security: pin Docker base images by digest + add .dockerignore (PER-8633) #50

Open: Shivanshu-07 wants to merge 1 commit into master from security/PER-8633-pin-base-image

@Shivanshu-07 Shivanshu-07 commented Jun 12, 2026

Summary

Breaks the High-severity supply-chain chain PER-8633 (C-001, combined CVSS 9.1): an unpinned BASE_IMAGE lets an attacker who can influence the pipeline substitute a malicious image, gaining build-time RCE; ADD . /app/src then copies the committed RSA test keys and full source into an attacker-controlled layer for exfiltration.

Changes

  • .buildkite/pipeline.yml — pinned all three test base images (ruby:2.6/2.7/3.0-alpine) to immutable @sha256 digests. The legitimate CI path can no longer have a mutable tag swapped for a tampered image. (Multi-version testing preserved.)
  • Makefile — digest-pinned the default BASE_IMAGE used by local make build.
  • .dockerignore (new) — keeps .git/, .github/, .buildkite/ and env files out of the build context.
    • spec/ is intentionally kept in the context: make test runs bundle exec rspec inside the container, so the SSL fixtures under spec/support/ssl/ must be present. Excluding it would silently break the test suite.

Out of scope (flagged on the ticket as follow-ups)

  • Commit Gemfile.lock + run bundle install --frozen for reproducible resolution (touches dependency resolution; better as its own change).
  • Rotate the committed test RSA keys (spec/support/ssl/*.key) and confirm trusted-ca.crt is not present in any prod/staging trust store — an ops action, not a code change.

Verification

  • pipeline.yml parses cleanly; digests resolved live from Docker Hub registry for each ruby:*-alpine tag.

Closes PER-8633 (chain entry pinned; data-exfil follow-ups flagged).

🤖 Generated with Claude Code
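
A CI check in the spirit of the pinning change described in this pull request, as an added example that is not part of the PR or the project's code: it flags image references that are not pinned to a full sha256 digest. The assignment forms it scans, the sample file content and the digests are constructed for illustration.

```python
import re

# Pinned means the reference ends in a full sha256 digest (64 lowercase hex digits).
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
PATTERNS = [
    # Dockerfile: FROM [--platform=...] <ref> [AS <stage>]
    re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?", re.I),
    # Makefile / Dockerfile ARG / YAML env: BASE_IMAGE =, :=, ?= or : <ref>
    re.compile(r"^\s*(?:-\s+)?(?:ARG\s+)?BASE_IMAGE\s*(?::=|\?=|=|:)\s*[\"']?(?P<ref>[^\s\"']+)"),
]

def unpinned_refs(text):
    """Return [(line_no, ref, reason)] for image references not pinned by digest."""
    findings, stages = [], set()
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # drop trailing comments
        for pattern in PATTERNS:
            m = pattern.match(line)
            if not m:
                continue
            ref = m.group("ref")
            stage = m.groupdict().get("stage")
            # Skipped: the empty base image, earlier build stages, and variable
            # references (the value is checked on the line that assigns it).
            if ref.lower() != "scratch" and ref not in stages and "$" not in ref:
                if "@" not in ref:
                    findings.append((line_no, ref, "mutable tag, no digest"))
                elif not DIGEST.search(ref):
                    findings.append((line_no, ref, "malformed digest"))
            if stage:
                stages.add(stage)
            break
    return findings

# Constructed sample input; the digests are placeholders, not real image digests.
GOOD = "a" * 64
SAMPLE = f"""\
BASE_IMAGE ?= ruby:2.7-alpine
ARG BASE_IMAGE=ruby:3.0-alpine@sha256:{GOOD}
FROM ${{BASE_IMAGE}} AS build
FROM build
FROM ruby:2.6-alpine@sha256:deadbeef
      BASE_IMAGE: "ruby:2.6-alpine@sha256:{GOOD}"
"""

if __name__ == "__main__":
    for line_no, ref, reason in unpinned_refs(SAMPLE):
        print(f"line {line_no}: {ref}: {reason}")
```

Run against each file that names a base image and fail the build when the returned list is non-empty.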

…633)

Breaks the C-001 supply-chain chain (unpinned BASE_IMAGE -> build-time RCE ->
exfiltration of committed RSA test keys and source tree).

- .buildkite/pipeline.yml: pin all three test base images (ruby 2.6/2.7/3.0
  -alpine) to immutable @sha256 digests, so the trusted CI path cannot have a
  mutable tag swapped for a malicious image.
- Makefile: digest-pin the default BASE_IMAGE for local `make build`.
- Add .dockerignore to keep .git/.github/.buildkite and env files out of the
  build context (spec/ is intentionally kept — `make test` runs rspec inside
  the container and needs the SSL fixtures there).

Follow-ups noted on the ticket (out of scope here, higher risk / ops): commit
Gemfile.lock + `bundle install --frozen`, and rotate the committed test RSA
keys / confirm trusted-ca.crt is absent from any prod/staging trust store.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Shivanshu-07 Shivanshu-07 requested a review from a team as a code owner June 12, 2026 17:11
@Shivanshu-07 (Author)

Impact analysis + automated review

Impact — no existing functionality breaks. Docker base images are digest-pinned to the same Ruby patch versions (verified against Docker Hub), and the new .dockerignore keeps everything bundle install/rspec need (Gemfile, lib/, .gemspec, spec/ incl. SSL fixtures). The gem ships via gem build/gem push, fully decoupled from Docker — the image is test-harness only, so downstream consumers are unaffected.

/stack:pr-review: PASS — no Critical/High findings. Minor follow-ups (non-blocking, pre-existing): EOL Ruby versions and uncommitted Gemfile.lock are noted for a separate ticket.
