Audit finding from #300 (commit 679f9fe)
Severity: medium
Category: dependencies / supply chain
File: docker/relay.Dockerfile:1,6 ; replay.Dockerfile:1,6 ; storage.Dockerfile:1,6 ; web.Dockerfile:1,8
Obvious fix: yes (tag pinning); no (USER + SBOM require app-side validation)
Description
All four Dockerfiles use mutable tags (rust:latest, rust:slim, nginx:alpine) rather than digest-pinned images (@sha256:...). Builds are non-reproducible and are vulnerable to upstream image takeover or a malicious tag re-push. There is no SBOM stage.
Impact / Threat
A malicious or buggy upstream image push silently lands on the next build; production loses the ability to reconstruct the exact image bits a release was built from.
Suggested fix
Pin each FROM to a rust:1.<minor>-slim-bookworm@sha256:<digest> and nginx:1.27-alpine@sha256:<digest>; consider adding a docker buildx --sbom=true step or syft SBOM generation in CI.
Verify
grep -nE '^FROM ' docker/*.Dockerfile
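As an added example (not part of the audit or the project's own tooling), the grep from the Verify step extended into a CI gate: it fails when any FROM line lacks an @sha256 digest, but skips FROM lines that reference an earlier build stage declared with AS. Assumes POSIX sh with grep -E, sed -E and awk available.

```shell
#!/bin/sh
# Added example: report FROM lines that pull a mutable tag instead of an
# immutable @sha256 digest. Stage references ("FROM builder") are exempt.

# unpinned_from FILE...  -> prints "file:line: unpinned base image: <ref>"
# for every FROM whose image reference has no 64-hex @sha256 digest.
unpinned_from() {
    for f in "$@"; do
        # Collect stage names declared as "FROM ... AS <name>"; a later
        # "FROM <name>" names a build stage, not a registry image.
        stages=$(sed -nE 's/^[Ff][Rr][Oo][Mm] .* [Aa][Ss] +([A-Za-z0-9_.-]+) *$/\1/p' "$f" | tr '\n' ' ')
        grep -nE '^FROM ' "$f" | while IFS= read -r hit; do
            lineno=${hit%%:*}
            rest=${hit#*:}
            # The image is the first token after FROM that is not a flag
            # such as --platform=linux/amd64.
            image=$(printf '%s\n' "$rest" | awk '{ for (i = 2; i <= NF; i++) if ($i !~ /^--/) { print $i; exit } }')
            case " $stages " in *" $image "*) continue ;; esac
            printf '%s\n' "$image" | grep -qE '@sha256:[0-9a-f]{64}$' \
                || printf '%s:%s: unpinned base image: %s\n' "$f" "$lineno" "$image"
        done
    done
    return 0
}

# check_pinned_from FILE...  -> exit 0 if every FROM is digest-pinned,
# exit 1 (with the offending lines on stderr) otherwise; suitable as a CI step.
check_pinned_from() {
    out=$(unpinned_from "$@")
    if [ -n "$out" ]; then
        printf '%s\n' "$out" >&2
        return 1
    fi
    return 0
}

# Usage: sh check_from.sh docker/*.Dockerfile
[ "$#" -eq 0 ] || check_pinned_from "$@"
```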