GFD-2481 model engine internal CVE remediation#838

Open
astringel wants to merge 3 commits into
mainfrom
pubsect/GFD-2481-model-engine-internal-cve-remediation
Open

GFD-2481 model engine internal CVE remediation#838
astringel wants to merge 3 commits into
mainfrom
pubsect/GFD-2481-model-engine-internal-cve-remediation

Conversation

@astringel astringel commented Jun 15, 2026

Collaborator

Remediates 3 Critical and 34 High severity Trivy CVEs in the apps/model-engine-internal FIPS image (ipv4-pr758-61262d88-amd64), the single largest CVE contributor in the June 9 net-new scan (214 total Critical+High findings across dev, FedRAMP prod, IL5 prod, and shared-inference).

Changes:

  • model-engine/Dockerfile.fips — upgrades aws-iam-authenticator from v0.5.9 → v0.7.11, resolving 4 High Go stdlib CVEs (CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-42504) introduced by the old binary's embedded Go 1.17/1.18 toolchain
  • model-engine/Dockerfile.fips — bumps the Chainguard base image from cgr.dev/scale.com/python-fips:3.10.19-dev to the latest available 3.10.x-dev tag, replacing the Debian OS package tree (libgnutls30, linux-libc-dev, libpython3.11, openssh, libcap2, libkrb5) with patched Alpine equivalents and eliminating the remaining Critical and majority of High findings
  • model-engine/requirements.txt — bumps mako from 1.2.4 → 1.3.11, resolving CVE-2026-41205

Test Plan and Usage Guide

  • CI builds the updated Dockerfile.fips successfully and produces a new image tag
  • Post-build: run docker run --rm go version /bin/aws-iam-authenticator and confirm Go ≥ 1.25.10 — if not, a newer aws-iam-authenticator release or source build with a newer toolchain is required before merge
  • Post-build Trivy scan on the new image returns zero Critical/High findings (required to clear the CCB promotion security gate)
  • New image tag is pinned in argo-values (staging, fedramp, il5), argocd-shared-inference-catalog, and forward-deployed-infra/infra-launcher/images.yaml via a follow-up MR
  • Promotion sequence: PROMOTE_STAGING_JOB=true (dev → staging) → CCB ticket → CCB_PROMOTION_JOB=true (fedramp + il5)

Greptile Summary

This PR is a targeted CVE remediation for the model-engine-internal FIPS image, bumping the Chainguard base image, upgrading aws-iam-authenticator, and updating a Python dependency.

  • Dockerfile.fips: Base image promoted from 3.10.19-dev to 3.10.20-r7-dev (replacing vulnerable Debian OS packages with patched Alpine equivalents); aws-iam-authenticator upgraded from v0.5.9 → v0.7.11 and a SHA256 digest check now guards the download — the supply-chain gap flagged in the previous review has been addressed.
  • requirements.txt: mako bumped from 1.2.4 → 1.3.12 (resolves CVE-2026-41205); legacy-cgi==2.6.4 pinned as a new transitive dependency pulled in by ddtrace.

Confidence Score: 5/5

Safe to merge once CI confirms the Dockerfile builds successfully and the post-build Trivy scan clears.

All changes are version bumps with no functional logic changes. The previously missing binary integrity check is now in place — if the SHA256 digest in the Dockerfile is wrong the build fails fast rather than silently accepting an untrusted binary. The base image and Python dependency changes are straightforward package upgrades with no cross-cutting side effects.

No files require special attention; both changed files contain only version bumps.

Important Files Changed

Filename Overview
model-engine/Dockerfile.fips Upgrades Chainguard base image to 3.10.20-r7-dev and aws-iam-authenticator to v0.7.11, and adds a SHA256 integrity check for the downloaded binary (addressing the supply-chain gap flagged in the previous review).
model-engine/requirements.txt Bumps mako to 1.3.12 (CVE-2026-41205) and pins the new transitive ddtrace dependency legacy-cgi==2.6.4; no logic issues found.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["FROM cgr.dev/scale.com/python-fips:3.10.20-r7-dev\n(was 3.10.19-dev)"] --> B[apk add build deps]
    B --> C["curl aws-iam-authenticator v0.7.11\n(was v0.5.9)"]
    C --> D["sha256sum -c verification\n(NEW — fails build on mismatch)"]
    D -->|"hash OK"| E[chmod +x binary]
    D -->|"hash mismatch"| F[❌ Build aborted]
    E --> G[pip install pip==24.2]
    G --> H[pip install awscli==1.34.28]
    H --> I["pip install requirements.txt\n(mako==1.3.12, legacy-cgi==2.6.4)"]
    I --> J[EXPOSE 5000 / USER nonroot]

Reviews (4): Last reviewed commit: "Verify aws-iam-authenticator digest and ..."

@astringel astringel requested a review from andytang-scale June 15, 2026 18:37

@andytang-scale andytang-scale left a comment

Contributor

LGTM

@astringel astringel changed the title Pubsect/gfd 2481 model engine internal CVE remediation GFD-2481 model engine internal CVE remediation Jun 15, 2026
…remediation

- aws-iam-authenticator v0.5.9 → v0.7.11 (CVE-2026-39823, CVE-2026-39825,
  CVE-2026-39826, CVE-2026-42504): the old binary embedded Go 1.17/1.18 stdlib
  with known HIGH vulnerabilities; v0.7.11 ships a newer toolchain.
- mako 1.2.4 → 1.3.11 (CVE-2026-41205): patch upgrade to the fixed release.
- Chainguard base image cgr.dev/scale.com/python-fips:3.10.19-dev → :3.10-dev
  (floating latest 3.10 tag): no newer exact pin found in local files; using
  floating tag to pull the most current patched base at build time, addressing
  libgnutls30, linux-libc-dev, libpython3.11, libcap2, openssh, and libkrb5
  CVE groups via OS package tree replacement.

The floating 3.10-dev tag is non-reproducible and does not satisfy the
pinned-tag requirement in the GFD-2481 CVE remediation spec. Pin to
3.10.20-r7-dev, confirmed as the latest -dev tag via crane ls on 2026-06-10.
The -dev variant is retained because Dockerfile.fips installs build tools
at image build time.

Dockerfile.fips: verify the downloaded binary's SHA256 against the
upstream checksums before making it executable, so a compromised
release asset or CDN cache-poisoning event fails the build rather than
silently landing in the FIPS image.

.gitlab-ci.yml: pin both scalegov2-pipelines includes to a specific
commit SHA instead of the floating ref: main, giving the pipeline a
stable, auditable baseline.
@astringel astringel force-pushed the pubsect/GFD-2481-model-engine-internal-cve-remediation branch from 516595c to a3c55e0 Compare June 15, 2026 19:47
@socket-security


Review the following changes in direct dependencies.

Diff   Package                 Supply Chain Security  Vulnerability  Quality  Maintenance  License
Added  pypi/legacy-cgi@2.6.4   100                    100            100      100          100

@astringel astringel requested a review from andytang-scale June 15, 2026 19:52

@andytang-scale andytang-scale left a comment

Contributor

lgtm

@billyang-scale

Collaborator

Review feedback

Verified the security-critical pieces against upstream — the core change (base-image re-pin + aws-iam-authenticator upgrade with a verified checksum) is sound. OK to approve once the CI build + Trivy gates in the test plan pass.

Verified

  • ✅ SHA256 is correct: the Dockerfile pins 8523d92af5680dbc7af81a75be63ffdb36040e061e8e318d322e01dceff85a1f, which matches upstream authenticator_0.7.11_checksums.txt exactly for linux_amd64. A wrong/poisoned binary now fails the build.
  • sha256sum -c - format and the /bin/aws-iam-authenticator target path are correct; the integrity-check gap from the prior round is genuinely closed.
  • ✅ Base image 3.10.20-r7-dev is a pinned (reproducible) tag.

Non-blocking notes

  • ⚠️ The description/commit messages claim a mako bump (1.2.4 → 1.3.11/1.3.12), but mako==1.3.12 is already on main — the diff does not touch it. Only the legacy-cgi==2.6.4 add is a real requirements.txt change. Please trim the stale mako claim from the description to avoid confusion.
  • ⚠️ Commit a3c55e0 says it pins the scalegov2-pipelines includes in .gitlab-ci.yml, but that file is not in the net diff (changedFiles: 2 = Dockerfile.fips + requirements.txt only). If pinning those refs was intended scope, it didn't land.
  • ℹ️ legacy-cgi==2.6.4 has no python_version marker; the cgi stdlib module still exists on the 3.10 base, so the backport is inert at runtime — harmless.
  • ℹ️ curl -Lo lacks --fail; the sha256sum -c aborts the build on a bad download anyway, so it's safe — adding --fail would just be marginally cleaner.

Gate before merge (from the test plan)

  • Confirm the new v0.7.11 binary's Go toolchain is ≥ 1.25.10 — that's the whole point of the bump; if it isn't, the 4 Go-stdlib CVEs aren't actually cleared.
  • Post-build Trivy returns zero Critical/High (CCB promotion gate).
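The fail-fast download-and-verify pattern and the Go-toolchain gate that the reviewers above discuss, written out as an added shell example (not code from the PR or the repository); the function names are hypothetical and the Dockerfile's real RUN line is not reproduced.

```shell
#!/bin/sh
# Added example, not code from the PR: the fail-fast "download, verify
# SHA256, only then chmod +x" pattern and the "go version <binary>" gate
# from the test plan, as reusable POSIX sh functions. Function names are
# hypothetical; the real Dockerfile RUN line is not reproduced here.
set -eu

# Verify a file against an expected SHA256 with the same "sha256sum -c -"
# form the Dockerfile uses (two spaces between digest and path). Non-zero
# exit on mismatch, so under "set -e" a RUN step aborts the build.
verify_sha256() {
  expected="$1"; path="$2"
  printf '%s  %s\n' "$expected" "$path" | sha256sum -c - >/dev/null 2>&1
}

# Fetch with --fail so an HTTP error body is never mistaken for a binary,
# verify before chmod +x, and delete the artifact on mismatch so nothing
# later in the build can pick it up.
fetch_verified() {
  url="$1"; expected="$2"; dest="$3"
  curl --fail -sSLo "$dest" "$url"
  if ! verify_sha256 "$expected" "$dest"; then
    rm -f "$dest"
    echo "checksum mismatch for $dest" >&2
    return 1
  fi
  chmod +x "$dest"
}

# Extract the "goX.Y.Z" token from a "go version <binary>" output line,
# e.g. "/bin/aws-iam-authenticator: go1.25.10" -> "go1.25.10".
parse_go_version() {
  printf '%s\n' "$1" | awk '{print $NF}'
}

# True when the embedded toolchain (e.g. go1.25.10) is >= the minimum
# (e.g. 1.25.10); numeric per-component comparison, no sort -V needed.
go_version_ge() {
  have="${1#go}"; want="$2"; old_ifs=$IFS; IFS=.
  set -- $have; h1=${1:-0}; h2=${2:-0}; h3=${3:-0}
  set -- $want; w1=${1:-0}; w2=${2:-0}; w3=${3:-0}
  IFS=$old_ifs
  [ "$h1" -gt "$w1" ] && return 0
  [ "$h1" -lt "$w1" ] && return 1
  [ "$h2" -gt "$w2" ] && return 0
  [ "$h2" -lt "$w2" ] && return 1
  [ "$h3" -ge "$w3" ]
}
```

In a CI step this becomes `go_version_ge "$(parse_go_version "$(go version /bin/aws-iam-authenticator)")" 1.25.10 || exit 1`, which turns the manual check in the test plan into a hard gate.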
