diff --git a/Dockerfile b/Dockerfile
index cc48932cdbaa..3706f66a25e5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine
+FROM alpine:3.17.2@sha256:e2e16842c9b54d985bf1ef9242a313f36b856181f188de21313820e177002501
 LABEL maintainer="Fleet Developers"
 RUN apk --update add ca-certificates
diff --git a/Dockerfile-desktop-linux b/Dockerfile-desktop-linux
index 8ae5e49548ab..b574cac63367 100644
--- a/Dockerfile-desktop-linux
+++ b/Dockerfile-desktop-linux
@@ -1,4 +1,4 @@
-FROM --platform=linux/amd64 golang:1.20.1-bullseye
+FROM --platform=linux/amd64 golang:1.20.1-bullseye@sha256:745aa72cefb6f9527c1588590982c0bdf85a1be5d611dda849e54b5dbf551506
 LABEL maintainer="Fleet Developers"
 RUN apt-get update && apt-get install -y \
diff --git a/Dockerfile.osquery-perf b/Dockerfile.osquery-perf
index 5ab78774a903..fa92bf802e11 100644
--- a/Dockerfile.osquery-perf
+++ b/Dockerfile.osquery-perf
@@ -1,4 +1,4 @@
-FROM golang:1.20.1-alpine
+FROM golang:1.20.1-alpine@sha256:18da4399cedd9e383beb6b104d43aa1d48bd41167e312bb5306d72c51bd11548
 ARG ENROLL_SECRET
 ARG HOST_COUNT
diff --git a/changes/pin-dockerfiles b/changes/pin-dockerfiles
new file mode 100644
index 000000000000..378e559511fe
--- /dev/null
+++ b/changes/pin-dockerfiles
@@ -0,0 +1 @@
+- Pin Docker image hashes in Dockerfiles for increased security.
diff --git a/infrastructure/sandbox/JITProvisioner/deprovisioner/Dockerfile b/infrastructure/sandbox/JITProvisioner/deprovisioner/Dockerfile
index 8483908fc6f1..edd6ec542e7d 100644
--- a/infrastructure/sandbox/JITProvisioner/deprovisioner/Dockerfile
+++ b/infrastructure/sandbox/JITProvisioner/deprovisioner/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.19.4-alpine AS builder
+FROM golang:1.19.4-alpine@sha256:86d32cc0dfc04757fd8aeebb86308e6d1e3de60c73cb59e0f99c7b2ef77416b6 AS builder
 RUN apk update && apk add --no-cache git curl openssl unzip
 WORKDIR /build
 COPY . .
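Review bot: The new digest-pinned `FROM alpine:3.17.2@sha256:…` line (and the equivalent lines in every other Dockerfile in this commit) carries no note on how the pin is meant to be refreshed, and a digest only buys reproducibility while someone actually re-resolves it; otherwise the image quietly stops picking up base-image fixes that the old floating tag used to deliver. A one-line comment above the `FROM`, e.g. `# Base image pinned by digest; bump the tag and the digest together`, tells the next maintainer that the two halves must move as a pair. Wiring a digest-aware updater such as Dependabot or Renovate for the Dockerfiles would turn those bumps into reviewed pull requests rather than something that has to be remembered.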
diff --git a/infrastructure/sandbox/JITProvisioner/lambda/Dockerfile b/infrastructure/sandbox/JITProvisioner/lambda/Dockerfile
index b7e0913b6255..ac1ca4c98ba5 100644
--- a/infrastructure/sandbox/JITProvisioner/lambda/Dockerfile
+++ b/infrastructure/sandbox/JITProvisioner/lambda/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.19.4-alpine AS builder
+FROM golang:1.19.4-alpine@sha256:86d32cc0dfc04757fd8aeebb86308e6d1e3de60c73cb59e0f99c7b2ef77416b6 AS builder
 WORKDIR /build
 COPY . .
 RUN go get -d -v
diff --git a/infrastructure/sandbox/Monitoring/lambda/Dockerfile b/infrastructure/sandbox/Monitoring/lambda/Dockerfile
index ad9e4cba114e..99e0191a656a 100644
--- a/infrastructure/sandbox/Monitoring/lambda/Dockerfile
+++ b/infrastructure/sandbox/Monitoring/lambda/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.19.4-alpine AS builder
+FROM golang:1.19.4-alpine@sha256:86d32cc0dfc04757fd8aeebb86308e6d1e3de60c73cb59e0f99c7b2ef77416b6 AS builder
 WORKDIR /build
 COPY . .
 RUN go get -d -v
diff --git a/infrastructure/sandbox/PreProvisioner/lambda/Dockerfile b/infrastructure/sandbox/PreProvisioner/lambda/Dockerfile
index 9edd16cb0b9c..73c13897e8cd 100644
--- a/infrastructure/sandbox/PreProvisioner/lambda/Dockerfile
+++ b/infrastructure/sandbox/PreProvisioner/lambda/Dockerfile
@@ -1,4 +1,4 @@
-FROM rust:latest AS builder
+FROM rust:latest@sha256:02a53e734724bef4a58d856c694f826aa9e7ea84353516b76d9a6d241e9da60e AS builder
 ARG transporter_url=https://itunesconnect.apple.com/WebObjects/iTunesConnect.woa/ra/resources/download/public/Transporter__Linux/bin
@@ -6,7 +6,7 @@ RUN cargo install --version 0.16.0 apple-codesign \
 && curl -sSf $transporter_url -o transporter_install.sh \
 && sh transporter_install.sh --target transporter --accept --noexec
-FROM golang:1.19.4-bullseye
+FROM golang:1.19.4-bullseye@sha256:9d235ae41bff699b44255bf912e77acac5046b06e61b018561239a35d9bd2ebb
 RUN apt-get update \
 && dpkg --add-architecture i386 \
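Review bot: `FROM rust:latest@sha256:02a53e7…` in the PreProvisioner builder stage pins a floating tag: when a digest is present the registry resolves by digest and the tag is effectively ignored, so `latest` now names an image that will never move while reading as if it tracks upstream, and update tooling has no version to bump against. The identical line is added in `tools/fleetctl-docker/Dockerfile`. Replace the tag with the concrete version the digest resolves to, e.g. `FROM rust:<version>@sha256:02a53e734724bef4a58d856c694f826aa9e7ea84353516b76d9a6d241e9da60e AS builder` (`<version>` to be read from the registry; not resolved here). Separately, the context lines in the second hunk still fetch an installer with `curl -sSf $transporter_url -o transporter_install.sh` and run it with `sh` without comparing it against a recorded checksum, so that stage is not reproducible even with its base image pinned; verifying the download would close the gap this commit is aiming at.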
diff --git a/tools/bomutils-docker/Dockerfile b/tools/bomutils-docker/Dockerfile
index a692c7a229b5..2027428bec8d 100644
--- a/tools/bomutils-docker/Dockerfile
+++ b/tools/bomutils-docker/Dockerfile
@@ -1,4 +1,4 @@
-FROM debian:stable-slim AS builder
+FROM debian:stable-slim@sha256:0f116858482fd8222b4f7e9b4cdc9a054051e67fbb8a57bc22651f0d56b45ad8 AS builder
 RUN apt-get update
 RUN apt-get install -y build-essential autoconf libxml2-dev libssl-dev zlib1g-dev curl
@@ -19,7 +19,7 @@ COPY patch.txt .
 RUN cd xar-xar-1.6.1/xar && patch < ../../patch.txt && autoconf && ./configure && make && make install
-FROM debian:stable-slim
+FROM debian:stable-slim@sha256:0f116858482fd8222b4f7e9b4cdc9a054051e67fbb8a57bc22651f0d56b45ad8
 RUN apt-get update && apt-get install -y --no-install-recommends libxml2 && rm -rf /var/lib/apt/lists/*
 COPY --from=builder /usr/bin /usr/bin/
diff --git a/tools/fleetctl-docker/Dockerfile b/tools/fleetctl-docker/Dockerfile
index 4da4cb683439..10cbdf70fc5b 100644
--- a/tools/fleetctl-docker/Dockerfile
+++ b/tools/fleetctl-docker/Dockerfile
@@ -1,4 +1,4 @@
-FROM rust:latest AS builder
+FROM rust:latest@sha256:02a53e734724bef4a58d856c694f826aa9e7ea84353516b76d9a6d241e9da60e AS builder
 ARG transporter_url=https://itunesconnect.apple.com/WebObjects/iTunesConnect.woa/ra/resources/download/public/Transporter__Linux/bin
@@ -6,7 +6,7 @@ RUN cargo install --version 0.16.0 apple-codesign \
 && curl -sSf $transporter_url -o transporter_install.sh \
 && sh transporter_install.sh --target transporter --accept --noexec
-FROM debian:stable-slim
+FROM debian:stable-slim@sha256:0f116858482fd8222b4f7e9b4cdc9a054051e67fbb8a57bc22651f0d56b45ad8
 ARG binpath=build/binary-bundle/linux/fleetctl
diff --git a/tools/wix-docker/Dockerfile b/tools/wix-docker/Dockerfile
index 5f2c281d468d..cc6889eddcbe 100644
--- a/tools/wix-docker/Dockerfile
+++ b/tools/wix-docker/Dockerfile
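Review bot: `FROM debian:stable-slim@sha256:0f11685…` in the bomutils builder stage freezes a floating alias: `stable` follows whichever Debian release is current, so the tag will in time name a different release than the digest actually delivers, and a reader of the Dockerfile will misjudge what the image contains. The same digest is used for the runtime stage in this file's second hunk and for the runtime stage in `tools/fleetctl-docker/Dockerfile`. Name the release the digest resolves to, e.g. `FROM debian:<codename>-slim@sha256:0f116858482fd8222b4f7e9b4cdc9a054051e67fbb8a57bc22651f0d56b45ad8 AS builder` (`<codename>` to be confirmed from the registry), which is what `tools/wix-docker/Dockerfile` already does with `bullseye-slim`.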
@@ -1,4 +1,4 @@
-FROM debian:bullseye-slim
+FROM debian:bullseye-slim@sha256:cc4cc29b4ba8182fca324920f64ff68a3b24acefd4c7ba8a2e5bd4e81ac3bacf
 RUN true \
 && dpkg --add-architecture i386 \