
security: Mythos AI-scan fixes batch 1 (KUBE-33, KUBE-27, KUBE-30, KUBE-31)#588

Merged
spraveenio merged 3 commits into
ROCm:mainfrom
bhatnitish:mythos-batch-1
Jul 1, 2026

Conversation

@bhatnitish bhatnitish commented Jul 1, 2026

Contributor

Summary

First batch of fixes for the Mythos AI security-scan findings against this repo. Three self-contained commits, one per finding (KUBE-27 and KUBE-30 are the same issue and are fixed together).

  • KUBE-33: tests/e2e/nodeapp was built on alpine:3.7 (EOL since Nov 2019). Bumped to a digest-pinned alpine:3.22, scoped the docker build context via .dockerignore, and anchored the .gitignore rules for the ephemeral SSH key / built binary to tests/e2e/nodeapp/ (the bare nodeapp pattern was matching the whole directory).
  • KUBE-27 / KUBE-30: .github/workflows/linting.yml called the rocm-docs-core reusable workflow at the mutable @develop ref with no permissions: block, so the inherited GITHUB_TOKEN defaulted to write-all. Pinned to the v1.35.0 commit SHA, added permissions: contents: read (verified sufficient), and added the github-actions ecosystem to Dependabot so the pin stays current.
  • KUBE-31: Dockerfile.build installed helm by piping the get-helm-3 script from helm's main branch with no integrity check. Replaced with a pinned, sha256-verified tarball install; version/checksum are Makefile args (HELM_VERSION/HELM_SHA256) forwarded to docker-build-env.

nodeapp is test-only tooling (not shipped in any release, chart, or product image); the build-shell image is dev/CI only.

Test plan

  • make docker-build-env builds successfully with the pinned+verified helm step (helm.tar.gz: OK)
  • YAML validated for linting.yml and dependabot.yml; Makefile args resolve in docker-build-env
  • helm v3.19.0 checksum confirmed against the official .sha256sum and the actual tarball
  • CI docs-linting workflow passes with contents: read

The e2e nodeapp test image was built on alpine:3.7, EOL since Nov 2019
and carrying years of unpatched musl/OpenSSL/busybox CVEs. Pin to a
current, digest-locked alpine:3.22 instead.

Also scope the docker build context to only the files the Dockerfile
copies, and anchor the .gitignore rules for the ephemeral SSH key and
built binary to tests/e2e/nodeapp/ — the bare "nodeapp" pattern was
matching the whole directory and silently ignoring new files in it.

nodeapp is test-only tooling (built by the e2e/dcm_e2e make targets,
pushed to a throwaway registry via E2E_NODEAPP_IMG); it is not shipped
in any release, helm chart, or product image, and the SSH keypair is
regenerated per build rather than committed.
…UBE-27, KUBE-30)

linting.yml called ROCm/rocm-docs-core's reusable workflow at the mutable
@develop branch with no permissions block, so the inherited GITHUB_TOKEN
defaulted to the repo/org read-write ceiling. A push to that upstream
branch could run arbitrary steps with write access to this repo.

- Pin the reusable workflow to the v1.35.0 commit SHA (immutable ref).
- Add top-level permissions: contents: read. Verified the reusable
  workflow only checks out and runs markdownlint/spellcheck, so read is
  sufficient.
- Add the github-actions ecosystem to dependabot.yml so the pinned SHA
  is kept current via automated PRs.
…BE-31)

Dockerfile.build installed helm by piping the get-helm-3 script fetched
from the tip of helm's main branch, with no integrity verification. A
tampered script (mutable branch, CDN/MITM) would execute in the build
environment.

Replace it with a pinned, digest-verified tarball install: fetch a
specific helm version from get.helm.sh and check it against the official
sha256 before extracting. Version and checksum are Makefile args
(HELM_VERSION/HELM_SHA256) forwarded to docker-build-env, matching the
existing base-image build-arg pattern; bump both together on upgrade.

Pinned to v3.19.0 (latest helm 3) to preserve current behavior; helm 4
is a separate major-version decision.
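The verify-before-extract step that the KUBE-31 commit describes, written out as an added example; this is not the PR's own Dockerfile.build or Makefile code. The function names, the `get.helm.sh` URL layout, and the `linux-amd64/helm` path inside the tarball are assumptions made here; the file used by the offline self-check is constructed and is not a helm tarball. The failure path is the one a practitioner cares about: a digest mismatch must fail the build and must not leave the unverified archive where a later step could extract it.

```shell
#!/bin/sh
# Added example (not the project's code): pinned, sha256-verified tarball
# install in function form, plus an offline self-check of the verify step.
set -u

# Print the SHA-256 hex digest of FILE with whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  else
    openssl dgst -sha256 "$1" | sed 's/^.*= //'
  fi
}

# verify_sha256 FILE EXPECTED_HEX: returns 0 on match, 1 on mismatch.
# On mismatch the file is removed so nothing downstream can extract it.
verify_sha256() {
  file="$1"; expected="$2"
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "$file: OK"
    return 0
  fi
  echo "$file: FAILED (expected $expected, got $actual)" >&2
  rm -f "$file"
  return 1
}

# install_helm_verified VERSION SHA256 DEST_DIR: the Dockerfile RUN step as a
# function. VERSION/SHA256 correspond to the HELM_VERSION/HELM_SHA256 build
# args the PR mentions; the URL and archive layout are assumed here.
# Needs network, so it is not exercised by the self-check below.
install_helm_verified() {
  version="$1"; expected="$2"; dest="$3"
  tmp=$(mktemp -d)
  curl -fsSL "https://get.helm.sh/helm-v${version}-linux-amd64.tar.gz" \
    -o "$tmp/helm.tar.gz"
  verify_sha256 "$tmp/helm.tar.gz" "$expected" || { rm -rf "$tmp"; return 1; }
  tar -xzf "$tmp/helm.tar.gz" -C "$tmp"
  install -m 0755 "$tmp/linux-amd64/helm" "$dest/helm"
  rm -rf "$tmp"
}

# Offline self-check on a constructed file (contents "hello\n", whose
# SHA-256 is known). Exercises both the match and the tampered-artifact case.
self_check() {
  tmp=$(mktemp)
  good=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
  bad=0000000000000000000000000000000000000000000000000000000000000000
  printf 'hello\n' > "$tmp"
  verify_sha256 "$tmp" "$good" || return 1
  # Wrong digest: must fail AND the file must be gone afterwards.
  printf 'hello\n' > "$tmp"
  if verify_sha256 "$tmp" "$bad" 2>/dev/null; then
    return 1
  fi
  [ ! -e "$tmp" ]
}

self_check && echo "self-check passed"
```

Inside a Dockerfile the same check collapses to one RUN line of the form `echo "${HELM_SHA256}  helm.tar.gz" | sha256sum -c -`, whose success output is the `helm.tar.gz: OK` line the test plan quotes; `sha256sum -c` exits non-zero on mismatch, which fails the RUN step and therefore the image build. The value of keeping the version and digest as paired build args is that a bump of one without the other fails loudly rather than silently installing an unverified binary.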
@bhatnitish bhatnitish marked this pull request as ready for review July 1, 2026 20:49

@yansun1996 yansun1996 left a comment

Member

LGTM

@spraveenio spraveenio merged commit a97872d into ROCm:main Jul 1, 2026
4 checks passed