Kairos init #485
* add iso-disk-image target
* use earthly to build iso disk image for testing
* workaround using earthly for testing
* fix with workaround
* feat: support comma separated k8s version in provider images
* fix: k8s version in produced image tag
* iso fix in iso-disk-image target
* fix: setting BASE_K8S_VERSION correctly
* fix iso-disk-image target
* remove debug statements
* add support for cloud images
* fix cloud image build
* add
* update readme
* add user-data example
* readme

---------

Co-authored-by: Akhilesh Verma <akhlesh.vermaofc@gmail.com>
Co-authored-by: Nianyu Shen <xiaoyu9964@gmail.com>
Co-authored-by: Akhilesh Verma <akhilesh@spectrocloud.com>
* PE-7685: install rsyslog and logrotate in slem (#484)
* Change logging to syslog for ubuntu (#493)
* Update PE_VERSION to v4.8.1 (#495)
* Add FIPS-compliant SSH configuration

  Create a new configuration file for SSHD that prioritizes higher-performance FIPS algorithms, specifying preferred ciphers, key exchange algorithms, and MACs.
* reordering host key Algos for fips

---------

Co-authored-by: Zulfihar Ali Ahamed <zulfi@spectrocloud.com>
Co-authored-by: Santhosh <santhosh@spectrocloud.com>
…into kairos-init
…ake.hcl
- Introduced docker-bake-common.hcl to centralize common variables such as KAIROS_VERSION, ARCH, and FIPS_ENABLED.
- Updated docker-bake.hcl to reference these variables, reducing redundancy.
- Adjusted Makefile to include new cloud image and MAAS image targets.
- Enhanced Dockerfiles to utilize bind mounts for improved context handling and reduced image size.
- Added Dockerfile for cloud-image-tools to support disk operations and content partitioning.
* Add slem base image build to base images github action * Simplify action * Fix stage name * Update kairos init
Bump the pinned kairos-init image to v0.8.11 across all Dockerfiles, the docker-bake variables, and the base-images workflow default. Also brings the previously drifting references (base-images.yaml at v0.7.1 and slem/Dockerfile at v0.8.5) back in sync.
Summary
| Severity | Count |
|---|---|
| High | 19 |
| Total | 19 |
Details
Grouped by audit rule and file. Line/column refer to the workflow or action YAML on the scanned branch.
dangerous-triggers — High
use of fundamentally insecure workflow trigger
File: .github/workflows/backport.yaml
Fix guidance: https://docs.zizmor.sh/audits/#dangerous-triggers
Locations:
- Line 2–4 (cols 0–32) — pull_request_target is almost always used insecurely
unpinned-uses — High
unpinned action reference
File: .github/workflows/backport.yaml
Fix guidance: https://docs.zizmor.sh/audits/#unpinned-uses
Locations:
- Line 19 (cols 14–53) — expression `sorenlouv/backport-github-action@v9.5.1` — action is not pinned to a hash (required by blanket policy)
template-injection — High (12 similar finding(s))
code injection via template expansion
File: .github/workflows/base-images.yaml
Fix guidance: https://docs.zizmor.sh/audits/#template-injection
Locations:
- Line 50–108 (cols 8–13) — this step
- Line 52 (cols 8–11) — this run block
- Line 57 (cols 31–64) — expression `github.event.inputs.base_os_image` — may expand into attacker-controllable code
- Line 58 (cols 33–68) — expression `github.event.inputs.registry_prefix` — may expand into attacker-controllable code
- Line 59 (cols 22–46) — expression `github.event.inputs.arch` — may expand into attacker-controllable code
- Line 60 (cols 23–48) — expression `github.event.inputs.model` — may expand into attacker-controllable code
- Line 61 (cols 32–66) — expression `github.event.inputs.kairos_version` — may expand into attacker-controllable code
- Line 62 (cols 30–62) — expression `github.event.inputs.trusted_boot` — may expand into attacker-controllable code
- …and 8 more location(s) in this file.
unpinned-uses — High (5 similar finding(s))
unpinned action reference
File: .github/workflows/base-images.yaml
Fix guidance: https://docs.zizmor.sh/audits/#unpinned-uses
Locations:
- Line 119 (cols 14–33) — expression `actions/checkout@v4` — action is not pinned to a hash (required by blanket policy)
- Line 122 (cols 14–43) — expression `docker/setup-buildx-action@v3` — action is not pinned to a hash (required by blanket policy)
- Line 128 (cols 14–35) — expression `docker/bake-action@v6` — action is not pinned to a hash (required by blanket policy)
- Line 150 (cols 14–40) — expression `actions/upload-artifact@v4` — action is not pinned to a hash (required by blanket policy)
- Line 162 (cols 14–42) — expression `actions/download-artifact@v4` — action is not pinned to a hash (required by blanket policy)
Please review these findings before merging.