LearningCircuit ea73116db6 feat: add CI validation for Docker image SHA digest pinning ...

Add comprehensive validation to enforce SHA256 digest pinning across all
Docker image references (Dockerfiles, docker-compose, and workflow files).

New Files:
- .github/scripts/validate-docker-compose-images.sh
  Bash script that validates docker-compose.yml files for unpinned images.
  Allows documented exceptions for own images and templates.

- .github/scripts/validate-workflow-images.py
  Python script with proper YAML parsing to validate GitHub Actions
  workflow service containers and container images.

- .github/workflows/validate-image-pinning.yml
  CI workflow that runs both validators on PR changes. Provides clear
  error messages and fix instructions when violations are found.

Why This Matters:
Image tags are mutable and can be reassigned to malicious images in supply
chain attacks. SHA256 digests are immutable cryptographic identifiers that
guarantee the exact same image bytes every deployment.

This validation:
- Blocks PRs with unpinned images
- Shows violations directly in PR checks (not just Security tab)
- Provides clear fix instructions
- Runs efficiently (only on relevant file changes)

Complements:
- PR #1184 (pins Dockerfile and workflow images)
- PR #1218 (pins docker-compose images)

2025-12-03 12:35:09 +01:00

5.0 KiB

Executable File

Raw Blame History

View Raw