Skip to content

security(bpf): bump agent builder to go 1.26.4 + apk upgrade alpine base#105

Merged
mayankpande88 merged 2 commits into
mainfrom
security/bpf-go1.26.4-alpine-upgrade
Jul 9, 2026
Merged

security(bpf): bump agent builder to go 1.26.4 + apk upgrade alpine base#105
mayankpande88 merged 2 commits into
mainfrom
security/bpf-go1.26.4-alpine-upgrade

Conversation

@mayankpande88

Copy link
Copy Markdown
Contributor

Summary

Clears the 27 fixable CVEs in the application-profiler-bpf image, driving it to 0 fixable CRITICAL/HIGH/MEDIUM:

  • 3 Go stdlib in the bundled agent binary — built with golang:1.26.3-alpine. Bumped the agentbuild stage to golang:1.26.4-alpine.
  • 24 Alpine OS packages (libssl3/libcrypto3 3.5.6-r0 → 3.5.7-r0, libexpat, libxml2) that the pinned alpine:3.23.4 snapshot ships stale. Added apk upgrade --no-cache in the final stage before installing tools.

Verification

  • docker build --target agentbuild succeeds; the extracted /go/bin/agent reports go1.26.4, trivy rootfs --ignore-unfixed0 findings (was 3).
  • apk upgrade on alpine:3.23.4 moves libssl3/libcrypto3 to patched 3.5.7-r0 (confirmed independently).

Scope

Fixes the bpf variant (referenced by the k8s-agent chart as application-profiler-{} and scanned in the hardening baseline). The python/jvm/perf/ruby/dummy variants share the golang:1.26.3 builder and can take the same bump in a follow-up.

Part of the nudgebee image-hardening effort (nudgebee/nudgebee#578).

The application-profiler-bpf image carried 27 fixable CVEs:
- 3 Go stdlib in the bundled agent binary (built with golang:1.26.3-alpine)
  -> bump the agentbuild stage to golang:1.26.4-alpine.
- 24 Alpine OS packages (libssl3/libcrypto3 3.5.6-r0 -> 3.5.7-r0, libexpat,
  libxml2) that the pinned alpine:3.23.4 snapshot ships stale -> add
  `apk upgrade --no-cache` in the final stage before installing the tools.

Verified: agentbuild stage compiles; the extracted agent binary reports
go1.26.4 and 0 fixable CRITICAL/HIGH/MEDIUM; `apk upgrade` on alpine:3.23.4
moves libssl3/libcrypto3 to the patched 3.5.7-r0.

Part of the nudgebee image-hardening effort (nudgebee/nudgebee#578).

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the Golang base image to version 1.26.4-alpine and adds an apk upgrade step to the Alpine runner stage to pull the latest security patches. Feedback suggests optimizing the package installation commands to avoid downloading the repository index twice, thereby reducing build times and network usage.

Comment thread docker/bpf/Dockerfile Outdated
Consolidate to apk update && upgrade && add && rm cache — one index fetch
instead of two --no-cache passes — and fix the double space in the package
list. Built the full bpf image: 0 fixable C/H/M, agent binary runs.
@mayankpande88 mayankpande88 merged commit e50de43 into main Jul 9, 2026
6 checks passed
@mayankpande88 mayankpande88 deleted the security/bpf-go1.26.4-alpine-upgrade branch July 9, 2026 13:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants