[StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot <[email protected]>
fleetdm · Mar 1, 2023 · 0d98d9f · 0d98d9f
1 parent 9b1583b
commit 0d98d9f
Show file tree

Hide file tree

Showing 7 changed files with 10 additions and 10 deletions.
diff --git a/infrastructure/sandbox/JITProvisioner/deprovisioner/Dockerfile b/infrastructure/sandbox/JITProvisioner/deprovisioner/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.19.4-alpine AS builder
+FROM golang:1.19.4-alpine@sha256:86d32cc0dfc04757fd8aeebb86308e6d1e3de60c73cb59e0f99c7b2ef77416b6 AS builder
 RUN apk update && apk add --no-cache git curl openssl unzip
 WORKDIR /build
 COPY . .

diff --git a/infrastructure/sandbox/JITProvisioner/lambda/Dockerfile b/infrastructure/sandbox/JITProvisioner/lambda/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.19.4-alpine AS builder
+FROM golang:1.19.4-alpine@sha256:86d32cc0dfc04757fd8aeebb86308e6d1e3de60c73cb59e0f99c7b2ef77416b6 AS builder
 WORKDIR /build
 COPY . .
 RUN go get -d -v

diff --git a/infrastructure/sandbox/Monitoring/lambda/Dockerfile b/infrastructure/sandbox/Monitoring/lambda/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.19.4-alpine AS builder
+FROM golang:1.19.4-alpine@sha256:86d32cc0dfc04757fd8aeebb86308e6d1e3de60c73cb59e0f99c7b2ef77416b6 AS builder
 WORKDIR /build
 COPY . .
 RUN go get -d -v

diff --git a/infrastructure/sandbox/PreProvisioner/lambda/Dockerfile b/infrastructure/sandbox/PreProvisioner/lambda/Dockerfile
@@ -1,12 +1,12 @@
-FROM rust:latest AS builder
+FROM rust:latest@sha256:02a53e734724bef4a58d856c694f826aa9e7ea84353516b76d9a6d241e9da60e AS builder
 
 ARG transporter_url=https://itunesconnect.apple.com/WebObjects/iTunesConnect.woa/ra/resources/download/public/Transporter__Linux/bin
 
 RUN cargo install --version 0.16.0 apple-codesign \
   && curl -sSf $transporter_url -o transporter_install.sh \
   && sh transporter_install.sh --target transporter --accept --noexec
 
-FROM golang:1.19.4-bullseye
+FROM golang:1.19.4-bullseye@sha256:9d235ae41bff699b44255bf912e77acac5046b06e61b018561239a35d9bd2ebb
 
 RUN apt-get update \
   && dpkg --add-architecture i386 \

diff --git a/tools/bomutils-docker/Dockerfile b/tools/bomutils-docker/Dockerfile
@@ -1,4 +1,4 @@
-FROM debian:stable-slim AS builder
+FROM debian:stable-slim@sha256:0f116858482fd8222b4f7e9b4cdc9a054051e67fbb8a57bc22651f0d56b45ad8@sha256:0f116858482fd8222b4f7e9b4cdc9a054051e67fbb8a57bc22651f0d56b45ad8 AS builder
 
 RUN apt-get update
 RUN apt-get install -y build-essential autoconf libxml2-dev libssl-dev zlib1g-dev curl
@@ -19,7 +19,7 @@ COPY patch.txt .
 RUN cd xar-xar-1.6.1/xar && patch < ../../patch.txt && autoconf && ./configure && make && make install
 
 
-FROM debian:stable-slim
+FROM debian:stable-slim@sha256:0f116858482fd8222b4f7e9b4cdc9a054051e67fbb8a57bc22651f0d56b45ad8
 
 RUN apt-get update && apt-get install -y --no-install-recommends libxml2  && rm -rf /var/lib/apt/lists/*
 COPY --from=builder /usr/bin /usr/bin/

diff --git a/tools/fleetctl-docker/Dockerfile b/tools/fleetctl-docker/Dockerfile
@@ -1,12 +1,12 @@
-FROM rust:latest AS builder
+FROM rust:latest@sha256:02a53e734724bef4a58d856c694f826aa9e7ea84353516b76d9a6d241e9da60e AS builder
 
 ARG transporter_url=https://itunesconnect.apple.com/WebObjects/iTunesConnect.woa/ra/resources/download/public/Transporter__Linux/bin
 
 RUN cargo install --version 0.16.0 apple-codesign \
   && curl -sSf $transporter_url -o transporter_install.sh \
   && sh transporter_install.sh --target transporter --accept --noexec
 
-FROM debian:stable-slim
+FROM debian:stable-slim@sha256:0f116858482fd8222b4f7e9b4cdc9a054051e67fbb8a57bc22651f0d56b45ad8
 
 ARG binpath=build/binary-bundle/linux/fleetctl
 

diff --git a/tools/wix-docker/Dockerfile b/tools/wix-docker/Dockerfile
@@ -1,4 +1,4 @@
-FROM debian:bullseye-slim
+FROM debian:bullseye-slim@sha256:cc4cc29b4ba8182fca324920f64ff68a3b24acefd4c7ba8a2e5bd4e81ac3bacf
 
 RUN true \
     && dpkg --add-architecture i386 \