Pin all base images and multi-stage builder images to immutable digests to prevent upstream supply-chain compromise and ensure reproducible builds #9169
Conversation
…l Dockerfiles to eliminate reliance on floating upstream images and guarantee deterministic and autiable image construction, improve supply-chain integrity, and ensure fully reproducible builds.
|
I have read the CLA Document and I hereby sign the CLA Posted by the CLA Assistant Lite bot. |
|
New Issues (3)Checkmarx found the following issues in this Pull Request
Fixed Issues (45)Great job! The following issues were fixed in this Pull Request
Use @Checkmarx to reach out to us for assistance. Just send a PR comment with Examples: |
|
Please refrain from raising more PRs for the time being. |
|
@thc202 Can I just submit one more PR that addresses the use of "--break-system-packages" and replaces it with commands to create a Python virtual environment to install the dependencies? |
|
Lets handle the existing PRs first. |
|
While we appreciate that you mean well, turning up unannounced and raising a set of PRs which break the build is not the way to engage with a large OSS project. |
Summary
This PR updates every Dockerfile to use pinned image digests (e.g.,
debian:bookworm-slim@sha256:<digest>) instead of floating or tag-only references such asdebian:bookworm-slimorghcr.io/zaproxy/zaproxy:nightly. Unpinned base images pose a serious supply-chain security risk because upstream tags can be modified, overwritten, compromised, or drift over time. By pinning images to immutable digests, we ensure that the container build always uses the exact intended base layer, improving both security and reproducibility.Fault/Vulnerability
Upstream Image Drift
Docker tags such as
FROM debian:bookworm-slimandFROM ghcr.io/zaproxy/zaproxy:nightlyare mutable references. The content of these tags can change at any time. This creates several vulnerabilities:Reproducibility Failure
Floating tags mean you cannot reproduce:
This conflicts with modern supply-chain frameworks like SLSA, NIST SSDF, and CIS Docker Benchmark.
Elevation of Supply-Chain Risk
An attacker who compromises a registry, they can push a backdoored image with that tag, and then the builds would automatically use it. Relying on unverified upstream content increases exposure to:
OWASP Violations
Use a Docker image digest instead of mutable tags
Changes Made
Dockerfile-stable, Dockerfile-weekly, and Dockerfile-live
Before:
'''shell
FROM --platform=linux/amd64 debian:bookworm-slim AS builder
...
FROM debian:bookworm-slim AS final
Both
builderandfinalstages now use pinned Debian digests, ensuring reproducible build results and prevent tag mutation attacks and accidental upstream development drift.Dockerfile-bare
Before:
After:
By adding digest pinning to the Debian builder image and the runtime Alpine JRE image, the image is protected from JRE tag changes, which can occur frequently.
Dockerfile-tests
Before:
After:
Both the Debian build stage and the ZAP nighly base image are now digest-pinned. Nightly builds are particularly mutable, so digest pinning prevents accidentally pulling different nightly builds, registry rollback attacks, and potentially malicious overwrite of the
nightlytag.How the Fix Works
Image digests operate like cryptographic fingerprints:
This ensures:
a. The registry is compromised
b. A tag is overwritten
c. An upstream maintainer publishes a bad release
Your builds remain safe because they only accept the specific approved digest.
Security Impact
Eliminates entire classes of tag-based supply-chain attacks
Tag-based supply chain attacks such as:
cannot happen with immutable digests. Also, pinned digests ensure dependencies are upgraded intentionally. This means more diligence and manual upgrades, but that prevents automation attack-vectors.