Pin all base images in Dockerfiles to SHA256 digests for supply chain security (Scorecard remediation) (#1188)

oCHRISo · web-flow · commit de1e01063fa8 · 2025-08-12T10:46:48.000+01:00
diff --git a/scripts/packages/packager/Dockerfile b/scripts/packages/packager/Dockerfile
@@ -1,6 +1,6 @@
 ARG package_type
 
-FROM docker.io/golang:1.24-bullseye AS base
+FROM docker.io/golang@sha256:62ba6b19de03e891f7fa1001326bd48411f2626ff35e7ba5b9d890711ce581d9 AS base
 
 ARG PKG_VER="1.17.5"
 ARG PKG_DIR="/tmp/pkg"
diff --git a/test/docker/load/Dockerfile b/test/docker/load/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:24.04 as base
+FROM ubuntu@sha256:a08e551cb33850e4740772b38217fc1796a66da2506d312abe51acda354ff061 AS base
 LABEL maintainer="NGINX Docker Maintainers <docker-maint@nginx.com>"
 
 # https://askubuntu.com/questions/909277/avoiding-user-interaction-with-tzdata-when-installing-certbot-in-a-docker-contai
diff --git a/test/integration/auxiliarycommandserver/Dockerfile b/test/integration/auxiliarycommandserver/Dockerfile
@@ -1,4 +1,4 @@
-FROM debian:buster-slim
+FROM debian:buster-slim@sha256:bb3dc79fddbca7e8903248ab916bb775c96ec61014b3d02b4f06043b604726dc
 
 WORKDIR /mock-management-plane-grpc
 COPY ./build/mock-management-plane-grpc ./
diff --git a/test/mock/collector/mock-collector/Dockerfile b/test/mock/collector/mock-collector/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:bookworm
+FROM golang:bookworm@sha256:ef8c5c733079ac219c77edab604c425d748c740d8699530ea6aced9de79aea40
 
 WORKDIR /mock-management-otel-collector
 COPY ./build/mock-management-otel-collector ./
diff --git a/test/mock/grpc/Dockerfile b/test/mock/grpc/Dockerfile
@@ -1,4 +1,4 @@
-FROM debian:buster-slim
+FROM debian:buster-slim@sha256:bb3dc79fddbca7e8903248ab916bb775c96ec61014b3d02b4f06043b604726dc
 
 WORKDIR /mock-management-plane-grpc
 COPY ./build/mock-management-plane-grpc ./

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-FROM ubuntu:24.04 as base`
	`1`	`+FROM ubuntu@sha256:a08e551cb33850e4740772b38217fc1796a66da2506d312abe51acda354ff061 AS base`
`2`	`2`	`LABEL maintainer="NGINX Docker Maintainers <[email protected]>"`
`3`	`3`
`4`	`4`	`# https://askubuntu.com/questions/909277/avoiding-user-interaction-with-tzdata-when-installing-certbot-in-a-docker-contai`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-FROM debian:buster-slim`
	`1`	`+FROM debian:buster-slim@sha256:bb3dc79fddbca7e8903248ab916bb775c96ec61014b3d02b4f06043b604726dc`
`2`	`2`
`3`	`3`	`WORKDIR /mock-management-plane-grpc`
`4`	`4`	`COPY ./build/mock-management-plane-grpc ./`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-FROM golang:bookworm`
	`1`	`+FROM golang:bookworm@sha256:ef8c5c733079ac219c77edab604c425d748c740d8699530ea6aced9de79aea40`
`2`	`2`
`3`	`3`	`WORKDIR /mock-management-otel-collector`
`4`	`4`	`COPY ./build/mock-management-otel-collector ./`