ENG-56250 Pin ghcr.io/willthames/kubernetes-validate Docker tag to b79e243 #10
skedulo-renovate[bot] wants to merge 1 commit into main from
Summary by CodeRabbit
📝 Walkthrough
Updates the Dockerfile to pin the kubernetes-validate base image reference from a tag (v1.35.0) to a specific digest (sha256) for immutability, replacing the tag-based reference with its corresponding digest hash.
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~3 minutes
🚥 Pre-merge checks: ✅ 6 passed
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
Dockerfile (1)
3-7: ⚠️ Potential issue | 🟠 Major
Run the container as a non-root user.
The image runs as root by default, which is a security posture gap. Consider adding a non-root user and switching to it after setup.
🔒 Suggested hardening
RUN apk add sed +RUN addgroup -S app && adduser -S -G app app -COPY entrypoint.sh /entrypoint.sh +COPY --chown=app:app entrypoint.sh /entrypoint.sh +USER app + ENTRYPOINT ["/entrypoint.sh"]
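Review bot: `COPY --chown=app:app entrypoint.sh /entrypoint.sh` gives ownership of the entrypoint script to the same account that `USER app` then runs it as, so the unprivileged process can rewrite the script it was started from. Executing the script only needs read and execute permission, so a plain `COPY entrypoint.sh /entrypoint.sh` that leaves the file root-owned (with the executable bit set in the repository or via `COPY --chmod=0755`), followed by `USER app`, is the tighter form. Separately, `adduser -S -G app app` leaves the UID to be assigned at build time; passing a fixed UID with `-u` and using that number in `USER` keeps the identity stable across rebuilds and lets a runtime that enforces a non-root check verify it without resolving the name.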
📒 Files selected for processing (1)
Dockerfile
🧰 Additional context used
🪛 Trivy (0.69.1)
Dockerfile
[error] 1-1: Image user should not be 'root'
Specify at least 1 USER command in Dockerfile with non-root user as argument
Rule: DS-0002
(IaC/Dockerfile)
🔇 Additional comments (1)
Dockerfile (1)
1-1: Digest pin looks good.
Pinning the base image to a digest improves immutability and repeatability.
This PR contains the following updates:
b79e243
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.