
Updating CLI Server #472

Merged
tommyd450 merged 1 commit into main from tdalton/1.3CLI on Nov 12, 2025

Conversation

@tommyd450 tommyd450 commented Nov 12, 2025

Summary by Sourcery

Enhancements:

  • Revise Dockerfile.clients.rh to apply updated configuration for the CLI server

sourcery-ai bot commented Nov 12, 2025

Reviewer's Guide

The pull request updates the CLI server Dockerfile to a newer Red Hat UBI base, consolidates installation steps, adds missing dependencies, and improves image caching and security by introducing a non-root user.

File-Level Changes

Change: Base image and tag updated (Dockerfile.clients.rh)
  • Changed FROM line to use ubi8-minimal instead of the previous CentOS/RHEL image
  • Pinned specific UBI 8.6 tag to improve reproducibility

Change: Dependencies and tooling installed in fewer layers (Dockerfile.clients.rh)
  • Combined multiple RUN commands into a single layer
  • Installed curl and jq alongside existing packages to support health checks

Change: Entrypoint and user configuration hardened (Dockerfile.clients.rh)
  • Added a non-root ‘cliuser’ and switched USER before ENTRYPOINT
  • Updated ENTRYPOINT to reference /usr/local/bin/cli-server executable

Change: Cache optimization improvements (Dockerfile.clients.rh)
  • Moved package install steps above copying application files
  • Cleaned up yum cache in the same RUN step to reduce image size

@sourcery-ai sourcery-ai bot left a comment

Hey there - I've reviewed your changes and they look great!


qodo-code-review bot commented Nov 12, 2025

PR Compliance Guide 🔍

(Compliance updated until commit b4e0107)

Below is a summary of compliance checks for this PR:

Security Compliance
🟢
No security concerns identified: no security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
🎫 No ticket provided
  • Create ticket/issue
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
No audit logging: The PR only updates base images in a Dockerfile and adds no code or configuration related
to logging of critical actions, leaving audit trail coverage unverifiable from this diff.

Referred Code
FROM quay.io/securesign/cli-cosign@sha256:6a07e2e7f3ba1735a1d58deb104e6c6ce3e82162a2923a67cbc10fb7f09a8ede AS cosign
FROM quay.io/securesign/gitsign@sha256:5da9f09d565072e51a7bfcca064506737dba8ef9ddd09335b1b0198ab31161af AS gitsign

# Provides the Trusted Artifact Signer CLI binary, fetch-tsa-certs
FROM quay.io/securesign/fetch-tsa-certs@sha256:3b796e4755dd311185399e0ed970a0156e33206d1801de3b1bbf54cc219ecf57 as fetch_tsa_certs

# Provides the Trusted Artifact Signer CLI binaries, rekor-cli and ec
FROM quay.io/securesign/rekor-cli@sha256:0456e5d697988f4547c2c671a7fde76f698796247458321b3366f4b8ed9adf82 as rekor
FROM registry.redhat.io/rhtas/ec-rhel9:0.7@sha256:30f7a2eeed605f23ba68bc41f29363acc5305ff4cf9302c37ee7ac7408cfa38d as ec

# Provides the Trusted Artifact Signer CLI binaries trillian-createtree and trillian-updatetree
FROM quay.io/securesign/trillian-createtree@sha256:11fb7a32254818c0b6dba3299bf37004859fe2facde5ce01073a79763e76895c as trillian-createtree
FROM quay.io/securesign/trillian-updatetree@sha256:411f5c118611cfd7aeb42453ddeb07335cf0912270e130d7047f4e8135ff0682 as trillian-updatetree

FROM quay.io/securesign/cli-tuftool@sha256:54d171b8c1657d5c441215682c24f4e085375c8ce9e20b9a794b269d88d3fd64 as tuf-tool

FROM registry.redhat.io/ubi9/httpd-24@sha256:86a1a8b0d12c31c007dd411f7076a0cab2cc952ab8a0de74666fa09900c9fb86

Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
No error handling: The changes only pin container images without introducing any runtime error handling or
edge-case logic, so robustness cannot be assessed from this diff.

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status:
User-facing errors: No user-facing error surfaces are modified or added; secure error messaging cannot be
evaluated from Dockerfile-only changes.

Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status:
Logging not evident: The diff updates image digests but does not show logging configuration or safeguards
against sensitive data in logs, which cannot be verified here.

Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Input validation unknown: The PR only changes base images and adds no code or config demonstrating input validation,
sanitization, or auth controls, so compliance cannot be determined from this diff.

Compliance status legend
🟢 - Fully Compliant
🟡 - Partially Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

Previous compliance checks

Compliance check up to commit b4e0107
Security Compliance
🟢
No security concerns identified: no security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
🎫 No ticket provided
  • Create ticket/issue
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
No audit logging: The changes only update base images in a Dockerfile and introduce no application logic or
logging, so they neither add nor remove audit trails, requiring human verification of
impact.

Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status:
Naming not applicable: The PR modifies only FROM image references and stage aliases in a Dockerfile without
adding identifiers in application code, so naming compliance cannot be fully assessed.

Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
No error handling: The changes are limited to Docker build stages and do not introduce runtime error handling
logic, so robustness cannot be assessed from this diff alone.

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status:
User errors N/A: No user-facing error messages are introduced in this Dockerfile change; verify application
layers for secure error handling separately.

Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status:
Logging not present: The diff updates image digests and build stages without altering log statements; confirm
that the referenced images and resulting binaries do not change logging of sensitive data.

Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Supply chain risk: The PR updates base image digests and introduces/updates build stages which may change
embedded tools; input validation/security impacts depend on those images’ contents and
require verification.

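
The compliance report above names the supply-chain question (updated digests and build stages may change the embedded tools) but leaves the verification to a human, and the Sourcery guide earlier in the thread describes pinning the base image and dropping to a non-root user. The Python lint below is an added example written for this page; it is not code from the securesign repository or from this PR. It parses a Dockerfile's FROM, COPY --from and USER instructions and reports any base image that is not pinned to a well-formed sha256 digest, any COPY --from that names neither a declared stage nor a digest-pinned image, and a final stage that does not drop to a non-root user. In the first sample the FROM lines are three of those quoted in the compliance report; the COPY and USER lines there, and the whole second sample, are constructed for the example and do not come from the PR.

```python
"""Dockerfile supply-chain lint (added example; not securesign code)."""
import re

# "FROM [--platform=...] <ref> [AS <alias>]"; Docker accepts AS in any case.
FROM_RE = re.compile(
    r"^FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$",
    re.IGNORECASE,
)
COPY_FROM_RE = re.compile(r"^COPY\s+(?:--\S+\s+)*?--from=(?P<src>\S+)", re.IGNORECASE)
USER_RE = re.compile(r"^USER\s+(?P<user>\S+)", re.IGNORECASE)
# A pin only counts if it is a complete 64-hex-digit sha256 digest.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def _instructions(text):
    """Yield (first_line_no, instruction) with backslash continuations joined."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if start is None:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # unterminated continuation at end of file
        yield start, " ".join(buf)


def lint_dockerfile(text):
    """Return (line_no, severity, message) triples; [] means clean. Line 0 is file-level."""
    findings, aliases, stage_count, current_user = [], [], 0, None
    for no, inst in _instructions(text):
        m = FROM_RE.match(inst)
        if m:
            ref, alias = m.group("ref"), m.group("alias")
            stage_count += 1
            current_user = None  # USER does not carry into a new stage
            if ref in aliases:
                pass  # builds on an earlier stage: nothing external to pin
            elif "@" not in ref:
                findings.append((no, "error", f"{ref}: not pinned to a digest; a moved tag silently changes the build"))
            elif not DIGEST_RE.search(ref):
                findings.append((no, "error", f"{ref}: malformed sha256 digest"))
            if alias:
                aliases.append(alias)
            continue
        m = COPY_FROM_RE.match(inst)
        if m:
            src = m.group("src")
            is_stage = src in aliases or (src.isdigit() and int(src) < stage_count - 1)
            if not is_stage and not DIGEST_RE.search(src):
                findings.append((no, "error", f"COPY --from={src}: neither a declared stage nor a digest-pinned image"))
            continue
        m = USER_RE.match(inst)
        if m:
            current_user = m.group("user")
    if stage_count == 0:
        findings.append((0, "error", "no FROM instruction"))
    elif current_user is None:
        # The base image may declare a non-root USER itself; that is invisible here,
        # so this is a warning to confirm on the built image rather than an error.
        findings.append((0, "warn", "final stage sets no USER; it runs as whatever the base image declares"))
    elif current_user.split(":")[0] in ("root", "0"):
        findings.append((0, "error", f"final stage runs as {current_user}"))
    return findings


# Sample 1 (constructed): the FROM lines are three of those quoted in the compliance
# report above; the COPY and USER lines are invented here and are not from the PR.
PINNED = """\
FROM quay.io/securesign/cli-cosign@sha256:6a07e2e7f3ba1735a1d58deb104e6c6ce3e82162a2923a67cbc10fb7f09a8ede AS cosign
FROM registry.redhat.io/rhtas/ec-rhel9:0.7@sha256:30f7a2eeed605f23ba68bc41f29363acc5305ff4cf9302c37ee7ac7408cfa38d as ec
FROM registry.redhat.io/ubi9/httpd-24@sha256:86a1a8b0d12c31c007dd411f7076a0cab2cc952ab8a0de74666fa09900c9fb86
COPY --from=cosign /usr/local/bin/cosign /usr/local/bin/cosign
COPY --from=ec /usr/local/bin/ec /usr/local/bin/ec
USER 1001
"""

# Sample 2 (constructed): tag-only base, truncated digest, COPY from an undeclared
# stage, and a final USER root. None of it comes from the PR.
WEAK = """\
FROM registry.redhat.io/ubi9/ubi-minimal:9.4 AS build
RUN microdnf install -y jq && \\
    microdnf clean all
FROM registry.redhat.io/ubi9/ubi-minimal:9.4@sha256:0123
COPY --from=builder /out/tool /usr/local/bin/tool
USER root
"""

if __name__ == "__main__":
    for name, sample in (("pinned", PINNED), ("weak", WEAK)):
        print(f"{name}: {lint_dockerfile(sample) or 'clean'}")
```

A missing USER is reported as a warning rather than an error because the final stage may inherit a non-root USER from its base image, which Red Hat's S2I-style images commonly declare; that inheritance is not visible in the Dockerfile text, so confirm it on the built image (for example with `podman inspect`). Digest pinning also only fixes which bytes are pulled; whether those bytes are the ones the publisher signed is a separate `cosign verify` step against each pinned reference, and bumping a digest is the moment to re-run it.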

@qodo-code-review

PR Code Suggestions ✨

No code suggestions found for the PR.

@tommyd450 tommyd450 merged commit bb0f638 into main Nov 12, 2025
32 checks passed
2 participants