security: Mythos AI-scan fixes batch 1 (KUBE-33, KUBE-27, KUBE-30, KUBE-31) #588
Merged
The e2e nodeapp test image was built on alpine:3.7, EOL since Nov 2019 and carrying years of unpatched musl/OpenSSL/busybox CVEs. Pin to a current, digest-locked alpine:3.22 instead. Also scope the docker build context to only the files the Dockerfile copies, and anchor the .gitignore rules for the ephemeral SSH key and built binary to tests/e2e/nodeapp/ — the bare "nodeapp" pattern was matching the whole directory and silently ignoring new files in it. nodeapp is test-only tooling (built by the e2e/dcm_e2e make targets, pushed to a throwaway registry via E2E_NODEAPP_IMG); it is not shipped in any release, helm chart, or product image, and the SSH keypair is regenerated per build rather than committed.
…UBE-27, KUBE-30) linting.yml called ROCm/rocm-docs-core's reusable workflow at the mutable @develop branch with no permissions block, so the inherited GITHUB_TOKEN defaulted to the repo/org read-write ceiling. A push to that upstream branch could run arbitrary steps with write access to this repo.
- Pin the reusable workflow to the v1.35.0 commit SHA (immutable ref).
- Add top-level permissions: contents: read. Verified the reusable workflow only checks out and runs markdownlint/spellcheck, so read is sufficient.
- Add the github-actions ecosystem to dependabot.yml so the pinned SHA is kept current via automated PRs.
…BE-31) Dockerfile.build installed helm by piping the get-helm-3 script fetched from the tip of helm's main branch, with no integrity verification. A tampered script (mutable branch, CDN/MITM) would execute in the build environment. Replace it with a pinned, digest-verified tarball install: fetch a specific helm version from get.helm.sh and check it against the official sha256 before extracting. Version and checksum are Makefile args (HELM_VERSION/HELM_SHA256) forwarded to docker-build-env, matching the existing base-image build-arg pattern; bump both together on upgrade. Pinned to v3.19.0 (latest helm 3) to preserve current behavior; helm 4 is a separate major-version decision.
Summary
First batch of fixes for the Mythos AI security-scan findings against this repo. Three self-contained commits, one per finding (KUBE-27 and KUBE-30 are the same issue and are fixed together).
- tests/e2e/nodeapp was built on alpine:3.7 (EOL since Nov 2019). Bumped to a digest-pinned alpine:3.22, scoped the docker build context via .dockerignore, and anchored the .gitignore rules for the ephemeral SSH key / built binary to tests/e2e/nodeapp/ (the bare nodeapp pattern was matching the whole directory).
- .github/workflows/linting.yml called the rocm-docs-core reusable workflow at the mutable @develop ref with no permissions: block, so the inherited GITHUB_TOKEN defaulted to write-all. Pinned to the v1.35.0 commit SHA, added permissions: contents: read (verified sufficient), and added the github-actions ecosystem to Dependabot so the pin stays current.
- Dockerfile.build installed helm by piping the get-helm-3 script from helm's main branch with no integrity check. Replaced with a pinned, sha256-verified tarball install; version/checksum are Makefile args (HELM_VERSION/HELM_SHA256) forwarded to docker-build-env.

nodeapp is test-only tooling (not shipped in any release, chart, or product image); the build-shell image is dev/CI only.
Test plan
- make docker-build-env builds successfully with the pinned+verified helm step (helm.tar.gz: OK)
- linting.yml and dependabot.yml; Makefile args resolve in docker-build-env.
- sha256sum and the actual tarball
- contents: read
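
The verify-before-extract step that the helm commit above describes, as an added sketch that is not the PR's Dockerfile.build. The names install_verified and demo are hypothetical, and the tarball and its digest are constructed locally in place of the helm download and the pinned HELM_SHA256, so the block runs offline.

```shell
#!/bin/sh
# Added illustration (not the PR's Dockerfile.build): verify-then-extract for a pinned tarball.
# In a real build the file is downloaded first and the expected digest comes from a pinned
# build arg such as HELM_SHA256; here both are constructed locally.

# install_verified TARBALL EXPECTED_SHA256 DEST
# returns 0 = verified and extracted, 1 = digest mismatch, 2 = malformed digest
install_verified() {
    tarball=$1 expected=$2 dest=$3
    # An empty or non-hex build arg must fail closed, not skip the check.
    case $expected in
        ''|*[!0-9a-f]*) echo "malformed sha256: '$expected'" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed sha256 length" >&2; return 2; }
    # sha256sum -c expects "<digest>  <file>" and prints "<file>: OK" on a match.
    if ! printf '%s  %s\n' "$expected" "$tarball" | sha256sum -c -; then
        echo "refusing to extract $tarball" >&2
        return 1
    fi
    mkdir -p "$dest" && tar -xzf "$tarball" -C "$dest"
}

# demo: build a constructed tarball, then try a good pin, a tampered file and an empty pin.
# Echoes the three return codes and whether only the verified copy was extracted.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/src" && echo 'constructed sample binary' > "$work/src/tool"
    tar -czf "$work/tool.tar.gz" -C "$work/src" tool
    pin=$(sha256sum "$work/tool.tar.gz" | cut -d' ' -f1)   # stands in for the pinned value

    install_verified "$work/tool.tar.gz" "$pin" "$work/good" >/dev/null 2>&1 && r1=0 || r1=$?
    echo 'tampered' >> "$work/tool.tar.gz"                  # simulate a modified download
    install_verified "$work/tool.tar.gz" "$pin" "$work/bad" >/dev/null 2>&1 && r2=0 || r2=$?
    install_verified "$work/tool.tar.gz" "" "$work/empty" >/dev/null 2>&1 && r3=0 || r3=$?

    extracted=no
    if [ -f "$work/good/tool" ] && [ ! -e "$work/bad" ] && [ ! -e "$work/empty" ]; then
        extracted=only-verified
    fi
    rm -rf "$work"
    echo "$r1 $r2 $r3 $extracted"
}

demo
```

The empty-pin case matters because an unset build arg would otherwise reach the checksum step as a blank digest; rejecting it up front keeps the failure explicit.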