2 changes: 1 addition & 1 deletion .ci-operator.yaml
@@ -1,4 +1,4 @@
build_root_image:
name: release
namespace: openshift
tag: rhel-9-release-golang-1.25-openshift-4.22
tag: rhel-9-release-golang-1.26-openshift-5.0
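Review bot: this tag bump moves the Go toolchain from 1.25 to 1.26, not only the OpenShift release from 4.22 to 5.0, and the PR gives no note of that; state the toolchain change in the description and confirm that the go directive in go.mod and the Dockerfile builder image (bumped to golang-1.26 in this same PR) stay in step with build_root_image, since a mismatch between the CI build root and the release Dockerfile means CI is no longer testing what ships.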
4 changes: 2 additions & 2 deletions Dockerfile.rhel7
@@ -1,11 +1,11 @@
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 AS builder

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use approved production base images per container policy.

The updated FROM images are CI registry images, not UBI minimal/distroless from catalog.redhat.com as required by the Dockerfile security guideline. Please switch both stages to approved production base images (or document an explicit policy exception for this repo if CI images are intentionally mandated).

Also applies to: 8-8

🧰 Tools
🪛 Trivy (0.69.3)

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002

Learn more

(IaC/Dockerfile)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.rhel7` at line 1, the Dockerfile uses CI registry base images (the FROM line with "registry.ci.openshift.org/... AS builder") which violates the container policy; update both Dockerfile stages (the "builder" stage and the final run stage) to use approved production UBI/distroless images from catalog.redhat.com (or another approved production registry) instead of CI images, or add a documented policy exception in the repository explaining why CI images are required for this build; ensure the replacement images preserve the required toolchain (Go runtime/toolchain) and adjust any build steps accordingly.

Source: Coding guidelines

WORKDIR /go/src/github.com/openshift/service-ca-operator
COPY . .
ENV GO_PACKAGE github.com/openshift/service-ca-operator
RUN make build --warn-undefined-variables \
&& gzip service-ca-operator-tests-ext

FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
FROM registry.ci.openshift.org/ocp/5.0:base-rhel9
COPY --from=builder /go/src/github.com/openshift/service-ca-operator/service-ca-operator /usr/bin/
COPY --from=builder /go/src/github.com/openshift/service-ca-operator/service-ca-operator-tests-ext.gz /usr/bin/
COPY manifests /manifests
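Review bot: the two FROM bumps (builder to golang-1.26-openshift-5.0, runtime to ocp/5.0:base-rhel9) are consistent with each other and with the .ci-operator.yaml change, but the final stage in this hunk still has no USER instruction between its FROM line and the COPY lines, so the operator image runs as root by default, which is exactly the Trivy DS-0002 finding reported above. That predates this PR, so it need not block the version bump, but a follow-up that adds a non-root USER after the last COPY (and documents the base-image policy decision raised in the comment above) would close both findings.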