security(bpf): bump agent builder to go 1.26.4 + apk upgrade alpine base#105
Merged
Merged
Conversation
The application-profiler-bpf image carried 27 fixable CVEs: - 3 Go stdlib in the bundled agent binary (built with golang:1.26.3-alpine) -> bump the agentbuild stage to golang:1.26.4-alpine. - 24 Alpine OS packages (libssl3/libcrypto3 3.5.6-r0 -> 3.5.7-r0, libexpat, libxml2) that the pinned alpine:3.23.4 snapshot ships stale -> add `apk upgrade --no-cache` in the final stage before installing the tools. Verified: agentbuild stage compiles; the extracted agent binary reports go1.26.4 and 0 fixable CRITICAL/HIGH/MEDIUM; `apk upgrade` on alpine:3.23.4 moves libssl3/libcrypto3 to the patched 3.5.7-r0. Part of the nudgebee image-hardening effort (nudgebee/nudgebee#578).
There was a problem hiding this comment.
Code Review
This pull request updates the Golang base image to version 1.26.4-alpine and adds an apk upgrade step to the Alpine runner stage to pull the latest security patches. Feedback suggests optimizing the package installation commands to avoid downloading the repository index twice, thereby reducing build times and network usage.
Consolidate to apk update && upgrade && add && rm cache — one index fetch instead of two --no-cache passes — and fix the double space in the package list. Built the full bpf image: 0 fixable C/H/M, agent binary runs.
RamanKharchee
approved these changes
Jul 9, 2026
blue4209211
approved these changes
Jul 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Clears the 27 fixable CVEs in the
application-profiler-bpfimage, driving it to 0 fixable CRITICAL/HIGH/MEDIUM:golang:1.26.3-alpine. Bumped theagentbuildstage togolang:1.26.4-alpine.libssl3/libcrypto33.5.6-r0 → 3.5.7-r0,libexpat,libxml2) that the pinnedalpine:3.23.4snapshot ships stale. Addedapk upgrade --no-cachein the final stage before installing tools.Verification
docker build --target agentbuildsucceeds; the extracted/go/bin/agentreportsgo1.26.4,trivy rootfs --ignore-unfixed→ 0 findings (was 3).apk upgradeonalpine:3.23.4moveslibssl3/libcrypto3to patched3.5.7-r0(confirmed independently).Scope
Fixes the bpf variant (referenced by the k8s-agent chart as
application-profiler-{}and scanned in the hardening baseline). Thepython/jvm/perf/ruby/dummyvariants share thegolang:1.26.3builder and can take the same bump in a follow-up.Part of the nudgebee image-hardening effort (nudgebee/nudgebee#578).