
fix: pin Docker base images to SHA256 digests#2040

Merged
SamMorrowDrums merged 1 commit into main from fix/pin-docker-image-shas
Feb 18, 2026

Conversation

@SamMorrowDrums (Collaborator) commented Feb 18, 2026

Summary

Pin all three Dockerfile base images to their SHA256 digests to resolve code scanning alerts #14 and #15 for unpinned Docker images.

Changes

  • node:20-alpine → pinned to digest (alert #14)
  • golang:1.25.7-alpine → pinned to digest (alert #15)
  • gcr.io/distroless/base-debian12 → pinned to digest (proactive)

The Dependabot docker ecosystem is already configured in .github/dependabot.yml and will automatically create PRs to update these digests.

Pin all three Dockerfile base images to their SHA256 digests to resolve
code scanning alerts for unpinned Docker images. Dependabot docker
ecosystem is already configured and will keep these digests up to date.

- node:20-alpine (alert #14)
- golang:1.25.7-alpine (alert #15)
- gcr.io/distroless/base-debian12 (proactive)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings February 18, 2026 15:40
@SamMorrowDrums SamMorrowDrums requested a review from a team as a code owner February 18, 2026 15:40
Copilot AI (Contributor) left a comment

Pull request overview

This PR pins Docker base images to their SHA256 digests to address security scanning alerts and improve supply chain security. This prevents image tags from being silently updated and ensures deterministic builds.

Changes:

  • Pin node:20-alpine, golang:1.25.7-alpine, and gcr.io/distroless/base-debian12 base images to their SHA256 digests
  • Resolves code scanning alerts #14 and #15
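
The PR description and the review summary above both turn on the same mechanism: a `FROM image:tag` line resolves to whatever the registry currently serves under that tag, while `FROM image:tag@sha256:<digest>` can only ever resolve to one manifest, so a tag being repointed upstream cannot silently change what the build pulls. The script below is an added example for this discussion, not code from the repository or from the PR: it lints a Dockerfile for FROM lines that pull from a registry without a digest (skipping `scratch` and references to earlier build stages, which fetch nothing) and rewrites them into the pinned form. The Dockerfile text uses the three base images named in the PR but is otherwise constructed, and the digests are placeholders, not the values the PR committed.

```python
"""Lint and pin Dockerfile FROM lines.

Added example for this PR discussion; it is not code from the project's
repository. The Dockerfile text and the digests below are constructed
placeholders, not the real digests the PR committed.
"""
import re

# FROM [--platform=<p>] <image> [AS <stage>]
# where <image> is name[:tag][@sha256:<64 hex digits>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<image>\S+)"
    r"(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def unpinned_base_images(dockerfile_text):
    """Return [(line_no, image_ref)] for every FROM line that pulls a
    registry image by tag (or with no tag at all) without an @sha256 digest.

    References to an earlier build stage (FROM builder) and to `scratch`
    are skipped: nothing is fetched from a registry for those."""
    stages = set()
    findings = []
    for line_no, line in enumerate(dockerfile_text.splitlines(), start=1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, stage = m.group("image"), m.group("stage")
        if stage:
            stages.add(stage.lower())
        if image.lower() in stages or image.lower() == "scratch":
            continue
        if not DIGEST_RE.search(image):
            findings.append((line_no, image))
    return findings


def pin_dockerfile(dockerfile_text, digests):
    """Rewrite the tag-only FROM references listed in `digests`
    (image_ref -> 64-hex sha256) into the image_ref@sha256:<digest> form.

    Only the image token is touched, so the result is the one-line-per-FROM
    diff a reviewer expects from a pinning PR."""
    out = []
    for line in dockerfile_text.splitlines(keepends=True):
        m = FROM_RE.match(line)
        if m and m.group("image") in digests:
            image = m.group("image")
            start, end = m.span("image")
            line = f"{line[:start]}{image}@sha256:{digests[image]}{line[end:]}"
        out.append(line)
    return "".join(out)


# Constructed sample: the three base images the PR pins, still referenced by
# tag only, which is the state code-scanning alerts #14 and #15 flagged.
UNPINNED_DOCKERFILE = """\
FROM node:20-alpine AS ui-build
WORKDIR /ui
RUN npm ci && npm run build

FROM golang:1.25.7-alpine AS go-build
WORKDIR /src
RUN go build -o /out/server .

FROM gcr.io/distroless/base-debian12
COPY --from=go-build /out/server /server
COPY --from=ui-build /ui/dist /ui
ENTRYPOINT ["/server"]
"""

# PLACEHOLDER digests (64 hex chars each), not the real ones. In practice
# `docker buildx imagetools inspect node:20-alpine` prints the digest to pin.
PLACEHOLDER_DIGESTS = {
    "node:20-alpine": "a" * 64,
    "golang:1.25.7-alpine": "b" * 64,
    "gcr.io/distroless/base-debian12": "c" * 64,
}

if __name__ == "__main__":
    for line_no, image in unpinned_base_images(UNPINNED_DOCKERFILE):
        print(f"line {line_no}: unpinned base image {image}")
    pinned = pin_dockerfile(UNPINNED_DOCKERFILE, PLACEHOLDER_DIGESTS)
    assert unpinned_base_images(pinned) == []
    print(pinned)
```

For multi-architecture images, pin the digest of the manifest list (the index digest that `docker buildx imagetools inspect image:tag` reports), not the digest of one platform's manifest; pinning the latter breaks builds on the other platforms. Keeping the tag in front of the digest, as the PR does, costs nothing at build time and tells Dependabot's `docker` ecosystem which release line a digest-update PR should follow.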

@SamMorrowDrums SamMorrowDrums merged commit 5e1c94b into main Feb 18, 2026
19 of 21 checks passed
@SamMorrowDrums SamMorrowDrums deleted the fix/pin-docker-image-shas branch February 18, 2026 16:06