Update registry.redhat.io/openshift4/ose-must-gather-rhel9 Docker digest to 7658453 main#2072
Conversation
WalkthroughThe ChangesMust-gather Builder Base Image Digest Update
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~2 minutes Possibly related PRs
Suggested labels
🚥 Pre-merge checks | ✅ 15✅ Passed checks (15 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
4283131 to
c605733
Compare
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: kannon92, red-hat-konflux[bot] The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
c605733 to
dc8e84f
Compare
|
/lgtm |
…est to 7658453 main Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
dc8e84f to
9c9d897
Compare
|
New changes are detected. LGTM label has been removed. |
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
must-gather/Dockerfile (1)
3-38: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick winRun the final image as a non-root user.
The runtime stage never switches away from root, so this image violates the repo's Dockerfile security requirement and Trivy's DS-0002 finding. Add a
USERbeforeCMDand keep the copied scripts executable for that UID.As per path instructions, Dockerfiles should never run as root; static analysis already flags the missing
USER.Suggested fix
COPY must-gather/collection-scripts/gather /usr/bin/gather COPY must-gather/collection-scripts/gather-kueue /usr/bin/gather-kueue RUN chmod +x /usr/bin/gather /usr/bin/gather-kueue +USER 1001 CMD ["/bin/bash", "/usr/bin/gather"]🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@must-gather/Dockerfile` around lines 3 - 38, The runtime stage in the must-gather Dockerfile still runs as root, which triggers the security finding. Update the final image setup by switching to a non-root USER before the CMD instruction, and make sure the copied entry scripts (/usr/bin/gather and /usr/bin/gather-kueue) remain executable for that user. Use the existing COPY and RUN chmod steps in the runtime stage to keep the binaries accessible after the USER change.Sources: Path instructions, Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Outside diff comments:
In `@must-gather/Dockerfile`:
- Around line 3-38: The runtime stage in the must-gather Dockerfile still runs
as root, which triggers the security finding. Update the final image setup by
switching to a non-root USER before the CMD instruction, and make sure the
copied entry scripts (/usr/bin/gather and /usr/bin/gather-kueue) remain
executable for that user. Use the existing COPY and RUN chmod steps in the
runtime stage to keep the binaries accessible after the USER change.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: 72c9682d-8f53-4e3e-87d6-4a5566793337
📒 Files selected for processing (1)
must-gather/Dockerfile
|
@red-hat-konflux[bot]: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
This PR contains the following updates:
058e4cf→7658453Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
To execute skipped test pipelines write comment
/ok-to-test.Documentation
Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.
Summary by CodeRabbit