
tools/docker: pin bazel.dockerfile base image digest (CORE-16461)#31007

Open
tyson-redpanda wants to merge 2 commits into
devfrom
tyson/snyk-ignore-openssl-ubuntu-cve

Conversation


@tyson-redpanda tyson-redpanda commented Jul 2, 2026

Contributor

Snyk's GitHub integration scans Dockerfiles statically — it reads
FROM ubuntu:noble and flags the base image without running the
Dockerfile, so apt-get upgrade -y in the RUN layer is invisible to
it. Pinning to a specific manifest-list digest lets Snyk resolve the
exact image and verify it contains the patched OpenSSL package, clearing
SNYK-UBUNTU2404-OPENSSL-17268920 (CORE-16461). As a side effect, the
new digest also busts the ECR layer cache so the next CI build runs
apt-get upgrade fresh.

Bump BASE_IMAGE_DIGEST to the latest ubuntu:noble manifest digest
when upgrading the base image in future.

Backports Required

  • none - not a bug fix

Release Notes

  • none
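The check the description motivates, as an added example (not code from the Redpanda repository or this PR): a small Dockerfile linter that reports FROM lines whose image reference is not pinned to a well-formed sha256 digest, resolving build ARGs such as BASE_IMAGE_DIGEST the way the PR uses them. The Dockerfile text and the digest value below are constructed for the example.

```python
"""Report FROM lines in a Dockerfile that are not pinned to an image digest."""
import re

# Constructed Dockerfile text; the ARG name mirrors the BASE_IMAGE_DIGEST
# convention from the PR, the digest value itself is made up.
SAMPLE_DOCKERFILE = """\
# syntax=docker/dockerfile:1
ARG BASE_IMAGE_DIGEST=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
FROM ubuntu:noble@${BASE_IMAGE_DIGEST} AS builder
RUN apt-get update && apt-get upgrade -y
FROM ubuntu:noble
COPY --from=builder /out /out
"""

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
ARG_RE = re.compile(r"^\s*ARG\s+([A-Za-z_][A-Za-z0-9_]*)(?:=(.*))?\s*$", re.IGNORECASE)
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.IGNORECASE)
VAR_RE = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def find_unpinned_from(dockerfile: str) -> list[tuple[int, str]]:
    """Return (line number, resolved image ref) for each FROM without a valid digest.

    ARGs declared before a FROM are substituted, so `FROM ubuntu:noble@${X}` counts
    as pinned only when X defaults to a full sha256 digest; an undefined ARG leaves
    an empty digest and is reported. References to earlier build stages are not
    external images and are never reported.
    """
    args: dict[str, str] = {}
    stages: set[str] = set()
    unpinned: list[tuple[int, str]] = []
    for lineno, raw in enumerate(dockerfile.splitlines(), start=1):
        line = raw.strip()
        if m := ARG_RE.match(line):
            args[m.group(1)] = (m.group(2) or "").strip().strip('"')
            continue
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = VAR_RE.sub(lambda v: args.get(v.group(1), ""), m.group(1))
        if ref in stages:
            continue
        parts = line.split()
        if len(parts) >= 4 and parts[-2].upper() == "AS":
            stages.add(parts[-1])  # remember the stage name for later FROM lines
        _, _, digest = ref.partition("@")
        if not DIGEST_RE.match(digest):
            unpinned.append((lineno, ref))
    return unpinned


if __name__ == "__main__":
    for ln, ref in find_unpinned_from(SAMPLE_DOCKERFILE):
        print(f"line {ln}: FROM {ref} is not pinned to a sha256 digest")
```

Run against the sample it reports only the second stage, which a static scanner such as the one described above would evaluate by tag alone.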

@tyson-redpanda tyson-redpanda force-pushed the tyson/snyk-ignore-openssl-ubuntu-cve branch from bae1790 to 80d5ec8 Compare July 3, 2026 17:55
@tyson-redpanda tyson-redpanda changed the title tools/docker: bust apt cache in bazel.dockerfile to pick up OpenSSL patch tools/docker: pin bazel.dockerfile base image digest (CORE-16461) Jul 3, 2026
Snyk's GitHub integration scans Dockerfiles statically — it reads
FROM ubuntu:noble and flags the base image without running the
Dockerfile, so apt-get upgrade -y in the RUN layer is invisible to it.

Pinning to a specific manifest-list digest lets Snyk resolve the exact
image and verify it contains the patched OpenSSL package, clearing
SNYK-UBUNTU2404-OPENSSL-17268920. As a side effect, the new digest also
busts the ECR layer cache so the next CI build runs apt-get upgrade
fresh.

Bump BASE_IMAGE_DIGEST to the latest ubuntu:noble manifest digest when
upgrading the base image in future.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@tyson-redpanda tyson-redpanda force-pushed the tyson/snyk-ignore-openssl-ubuntu-cve branch from 80d5ec8 to b938550 Compare July 3, 2026 19:52
@tyson-redpanda tyson-redpanda enabled auto-merge July 3, 2026 20:04
@tyson-redpanda tyson-redpanda requested a review from dotnwat July 3, 2026 20:04