fix: remediate console image go vulnerabilities#777
Conversation
There was a problem hiding this comment.
This PR was generated by the codex Plural Agent Runtime. Here's some useful information you might want to know to evaluate the ai's perfomance:
| Name | Details |
|---|---|
| 💬 Prompt | Create a PR to remediate vulnerabilities in the Docker image ghcr.io/pluralsh/console:sha-bc28808.... |
| 🔗 Run history | View run history |
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
Greptile SummaryThis PR remediates Go vulnerabilities in the console image build path by bumping the Go toolchain from
Confidence Score: 4/5Safe to merge as a vulnerability remediation; the only actionable change is restoring the Alpine minor-version pin in the Dockerfile. All changes are straightforward version bumps with consistent treatment across files. The one deviation is the Dockerfile dropping the specific Alpine version suffix ( Dockerfile — both stages dropped the Alpine minor-version pin.
|
| Filename | Overview |
|---|---|
| Dockerfile | Go version bumped to 1.26.5 but Alpine OS version pin was dropped (from alpine3.22 to unqualified alpine), reducing image reproducibility |
| go.mod | Go directive bumped to 1.26.5 and go-containerregistry updated to a pseudo-version pre-release commit for vulnerability remediation |
| go.sum | Checksums updated to match the new go-containerregistry pseudo-version; no issues |
| hack/lib.sh | Default containerize image version bumped from 1.26.4 to 1.26.5; straightforward and consistent |
| hack/gen-client-mocks.sh | CONTAINERIZE_IMAGE bumped from golang:1.26.4 to golang:1.26.5; straightforward version pin update |
| test.Dockerfile | Base image bumped from golang:1.26.4-bookworm to golang:1.26.5-bookworm; consistent OS variant retained |
Reviews (1): Last reviewed commit: "fix: remediate console image go vulnerab..." | Re-trigger Greptile
| RUN useradd -u 10001 nonroot | ||
|
|
||
| FROM golang:1.26.4-alpine3.22 AS builder | ||
| FROM golang:1.26.5-alpine AS builder |
There was a problem hiding this comment.
The previous tag
golang:1.26.4-alpine3.22 pinned both the Go version and the Alpine minor version, ensuring reproducible builds regardless of when the image is pulled. Dropping to the unqualified alpine tag means the Alpine OS version can silently advance if the tag is updated upstream or the image is pulled fresh in a new environment. test.Dockerfile retained -bookworm for the same reason, so keeping the Alpine minor version here would be consistent. Check Docker Hub to confirm the correct tag (e.g. golang:1.26.5-alpine3.22) and apply it to both stages.
| FROM golang:1.26.5-alpine AS builder | |
| FROM golang:1.26.5-alpine3.22 AS builder |
Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
| -o plural ./cmd/plural | ||
|
|
||
| FROM golang:1.26.4-alpine3.22 AS final | ||
| FROM golang:1.26.5-alpine AS final |
There was a problem hiding this comment.
Same Alpine version pin concern as the builder stage — the final stage should match.
| FROM golang:1.26.5-alpine AS final | |
| FROM golang:1.26.5-alpine3.22 AS final |
Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
Summary
pluralsh/plural-cli1.26.4to1.26.5github.com/google/go-containerregistryto a newer pseudo-version and refreshgo.sumRepo and build path
pluralsh/plural-cli.github/workflows/ci.yamljobsbuild-imageandpublish-imageDockerfileFiles changed
Dockerfilego.modgo.sumhack/gen-client-mocks.shhack/lib.shtest.DockerfileVersions before / after
1.26.4->1.26.5golang:1.26.4-alpine3.22->golang:1.26.5-alpine1.26.4->1.26.5github.com/google/go-containerregistry:v0.21.7->v0.21.8-0.20260624172245-e8b2b9e51df6oras.land/oras-go/v2: remains transitive in the module graph atv2.6.1oras-go note
oras.land/oras-go/v2is not directly imported by this repo's application code. It is present transitively in the module graph (for example via Helm-related dependencies). I attempted the minimal direct bump first, but there is no newer taggedoras-go/v2release available from the Go module registry thanv2.6.1, so the PR instead updates the upstream dependency graph that brings it in and documents the remaining upstream constraint.Validation
.github/workflows/ci.yamlgolang:1.26.5-bookwormcontainergo test ./...in container; run was dependency-download heavy and did not complete within the session windowdocker build --load --build-arg APP_VSN=dev --build-arg APP_COMMIT=test --build-arg APP_DATE=2026-07-09T00:00:00Z -t plural-cli:test .; build progressed through dependency download after correcting the base image tag, but did not complete within the session windowWhy this is minimal