fix(docker): pin base images to SHA256 digests (#7734)

mirror of https://github.com/moltbot/moltbot.git synced 2026-03-07 22:44:16 +00:00

* fix(docker): pin base images to SHA256 digests for supply chain security

Pin all 9 Dockerfiles to immutable SHA256 digests to prevent supply chain
attacks where a compromised upstream image could be silently pulled into
production builds.

Also add Docker ecosystem to Dependabot configuration for automated
digest updates.

Images pinned:
- node:22-bookworm@sha256:cd7bcd2e7a1e6f72052feb023c7f6b722205d3fcab7bbcbd2d1bfdab10b1e935
- node:22-bookworm-slim@sha256:3cfe526ec8dd62013b8843e8e5d4877e297b886e5aace4a59fec25dc20736e45
- debian:bookworm-slim@sha256:98f4b71de414932439ac6ac690d7060df1f27161073c5036a7553723881bffbe
- ubuntu:24.04@sha256:cd1dba651b3080c3686ecf4e3c4220f026b521fb76978881737d24f200828b2b

Fixes #7731

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* test(docker): add digest pinning regression coverage

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

This commit is contained in:

Coy Geek

2026-02-19 12:42:07 -08:00

committed by

GitHub

parent e98ccc8e17

commit 8ae2d5110f

11 changed files with 83 additions and 9 deletions

									
										2

Dockerfile
									
												View File
												
				@@ -1,4 +1,4 @@

				FROM node:22-bookworm

				FROM node:22-bookworm@sha256:cd7bcd2e7a1e6f72052feb023c7f6b722205d3fcab7bbcbd2d1bfdab10b1e935

				# Install Bun (required for build scripts)

				RUN curl -fsSL https://bun.sh/install | bash

fix(docker): pin base images to SHA256 digests (#7734)

2 Dockerfile Unescape Escape View File

2

Dockerfile

View File