing pinned to detect or prevent it.Why it matters
A mutable tag gives no supply-chain guarantee, and this image has credential access. Digest pinning is the standard mitigation.
Fix
...@sha256:...), ideally surfaced as a chart value so it is upgraded deliberately.