1+ # =============================================================================
2+ # Golden Images Standard
3+ # =============================================================================
4+ # Managed by: Infrastructure / DevOps Team
5+ # Source: https://github.com/tinyfish-io/github-control
6+ # Linear ticket: https://linear.app/tinyfish/issue/INF-1097
7+ #
8+ # This file is automatically replicated to ALL active repositories.
9+ # DO NOT edit this file locally — changes will be overwritten on next
10+ # Terraform apply. To propose updates, open a PR in github-control.
11+ #
12+ # -----------------------------------------------------------------------------
13+ # TIER DEFINITIONS
14+ # -----------------------------------------------------------------------------
15+ # recommended:
16+ # DevOps-owned. The Infrastructure team handles OS-level CVE monitoring,
17+ # Vanta ticket triage, quarterly SHA digest updates, and patch coordination.
18+ #
19+ # acceptable:
20+ # Developer-owned. Teams using this image are fully responsible for:
21+ # - Monitoring OS-level CVEs flagged by AWS Inspector / Vanta
22+ # - Filing and remediating their own security tickets
23+ # - Upgrading to the recommended tier before the image's EOL date
24+ # Using an acceptable-tier image does NOT exempt a team from Vanta SLAs.
25+ #
26+ # -----------------------------------------------------------------------------
27+ # USAGE (Dockerfile)
28+ # -----------------------------------------------------------------------------
29+ # Always reference the full URI with the SHA256 digest for build immutability.
30+ # Floating tags (:latest, :22, :3.12) are PROHIBITED in production Dockerfiles.
31+ #
32+ # CORRECT:
33+ # FROM node:24-bookworm-slim@sha256:e8e2e91b1378f83c5b2dd15f0247f34110e2fe895f6ca7719dbb780f929368eb
34+ #
35+ # WRONG:
36+ # FROM node:24-bookworm-slim
37+ # FROM node:latest
38+ # FROM node:22
39+ #
40+ # =============================================================================
41+
42+ golden_images :
43+
44+ # ---------------------------------------------------------------------------
45+ # Node.js
46+ # ---------------------------------------------------------------------------
47+ nodejs :
48+
49+ - tier : recommended
50+ alias : node-24-lts
51+ image : node:24-bookworm-slim
52+ uri : node:24-bookworm-slim@sha256:e8e2e91b1378f83c5b2dd15f0247f34110e2fe895f6ca7719dbb780f929368eb
53+ runtime_version : " 24.14.0"
54+ base_os : Debian 12 (Bookworm) slim
55+ digest_updated : " 2026-02-27"
56+ eol : " 2029-04-30"
57+ description : >
58+ Node.js 24 LTS on Debian 12 Bookworm slim. DevOps-managed.
59+ Slim variant reduces attack surface vs the full image while retaining
60+ native-module compatibility (unlike Alpine/musl). Receives timely Debian
61+ security patches for OS-level packages.
62+ use_case : " All Node.js services, CI builds, tooling containers."
63+
64+ - tier : acceptable
65+ alias : node-22-lts
66+ image : node:22-bookworm-slim
67+ uri : node:22-bookworm-slim@sha256:dd9d21971ec4395903fa6143c2b9267d048ae01ca6d3ea96f16cb30df6187d94
68+ runtime_version : " 22.22.0"
69+ base_os : Debian 12 (Bookworm) slim
70+ digest_updated : " 2026-02-27"
71+ eol : " 2027-04-30"
72+ description : >
73+ Node.js 22 LTS on Debian 12 Bookworm slim. DEVELOPER-managed.
74+ Teams using this image are responsible for OS-level CVE monitoring,
75+ patching, and Vanta ticket remediation independently.
76+ use_case : " Teams not yet migrated to Node 24 LTS."
77+ caveats :
78+ - " Migrate to node-24-lts (recommended) before April 2027 EOL."
79+ - " Developer team owns OS-level CVE patching and all Vanta SLA obligations."
80+
81+ # ---------------------------------------------------------------------------
82+ # Python
83+ # ---------------------------------------------------------------------------
84+ python :
85+
86+ - tier : recommended
87+ alias : python-313
88+ image : python:3.13-slim-bookworm
89+ uri : python:3.13-slim-bookworm@sha256:1245b6c39d0b8e49e911c7d07b60cd9ed26016b0e439b6903d5e08730e417553
90+ runtime_version : " 3.13.x"
91+ base_os : Debian 12 (Bookworm) slim
92+ digest_updated : " 2026-02-27"
93+ eol : " 2029-10-31"
94+ description : >
95+ Python 3.13 on Debian 12 Bookworm slim. DevOps-managed.
96+ Slim variant minimizes pre-installed packages, reducing the OS-level
97+ attack surface while remaining fully pip-compatible.
98+ use_case : " All Python services, ML workloads, data pipelines, Lambda containers."
99+
100+ - tier : acceptable
101+ alias : python-312
102+ image : python:3.12-slim-bookworm
103+ uri : python:3.12-slim-bookworm@sha256:593bd06efe90efa80dc4eee3948be7c0fde4134606dd40d8dd8dbcade98e669c
104+ runtime_version : " 3.12.12"
105+ base_os : Debian 12 (Bookworm) slim
106+ digest_updated : " 2026-02-27"
107+ eol : " 2028-10-31"
108+ description : >
109+ Python 3.12 on Debian 12 Bookworm slim. DEVELOPER-managed.
110+ Teams using this image are responsible for OS-level CVE monitoring,
111+ patching, and Vanta ticket remediation independently.
112+ use_case : " Teams not yet migrated to Python 3.13."
113+ caveats :
114+ - " Plan migration to python-313 (recommended) before October 2028 EOL."
115+ - " Developer team owns OS-level CVE patching and all Vanta SLA obligations."
116+
117+ # ---------------------------------------------------------------------------
118+ # Microsoft Playwright (AI web automation)
119+ # ---------------------------------------------------------------------------
120+ playwright :
121+
122+ - tier : recommended
123+ alias : playwright-latest
124+ image : mcr.microsoft.com/playwright:v1.58.2-noble
125+ uri : mcr.microsoft.com/playwright:v1.58.2-noble@sha256:65cefd09a5e943921ecd3a6e5414c603db2eb161e9eb48f2e2ccc63486dc7dc0
126+ runtime_version : " 1.58.2"
127+ base_os : Ubuntu 24.04 LTS (Noble Numbat)
128+ digest_updated : " 2026-02-27"
129+ description : >
130+ Microsoft Playwright v1.58.2 on Ubuntu 24.04 LTS (Noble). DevOps-managed.
131+ Pre-baked with all browser binaries (Chromium, Firefox, WebKit) and their
132+ system-level dependencies. Playwright is the backbone of our AI web
133+ automation workflows, enabling agents to interact with the web at scale.
134+ use_case : " AI web automation workflows, browser-based AI agents."
135+
136+ - tier : acceptable
137+ alias : playwright-v154
138+ image : mcr.microsoft.com/playwright:v1.54.0-noble
139+ uri : mcr.microsoft.com/playwright:v1.54.0-noble@sha256:96b27b29220f99ef3205c4aa3a8b8e1b5beb6c3ebb2e9acbdef80cb944a03012
140+ runtime_version : " 1.54.0"
141+ base_os : Ubuntu 24.04 LTS (Noble Numbat)
142+ digest_updated : " 2026-02-27"
143+ description : >
144+ Microsoft Playwright v1.54.0 on Ubuntu 24.04 LTS (Noble). DEVELOPER-managed.
145+ Teams using this version are responsible for monitoring CVEs and upgrading
146+ to the recommended tier.
147+ use_case : " AI web automation workflows pinned to Playwright 1.54 pending migration."
148+ caveats :
149+ - " Upgrade to playwright-latest (recommended) once workflow compatibility with v1.58 is confirmed."
150+ - " Developer team owns OS-level CVE patching and all Vanta SLA obligations."
151+ - " 4 minor versions behind recommended; bundled browser binaries may carry known CVEs."
152+
153+ # =============================================================================
154+ # Metadata
155+ # =============================================================================
156+ metadata :
157+ last_reviewed : " 2026-02-27"
158+ next_review_due : " 2026-05-27"
159+ review_cadence : quarterly
160+ maintained_by : " Infrastructure / DevOps Team"
161+ linear_ticket : https://linear.app/tinyfish/issue/INF-1097
162+ policy : >
163+ All Dockerfiles MUST reference images from this file using the full URI
164+ with SHA256 digest (@sha256:...) for build immutability.
165+ Floating tags (e.g. :latest, :22, :3.12) are PROHIBITED in production
166+ Dockerfiles. This file is updated quarterly or upon critical CVE disclosure.
167+ To propose changes, open a PR in github-control referencing INF-1097.
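Review bot: the two `playwright` entries have no `eol` field, while every `nodejs` and `python` entry carries one; the tier definitions make "Upgrading to the recommended tier before the image's EOL date" a developer obligation, so the `playwright-v154` acceptable entry has no deadline a team can be held to. Add `eol` (or a dated migration target) to both Playwright entries so the caveat "Upgrade to playwright-latest (recommended) once workflow compatibility with v1.58 is confirmed." becomes enforceable. Two smaller consistency points in the same hunk: `python-313` records `runtime_version : " 3.13.x"` although its `uri` pins a single digest, so the exact patch version is known and should be written out as the other entries do; and the alias `playwright-latest` for a digest-pinned v1.58.2 image reads like the floating tags the header prohibits, so a version-bearing alias such as `playwright-v158`, matching the `playwright-v154` convention, would avoid confusion when the digest is bumped.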