security: CVE scan (dependencies clean) + pin alpine build base image #10
Closed
BenElferink wants to merge 1 commit into
The release build stage used a floating `alpine` (implicit :latest) tag, flagged by Trivy config scan (DS-0001). Pin it to alpine:3.24.1 by digest so the build cannot silently pull a future, potentially vulnerable base image. This stage only assembles files into the final scratch image, so it does not change any shipped gem and cannot affect trace collection.

Co-authored-by: Ben <BenElferink@users.noreply.github.com>
Summary
Performed a comprehensive CVE scan of the repository and addressed the one actionable supply-chain finding. No vulnerable Ruby dependencies were found in the shipped gem bundle (the trace-collection artifact), so no gem versions were changed — eliminating any risk to trace collection.
CVE scan results
The pinned Ruby gems (all 8 `*/{amd64,arm64}/Gemfile.lock` files and the vendored `bundle/`) were scanned with four independent, current sources:

- osv-scanner 2.4.0
- `google-protobuf` 4.33.5, `rake` 13.3.1, `bundler` 4.0.6 are all far newer than any advisory range
- `public.ecr.aws/odigos/agents/ruby-community:latest`

The gem set (OpenTelemetry SDK/API/instrumentations, `google-protobuf`, `googleapis-common-protos-types`, `bigdecimal`, `rake`) is already up to date and free of known CVEs.

What this PR changes
The only actionable security finding came from Trivy's Dockerfile config scan: `release.Dockerfile` used a floating `alpine` (implicit `:latest`) base image (DS-0001). This PR pins it to an immutable digest:

This prevents the build from silently pulling a future, potentially vulnerable base image. The stage only assembles files into the final `scratch` image, so no shipped gem is touched and trace collection is unaffected.

The remaining config-scan items (DS-0002 non-root `USER`, DS-0026 `HEALTHCHECK`) are not applicable to a `scratch` filesystem-only image — the build stages must run as root to write under `/`, and there is no runtime process to health-check.

Verifying trace collection
The e2e CI (`tests.yaml`, runs on `pull_request`) exercises end-to-end trace collection across Ruby 3.1–3.4 against an OpenTelemetry Collector. Because this PR does not modify the gem bundle or `index.rb`, a green run confirms trace collection remains intact.
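As an added example (not code from this PR, and not Trivy's own DS-0001 check), a small Python checker that flags the pattern the PR fixes: a `FROM` whose base image is not pinned by digest, while skipping `scratch` and references to earlier build stages. The Dockerfile content and the all-zero digest are constructed placeholders.

```python
import re
from typing import List, Tuple

# Constructed sample in the shape the PR describes: build stages that
# copy files into a final scratch image. The digest is a placeholder.
SAMPLE_DOCKERFILE = """\
FROM ruby:3.4-alpine AS gems
RUN bundle install

FROM alpine AS assembler
COPY --from=gems /usr/local/bundle /out/bundle

FROM --platform=$BUILDPLATFORM alpine:3.24.1@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS pinned
COPY --from=assembler /out /out

FROM scratch
COPY --from=pinned /out /
"""

# FROM [--flag ...] <image> [AS <alias>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--\S+\s+)*(?P<image>\S+)(?:\s+AS\s+(?P<alias>\S+))?",
    re.IGNORECASE,
)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def find_unpinned_bases(dockerfile: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, image, reason) for every FROM that can float.

    scratch and earlier stage names are not pulled from a registry, so
    they are skipped; a digest-pinned reference is immutable.
    """
    findings = []
    stages = set()
    for no, line in enumerate(dockerfile.splitlines(), start=1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image = m.group("image")
        skip = image.lower() == "scratch" or image.lower() in stages
        if not skip and not DIGEST_RE.search(image):
            # Drop registry/path so a registry port is not mistaken for a tag.
            name = image.rsplit("/", 1)[-1]
            reason = "no tag (implicit :latest)" if ":" not in name else "tag only, mutable"
            findings.append((no, image, reason))
        if m.group("alias"):
            stages.add(m.group("alias").lower())
    return findings
```

Run over the sample it reports the `ruby:3.4-alpine` stage as tag-only and the bare `alpine` stage as resolving to `:latest`, while the digest-pinned stage and `scratch` pass.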