Signed-off-by: Gagan H R <hrgagan4@gmail.com>
Signed-off-by: Gagan H R <hrgagan4@gmail.com>
… un-platformed SBOMs (guacsec#2837) Signed-off-by: Gagan H R <hrgagan4@gmail.com>
…uacsec#2836) Signed-off-by: Gagan H R <hrgagan4@gmail.com>
Signed-off-by: Gagan H R <hrgagan4@gmail.com>
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 8.0.0 to 9.0.0. - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](golangci/golangci-lint-action@4afd733...0a35821) --- updated-dependencies: - dependency-name: golangci/golangci-lint-action dependency-version: 9.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 5.0.0. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@ea165f8...330a01c) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.20.8 to 0.20.9. - [Release notes](https://github.com/anchore/sbom-action/releases) - [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md) - [Commits](anchore/sbom-action@aa0e114...8e94d75) --- updated-dependencies: - dependency-name: anchore/sbom-action dependency-version: 0.20.9 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…uacsec#2849) Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.16.2 to 5.16.5. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](go-git/go-git@v5.16.2...v5.16.5) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-version: 5.16.5 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps arigaio/atlas from `ca1b554` to `11aed4d`. --- updated-dependencies: - dependency-name: arigaio/atlas dependency-version: latest-alpine dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.42.0 to 0.45.0. - [Commits](golang/crypto@v0.42.0...v0.45.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-version: 0.45.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 5.0.0 to 6.0.0. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](actions/download-artifact@634f93c...018cc2c) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* feat(oci): support for insecure registries Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com> * feat(oci): deduplicate logic between CLI utilities Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com> * feat(oci): refactor for options pattern Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com> --------- Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
guacsec#2851) Bumps arigaio/atlas from `99c60db` to `cc4e357`. --- updated-dependencies: - dependency-name: arigaio/atlas dependency-version: latest-alpine dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 5.0.0 to 5.0.1. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@08c6903...93cb6ef) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 5.0.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
guacsec#2852) Bumps arigaio/atlas from `cc4e357` to `ea9e22d`. --- updated-dependencies: - dependency-name: arigaio/atlas dependency-version: latest-alpine dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
guacsec#2853) Bumps arigaio/atlas from `ea9e22d` to `5573367`. --- updated-dependencies: - dependency-name: arigaio/atlas dependency-version: latest-alpine dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
guacsec#2860) Bumps arigaio/atlas from `5573367` to `6ca0fd7`. --- updated-dependencies: - dependency-name: arigaio/atlas dependency-version: latest-alpine dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…uacsec#2858) Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.11.1 to 3.12.0. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](docker/setup-buildx-action@e468171...8d2750c) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-version: 3.12.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 6.0.0 to 6.2.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@4469467...7a3fe6c) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: 6.2.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…acsec#2857) Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.33.1 to 0.34.0. - [Release notes](https://github.com/aquasecurity/trivy-action/releases) - [Commits](aquasecurity/trivy-action@b6643a2...c1824fd) --- updated-dependencies: - dependency-name: aquasecurity/trivy-action dependency-version: 0.34.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…csec#2859) Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.18.0 to 6.19.2. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](docker/build-push-action@2634353...10e90e3) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-version: 6.19.2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/cache](https://github.com/actions/cache) from 4.3.0 to 5.0.3. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@0057852...cdf6c1f) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 5.0.3 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
guacsec#2864) Bumps arigaio/atlas from `6ca0fd7` to `620a891`. --- updated-dependencies: - dependency-name: arigaio/atlas dependency-version: latest-alpine dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…on error (guacsec#2863) Signed-off-by: Gagan H R <hrgagan4@gmail.com>
guacsec#2865) Bumps arigaio/atlas from `620a891` to `a3fda39`. --- updated-dependencies: - dependency-name: arigaio/atlas dependency-version: latest-alpine dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
guacsec#2868) Bumps arigaio/atlas from `a3fda39` to `954aef4`. --- updated-dependencies: - dependency-name: arigaio/atlas dependency-version: latest-alpine dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
guacsec#2869) Bumps arigaio/atlas from `954aef4` to `79951f8`. --- updated-dependencies: - dependency-name: arigaio/atlas dependency-version: latest-alpine dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
| @@ -1,4 +1,4 @@ | |||
| FROM arigaio/atlas:latest-alpine@sha256:ca1b55488c2519cce6ce273caf15017afde7c150acc88f8ea84e47728664e665 | |||
| FROM arigaio/atlas:latest-alpine@sha256:79951f86640b7d878ed55be45a99aab5c4da10c364db12ba34cc7e90af1c0a37 | |||
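Review bot: the only change in this hunk is the sha256 digest on the `FROM arigaio/atlas:latest-alpine@...` line, and since the `latest-alpine` tag is mutable, that digest is the only thing that fixes which image gets built; the commit message (guacsec#2869) names just two abbreviated digests, so suggest recording the upstream Atlas release or commit that `79951f86...` corresponds to (or a link to it) so a reviewer can verify provenance rather than accepting the bump blindly. The reply further down states this Dockerfile is not in use; if that is the case, removing the file would end the recurring dependabot digest bumps and the repeated base-image finding on every one of them.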
Semgrep identified a blocking 🔴 issue in your code:
This Dockerfile is not using an approved base image. See https://go/baseimageupgrades. If you need to add your image to approved base images, update the rule at https://github.com/verkada/securitybots/blob/main/semgrep/rules/verkada-dockerfile-use-approved-base-image.yaml and submit a PR. Also update notion page accordingly.
To resolve this comment:
✨ Commit Assistant Fix Suggestion
- Replace the current `FROM arigaio/atlas:latest-alpine@sha256:...` line with an approved Verkada base image from the approved images list, such as `505834710180.dkr.ecr.us-west-2.amazonaws.com/verkada/alpine-base` or another that meets your OS/runtime requirements.
- Reinstall any required dependencies or tools in your Dockerfile that the previous base image provided but the approved Verkada image does not include by default. For example, you may need to manually install Atlas binaries and entrypoint scripts.
- Review your Dockerfile and application to ensure all necessary migration and runtime functionality is still present with the approved base image.
Alternatively, if you need to use a custom or third-party image, discuss with the security or infrastructure team about getting it reviewed and added to the list of approved base images.
Using only approved base images helps ensure images are regularly scanned, updated, and maintained for critical security patches.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
- `/fp <comment>` for false positive
- `/ar <comment>` for acceptable risk
- `/other <comment>` for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by verkada-dockerfile-use-approved-base-image.
You can view more details about this finding in the Semgrep AppSec Platform.
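The approved-base-image check that the Semgrep finding above enforces can be expressed as a small stand-alone Dockerfile linter. The following is an added example written for this page; it is not the `verkada-dockerfile-use-approved-base-image` rule, nor code from the GUAC project. It assumes an allowlist containing only the approved image named in the comment, uses the `arigaio/atlas` FROM line from the diff as one sample input, and goes a step beyond the rule's allowlist check by also flagging FROM lines that are not pinned by a `sha256` digest, since a tag such as `latest-alpine` is mutable and the digest is what actually fixes the build input. The digest on the approved image in the sample is a constructed placeholder, not a published one.

```python
import re
from dataclasses import dataclass

# Constructed allowlist for this example: the one approved image named in the
# Semgrep comment. The real list lives in the organisation's rule file.
APPROVED_BASE_IMAGES = {
    "505834710180.dkr.ecr.us-west-2.amazonaws.com/verkada/alpine-base",
}

# A Dockerfile FROM instruction: optional --platform flag, the image reference,
# and an optional "AS <stage>" alias for multi-stage builds.
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


@dataclass
class Finding:
    line: int
    image: str
    problem: str


def parse_reference(ref: str):
    """Split an image reference into (repository, tag, digest).

    The tag separator is the last ':' after the last '/', so a registry port
    such as localhost:5000/app is not mistaken for a tag.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    if ref.rfind(":") > ref.rfind("/"):
        ref, tag = ref.rsplit(":", 1)
    return ref, tag, digest


def check_dockerfile(text: str, approved=APPROVED_BASE_IMAGES):
    """Return a Finding for every FROM line that pulls an unapproved or
    unpinned base image. References to earlier build stages are skipped."""
    findings = []
    stages = set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        repo, tag, digest = parse_reference(ref)
        if m.group("stage"):
            stages.add(m.group("stage").lower())
        # "FROM <stage>" re-uses an image already checked on its own line.
        if tag is None and digest is None and repo.lower() in stages:
            continue
        if repo not in approved:
            findings.append(Finding(lineno, ref, "base image not in approved list"))
        if digest is None:
            findings.append(Finding(lineno, ref, "base image not pinned by digest"))
        elif not DIGEST_RE.fullmatch(digest):
            findings.append(Finding(lineno, ref, "malformed digest"))
    return findings


# Constructed sample inputs. The first reproduces the FROM line from the diff
# in this PR; the digest on the approved image is a placeholder (64 zeros).
UNAPPROVED_DOCKERFILE = """\
FROM arigaio/atlas:latest-alpine@sha256:79951f86640b7d878ed55be45a99aab5c4da10c364db12ba34cc7e90af1c0a37
COPY migrations /migrations
"""

APPROVED_DOCKERFILE = """\
FROM 505834710180.dkr.ecr.us-west-2.amazonaws.com/verkada/alpine-base:3.20@sha256:{d} AS base
RUN apk add --no-cache ca-certificates
FROM base
COPY migrations /migrations
""".format(d="0" * 64)

UNPINNED_DOCKERFILE = """\
FROM 505834710180.dkr.ecr.us-west-2.amazonaws.com/verkada/alpine-base:3.20
"""

if __name__ == "__main__":
    for name, content in [("unapproved", UNAPPROVED_DOCKERFILE),
                          ("approved", APPROVED_DOCKERFILE),
                          ("unpinned", UNPINNED_DOCKERFILE)]:
        for f in check_dockerfile(content):
            print(f"{name}:{f.line}: {f.problem}: {f.image}")
```

Run as a script it prints one finding for the Atlas Dockerfile (unapproved repository, digest pin accepted), none for the compliant multi-stage file, and an unpinned-digest finding for the approved image that uses only a tag. Matching on the repository rather than the full reference is deliberate: the allowlist approves a repository the organisation scans and rebuilds, while the digest pin is what makes a given build reproducible.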
/fp we are not using this dockerfile
Merge main to Verkada-Main