Containers: pin containers to a specific hash

There has been a bunch of supply chain attacks in the last few months. This commit pins every containers to a specific hash (the most recent at the time) to reduce the risk of CTFNote users pulling a compromised container.
TFNS · May 29, 2022 · 464206b · 464206b
1 parent 71e183e
commit 464206b
Show file tree

Hide file tree

Showing 5 changed files with 8 additions and 8 deletions.
diff --git a/api/Dockerfile b/api/Dockerfile
@@ -6,7 +6,7 @@ ARG NODE_ENV="production"
 ################################################################################
 # Build stage 1 - `yarn build`
 
-FROM node:16-alpine as builder
+FROM node@sha256:1a9a71ea86aad332aa7740316d4111ee1bd4e890df47d3b5eff3e5bded3b3d10 as builder
 # Import our shared args
 ARG NODE_ENV
 
@@ -24,7 +24,7 @@ RUN yarn run build
 ################################################################################
 # Build stage 2 - COPY the relevant things (multiple steps)
 
-FROM node:16-alpine as clean
+FROM node@sha256:1a9a71ea86aad332aa7740316d4111ee1bd4e890df47d3b5eff3e5bded3b3d10 as clean
 # Import our shared args
 ARG NODE_ENV
 
@@ -36,7 +36,7 @@ COPY --from=builder /app/migrations/ /app/migrations/
 ################################################################################
 # Build stage FINAL - COPY everything, once, and then do a clean `yarn install`
 
-FROM node:16-alpine
+FROM node@sha256:1a9a71ea86aad332aa7740316d4111ee1bd4e890df47d3b5eff3e5bded3b3d10
 # Import our shared args
 ARG NODE_ENV
 

diff --git a/db/Dockerfile b/db/Dockerfile
@@ -1,3 +1,3 @@
-FROM postgres:14
+FROM postgres@sha256:596e4c843a9db32269a3757624d8a6a6f633e01895acb83fe0842497fd897eb7
 
 COPY create-multiple-postgresql-databases.sh /docker-entrypoint-initdb.d/create-multiple-postgresql-databases.sh
diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
@@ -15,7 +15,7 @@ services:
     ports:
       - '5432:5432'
   hedgedoc:
-    image: quay.io/hedgedoc/hedgedoc:1.9.3-alpine
+    image: quay.io/hedgedoc/hedgedoc@sha256:766663fea4e3f55cd5c1cfd12c71d5ccb258809b2b74eedd035efe0883bf0970
     environment:
       CMD_DB_URL: 'postgres://ctfnote:ctfnote@db:5432/hedgedoc'
       CMD_URL_PATH: 'pad'

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -42,7 +42,7 @@ services:
     ports:
       - 8080:80
   hedgedoc:
-    image: quay.io/hedgedoc/hedgedoc:1.9.3-alpine
+    image: quay.io/hedgedoc/hedgedoc@sha256:766663fea4e3f55cd5c1cfd12c71d5ccb258809b2b74eedd035efe0883bf0970
     environment:
       - CMD_DB_URL=postgres://ctfnote:ctfnote@db:5432/hedgedoc
       - CMD_URL_PATH=pad

diff --git a/front/Dockerfile b/front/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:16-alpine AS build-deps
+FROM node@sha256:1a9a71ea86aad332aa7740316d4111ee1bd4e890df47d3b5eff3e5bded3b3d10 AS build-deps
 
 RUN mkdir -p /usr/src/app
 COPY package.json quasar.conf.js .eslintrc.js .eslintignore tsconfig.json .postcssrc.js yarn.lock babel.config.js quasar.extensions.json /usr/src/app/
@@ -12,7 +12,7 @@ WORKDIR /usr/src/app
 RUN yarn build
 
 # _--------_
-FROM nginx:1.21.6-alpine
+FROM nginx@sha256:f335d7436887b39393409261603fb248e0c385ec18997d866dd44f7e9b621096
 
 RUN mkdir -p /logs