✨ Use crane to add hash suggestion to unpinned Docker images #2037
Codecov Report

@@            Coverage Diff             @@
##             main    #2037      +/-   ##
==========================================
+ Coverage   42.03%   44.66%   +2.63%
==========================================
  Files          92       92
  Lines        7554     7563       +9
==========================================
+ Hits         3175     3378     +203
+ Misses       4130     3930     -200
- Partials      249      255       +6
@spencerschrock Thanks! Is this PR going to provide only SHA for Linux/amd64? Crane provides an option to https://github.com/google/go-containerregistry/blob/d187a716b559771a3768caa9c4dba796cb4650b3/pkg/v1/platform.go#L24 https://github.com/google/go-containerregistry/blob/d187a716b559771a3768caa9c4dba796cb4650b3/pkg/crane/digest.go#L20

    type Platform struct {
        Architecture string   `json:"architecture"`
        OS           string   `json:"os"`
        OSVersion    string   `json:"os.version,omitempty"`
        OSFeatures   []string `json:"os.features,omitempty"`
        Variant      string   `json:"variant,omitempty"`
        Features     []string `json:"features,omitempty"`
    }

We pass the OS and Architecture, which should provide us with other platforms if there are any. This will not limit us to Linux/amd64. For example, the community is moving to arm64: https://cloud.google.com/blog/products/containers-kubernetes/gke-supports-new-arm-based-tau-t2a-vms

On that note, we should have standard comment blocks for these remediations. We would need some standard prefix for our recommendations so that customers can grep for it. Thoughts?
I was aware of the
+1
+1, the JSON should do that for free. /cc @raghavkaul
And to address @naveensrinivasan's earlier point:
Thanks. Maybe add a few unit tests for the formatting part.
* Use crane to add hash suggestion to unpinned Docker images
* Add nil check before dereferencing name for image digest
* Reformat changes to comply with linter
* Add basic remediation for dockerfile pinning
* Deduplicate remediation code
* Remove reference to linux/amd64, as crane digest should be universal
* add remediation info to scorecard output. switch to using strings.Builder for more maintainable logic
What kind of change does this PR introduce?
This PR attempts to address an enhancement in #967
What is the current behavior?
A warning is generated when a Docker dependency is not pinned.
What is the new behavior (if this is a feature change)?
A hash is now provided, as determined by crane.
Which issue(s) this PR fixes
Fixes #967
Special notes for your reviewer
NONE
Does this PR introduce a user-facing change?
For user-facing changes, please add a concise, human-readable release note to the release-note
(In particular, describe what changes users might need to make in their application as a result of this pull request.)
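The behaviour this PR describes (resolve each unpinned FROM image to a digest and suggest the pinned form, with the platform question from the discussion handled by whatever resolver is injected), as an added example that is not the PR's or scorecard's own code: the resolver is crane.Digest in the PR, while here a constructed fakeDigest stub is used so it runs offline, and build-stage aliases, scratch and already-pinned references are skipped. FindUnpinned, DigestResolver, fakeDigest and the sample Dockerfile are assumptions made for this example.

```go
package main

import (
	"errors"
	"strings"
)

// DigestResolver maps an image reference such as "alpine:3.16" to its manifest
// digest. In the PR this is crane.Digest; fakeDigest below is a constructed stub.
type DigestResolver func(ref string) (string, error)

// FindUnpinned maps each unpinned FROM image to its suggested pinned form ("" if unresolved).
func FindUnpinned(dockerfile string, resolve DigestResolver) map[string]string {
	out, stages := map[string]string{}, map[string]bool{}
	for _, raw := range strings.Split(dockerfile, "\n") {
		f := append(strings.Fields(raw), "") // sentinel keeps f[0] and args[0] safe
		if !strings.EqualFold(f[0], "FROM") {
			continue
		}
		args := f[1:]
		for strings.HasPrefix(args[0], "--") {
			args = args[1:] // skip flags such as --platform=linux/arm64
		}
		image, isStage := args[0], stages[args[0]]
		if len(args) >= 3 && strings.EqualFold(args[1], "AS") {
			stages[args[2]] = true // later "FROM <alias>" lines refer to this stage
		}
		if image == "" || image == "scratch" || isStage || strings.Contains(image, "@sha256:") {
			continue // no registry digest to resolve: stage alias, scratch, or already pinned
		}
		out[image] = "" // digest unknown unless resolved below
		if d, err := resolve(image); err == nil {
			out[image] = image + "@" + d
		}
	}
	return out
}

// fakeDigest stands in for crane.Digest using constructed sample data.
func fakeDigest(ref string) (string, error) {
	if ref == "alpine:3.16" {
		return "sha256:" + strings.Repeat("ab", 32), nil
	}
	return "", errors.New("manifest unknown: " + ref)
}

func main() {
	println(FindUnpinned("FROM alpine:3.16 AS build\nFROM build\n", fakeDigest)["alpine:3.16"])
}
```

An image whose digest cannot be resolved is still reported, with an empty suggestion, so the unpinned warning is never silently dropped.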