Pin the FROM in dockerfiles. This prevents supply chain attacks where the latest image is replaced with a malicious version. (#2302)

Pinning done by using https://github.com/Jille/dockpin
2025-02-13 19:42:12 +02:00 · 2022-03-18 19:57:26 +02:00 · 2022-03-18 19:57:26 +02:00 · efd7821e07
commit efd7821e07
parent b17e555a54
2 changed files with 6 additions and 6 deletions
--- a/Dockerfile.build
+++ b/Dockerfile.build
@ -7,7 +7,7 @@
 # docker cp test:/dist/focalboard-server-linux-amd64.tar.gz .

 # build frontend
-FROM node:16.3.0 AS frontend
+FROM node:16.3.0@sha256:ca6daf1543242acb0ca59ff425509eab7defb9452f6ae07c156893db06c7a9a4 AS frontend

 WORKDIR /webapp
 COPY webapp .
@ -16,7 +16,7 @@ RUN npm install --no-optional
 RUN npm run pack

 # build backend and package
-FROM golang:1.16.5 AS backend
+FROM golang:1.16.5@sha256:3ba07778b0a48cef0820fe630220089b74ac9bd06a92ac1cf7b2f1abceffcdaa AS backend

 COPY . .
 COPY --from=frontend /webapp/pack webapp/pack
@ -26,7 +26,7 @@ RUN make server-linux
 RUN make server-linux-package-docker

 # just hold the packages to output later
-FROM alpine:3.12 AS dist
+FROM alpine:3.12@sha256:d9459083f962de6bd980ae6a05be2a4cf670df6a1d898157bceb420342bec280 AS dist

 WORKDIR /dist

--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@ -1,5 +1,5 @@
 ### Webapp build
-FROM node:16.3.0 as nodebuild
+FROM node:16.3.0@sha256:ca6daf1543242acb0ca59ff425509eab7defb9452f6ae07c156893db06c7a9a4 as nodebuild

 WORKDIR /webapp
 ADD webapp/ /webapp
@ -8,7 +8,7 @@ RUN npm install --no-optional && \
    npm run pack

 ### Go build
-FROM golang:1.16.5 as gobuild
+FROM golang:1.16.5@sha256:3ba07778b0a48cef0820fe630220089b74ac9bd06a92ac1cf7b2f1abceffcdaa as gobuild

 WORKDIR /go/src/focalboard
 ADD . /go/src/focalboard
@ -17,7 +17,7 @@ RUN  make server-linux
 RUN mkdir /data

 ## Final image
-FROM gcr.io/distroless/base-debian10
+FROM gcr.io/distroless/base-debian10@sha256:d2ce069a83a6407e98c7e0844f4172565f439dab683157bf93b6de20c5b46155

 WORKDIR /opt/focalboard