fix(agent): pin base image digest, always rebuild for security scan #132
Merged
The pre-push security scan failed on stale Docker layer cache — fixable CVEs in the base image weren't picked up because the `security:image` task skipped rebuilds when the image already existed locally.

- Pin `python:3.13-slim` to SHA256 digest for reproducible builds
- Remove `docker image inspect || build` conditional — always rebuild ensures `apt-get upgrade` picks up latest Debian security patches
- Add `.grype.yaml` with documented suppressions for won't-fix CVEs (glibc, curl, ncurses, libexpat, libtasn1, GnuTLS, GnuPG, CPython)

The existing `apt-get upgrade --no-install-recommends` in the Dockerfile already handles fixable CVEs — the root cause was stale cache, not missing upgrade logic.

Fixes #92

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The file is not picked up by any scanner — grype auto-discovers from CWD (repo root), not `agent/`, and the image scan uses trivy with `--ignore-unfixed` which already handles won't-fix CVEs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
krokoko
approved these changes
May 19, 2026

Summary
- `python:3.13-slim` to SHA256 digest for reproducible, cacheable builds
- `docker image inspect || build` conditional — always rebuild ensures `apt-get upgrade` picks up latest Debian security patches

Problem
The pre-push `security:image` task only built the Docker image if it didn't exist locally. A stale cached image retained old unfixed packages, causing trivy to report CVEs that had already been patched upstream. Developers were forced to use `--no-verify` on every push.

Root cause
Not missing Dockerfile logic (the `apt-get upgrade` was already present) — but stale Docker layer cache from a previous build being reused indefinitely.

Changes
- `agent/Dockerfile`: `python:3.13-slim@sha256:dc1546...` for reproducibility
- `agent/mise.toml`

How it works
- `CACHE_BUST=$(date +%s)` already ensures the `apt-get upgrade` layer is fresh. The old `docker image inspect || build` skip was defeating this by reusing a days-old local image.
- `--ignore-unfixed` — already handles `won't fix` CVEs without needing a separate ignore file.

Test plan
- `docker build --no-cache` + `trivy --ignore-unfixed --severity HIGH,CRITICAL --exit-code 1` → exit 0

Related
🤖 Generated with Claude Code
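
A check that a Dockerfile's base images stay pinned by digest, as this PR does for `python:3.13-slim`, written as an added example that is not part of the PR or the project's code. The function name, the sample Dockerfile and the digests in it are constructed for illustration.

```python
import re

# Constructed placeholder digest; not the digest used by the project.
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64

# Constructed sample Dockerfile covering the cases the check has to tell apart.
SAMPLE_DOCKERFILE = f"""\
# syntax=docker/dockerfile:1
ARG CACHE_BUST=0
FROM --platform=linux/amd64 python:3.13-slim AS builder
RUN apt-get update && apt-get upgrade -y --no-install-recommends
FROM python:3.13-slim@{PLACEHOLDER_DIGEST} AS runtime
FROM builder AS test
FROM scratch
FROM python:3.13-slim@sha256:abc123
"""

# A pin only counts when the reference ends in a full 64-hex-digit SHA256 digest.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def unpinned_base_images(dockerfile_text):
    """Return (line_number, image_ref) for each FROM whose base is not digest-pinned."""
    findings, stages = [], set()
    for lineno, raw in enumerate(dockerfile_text.splitlines(), start=1):
        tokens = raw.split()
        if not tokens or tokens[0].upper() != "FROM":
            continue
        # Drop flags such as --platform=... that precede the image reference.
        args = [t for t in tokens[1:] if not t.startswith("--")]
        if not args:
            continue
        image = args[0]
        # Stage aliases (FROM image AS name) are compared case-insensitively here (assumption).
        alias = args[2].lower() if len(args) >= 3 and args[1].upper() == "AS" else None
        # scratch and earlier build stages are not registry pulls, so there is nothing to pin.
        is_local = image == "scratch" or image.lower() in stages
        # An ARG-substituted reference such as ${BASE} cannot be verified and is reported too.
        if not is_local and not DIGEST_RE.search(image):
            findings.append((lineno, image))
        if alias:
            stages.add(alias)
    return findings


if __name__ == "__main__":
    for lineno, image in unpinned_base_images(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: base image not pinned by digest: {image}")
```
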