chore: base image digest bump 2026-05-20 #71

Merged: mrhallak merged 1 commit into master from chore/base-image-digest-bump-20260520 on May 20, 2026
Conversation

@mrhallak mrhallak commented May 20, 2026

Summary

Automated pinning of Dockerfile base images to their latest patched digests to clear ECR container CVEs in glibc, dpkg, libcap2, nghttp2, openssh, sudo, and related OS packages.

| Dockerfile | Base | New digest |
| --- | --- | --- |
| `Dockerfile` | `python:3.7.4-slim-stretch` | `sha256:34a714de` |
| `dockers/airflow/Dockerfile` | `python:3.7-slim` | `sha256:b53f496c` |
| `dockers/dagger_ui/Dockerfile` | `python:3.8-slim` | `sha256:1d52838a` |

OS-upgrade steps added:

  • `Dockerfile` — added `RUN apt-get update -yq && apt-get upgrade -yq && rm -rf /var/lib/apt/lists/*` after FROM.
  • `dockers/dagger_ui/Dockerfile` — added same step after FROM (existing `apt-get` block was commented out).
  • `dockers/airflow/Dockerfile` — unchanged, already runs `apt-get upgrade -yq`.

⚠️ Note: `Dockerfile` uses `python:3.7.4-slim-stretch` (Debian 9, EOL since 2022). Its CI build may fail at apt time because `deb.debian.org` no longer serves stretch packages — they've moved to `archive.debian.org`. The digest pin still records a baseline; if the build is in active use, consider migrating to a supported Python/Debian version separately.

ECR scan verification (pre-merge)

| Dockerfile | Base used | HIGH | CRITICAL | Outcome |
| --- | --- | --- | --- | --- |
| `Dockerfile` | | | | scan-skipped: local-only |
| `dockers/airflow/Dockerfile` | | | | scan-skipped: local-only |
| `dockers/dagger_ui/Dockerfile` | | | | scan-skipped: local-only |

The Makefile has `build-airflow` / `build-dagger_ui` for local Airflow testing only — no `docker-push` target wires these to a chodatastg ECR repo, so Vanta doesn't see them. The pin still applies as a baseline.

Tests

Ran `make test` locally (pytest with `ENV=local` and `AIRFLOW_HOME` set to the fixtures dir, as per the Makefile target) — 93 passed, 2 skipped, exit 0.

Test plan

  • CI green
  • If the `Dockerfile` (stretch) build fails on apt, follow up with a base-version migration

Pin 3 Dockerfile base images to freshly patched digests to clear ECR
OS-package CVEs (glibc, dpkg, libcap2, nghttp2, openssh, sudo, ...).

Pinned digests:
- python:3.7.4-slim-stretch@sha256:34a714de (1 Dockerfile)
- python:3.7-slim@sha256:b53f496c (1 Dockerfile)
- python:3.8-slim@sha256:1d52838a (1 Dockerfile)

OS-upgrade steps added:
- Dockerfile — added `apt-get update && apt-get upgrade` after FROM
- dockers/dagger_ui/Dockerfile — added `apt-get update && apt-get upgrade` after FROM (existing block was commented out)

Note: python:3.7.4-slim-stretch is Debian 9 (EOL); its CI build may fail
at apt time because the deb.debian.org repositories no longer carry stretch.
The digest pin is recorded regardless for the ECR scan baseline.
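As an added check (example code, not part of this PR or the repository): a small parser that walks a Dockerfile's `FROM` lines and reports which bases are pinned by a full sha256 digest and which still resolve by tag, treating abbreviated digests (the form the PR table displays) and `ARG`-supplied bases as unpinned. The sample Dockerfile text is constructed and its 64-character digest is a placeholder, not one of the PR's real digests.

```python
import re

# A FROM line: optional --platform flag, the image reference, optional "AS <stage>".
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)
# A content-pinned reference: name[:tag]@sha256:<64 lowercase hex digits>.
DIGEST_RE = re.compile(r"^[^@\s]+@sha256:[0-9a-f]{64}$")

def check_dockerfile(text):
    """Return (line_no, ref, pinned, reason) for every FROM line; earlier build stages count as pinned."""
    results, stages = [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(raw)
        if not m:
            continue
        ref, stage = m.group("ref"), m.group("stage")
        if ref.lower() in stages:
            ok, why = True, "references an earlier build stage"
        elif ref.startswith("$"):
            ok, why = False, "base comes from an ARG; cannot verify statically"
        elif DIGEST_RE.match(ref):
            ok, why = True, "pinned to a full sha256 digest"
        elif "@sha256:" in ref:
            ok, why = False, "digest is abbreviated; Docker needs all 64 hex digits"
        else:
            ok, why = False, "tag only; resolves to whatever the tag points at today"
        results.append((n, ref, ok, why))
        if stage:
            stages.add(stage.lower())
    return results

def unpinned(text):
    """Human-readable findings for FROM lines that are not content-pinned."""
    return [f"line {n}: {ref} ({why})" for n, ref, ok, why in check_dockerfile(text) if not ok]

# Constructed sample (the 64-char digest is a placeholder, not one of the PR's real digests),
# laid out like the PR: a pinned FROM followed by the apt upgrade step, then unpinned variants.
SAMPLE = (
    "ARG BASE=python:3.8-slim\n"
    "FROM python:3.8-slim@sha256:" + "a" * 64 + " AS builder\n"
    "RUN apt-get update -yq && apt-get upgrade -yq && rm -rf /var/lib/apt/lists/*\n"
    "FROM builder AS test\n"
    "FROM python:3.7.4-slim-stretch@sha256:34a714de\n"  # abbreviated, as the PR table displays it
    "FROM python:3.7-slim\n"
    "FROM ${BASE}\n"
)
```

Running `unpinned(SAMPLE)` yields three findings (the abbreviated digest, the tag-only base, and the ARG base); the digest-pinned stage and the stage reference pass.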
@mrhallak mrhallak requested a review from a team as a code owner May 20, 2026 08:28
@mrhallak mrhallak merged commit 00daf20 into master May 20, 2026
2 checks passed