release: image CVE hardening — x/crypto 0.52.0 + Go 1.25.11 builder#89
Merged
Conversation
….25 — clears 20 HIGH image CVEs A trivy scan of the built broker image (new container-scan gate on the private GitLab CI; GitHub CI has no image-level CVE gate) found 20 HIGH CVEs in the Go binary. All 20 had upstream fixes published — we bump them ourselves rather than wait. Two CVE groups, two fixes: 1. golang.org/x/crypto v0.48.0 -> v0.52.0 (8 HIGH, all in x/crypto/ssh: CVE-2026-39827/-39828/-39829/-39830/-39832/-39835, CVE-2026-42508, CVE-2026-46595/-46597). Pulls x/sys v0.41.0 -> v0.45.0 and raises the go.mod 'go' directive 1.24.0 -> 1.25.0 (x/crypto's minimum). 2. Dockerfile builder golang:1.24-alpine -> golang:1.25-alpine, digest-pinned per project convention (new digest ships Go 1.25.11). Clears 12 HIGH stdlib CVEs (net/url, crypto/x509, crypto/tls, net, HTTP/2, net/mail, mime: CVE-2026-25679, -27145, -32280/-32281/-32283, -33811/-33814, -39820, -39836, -42499, -42504). Root cause of the stdlib exposure: official golang images set GOTOOLCHAIN=local, so go.mod's 'toolchain go1.25.11' directive (bumped 2026-06-29) was silently ignored inside Docker builds — the shipped binary was still built against the image's Go 1.24.13 stdlib. The builder tag must track the toolchain directive; a Dockerfile comment now documents the trap. Local acceptance before push: go build ./cmd/broker ./cmd/awrit OK, go test -short -count=1 ./... all packages ok, gofmt clean. The public Docker Hub image refreshes on the next release merge. Co-authored-by: Claude <noreply@anthropic.com>
fix(security): clear 20 HIGH image CVEs — x/crypto 0.52.0 + Go 1.25.11 builder
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This release merge lands one fix on
main: a bump of two dependency chains that clears 20 HIGH-severity CVEs found in the built broker container image.What was exposed: A new trivy container-scan gate (private GitLab CI — GitHub CI has no image-level CVE gate) scanned the built broker Docker image and found 20 HIGH CVEs baked into the shipped binary:
golang.org/x/crypto/ssh(CVE-2026-39827, -39828, -39829, -39830, -39832, -39835, -42508, -46595, -46597)What this clears: All 20 HIGH CVEs, via two fixes:
golang.org/x/cryptobumpedv0.48.0 -> v0.52.0(pullsx/sys v0.41.0 -> v0.45.0, raises thego.modgodirective1.24.0 -> 1.25.0).golang:1.24-alpine -> golang:1.25-alpine(digest-pinned, ships Go 1.25.11).Root cause worth understanding: the official
golangDocker images setGOTOOLCHAIN=local, so thego.modtoolchain go1.25.11directive was silently ignored during Docker builds — the shipped binary was still compiled against the base image's Go 1.24.13 standard library even though local/CI builds correctly picked up 1.25.11. The Dockerfile builder tag has to explicitly track the toolchain directive; this was invisible until the image-level scan caught it. A comment now documents the trap in the Dockerfile.Business impact: the public Docker Hub image (
devonartis/agentwrit) currently in circulation still carries all 20 CVEs. This release merge triggersrelease.ymlon push tomain, which rebuilds and republishesdevonartis/agentwrit:latest(andmain-<sha>), cosign-signed, with the fix baked in. No action needed from operators beyond re-pulling the image after this lands.Commits since last release (91fd17b, PR #86)
65b90dbfix(security): bump x/crypto 0.48.0->0.52.0 and builder Go image to 1.25 — clears 20 HIGH image CVEs4920f10Merge pull request fix(security): clear 20 HIGH image CVEs — x/crypto 0.52.0 + Go 1.25.11 builder #88 from devonartis/fix/image-cve-bumpVerification already done (pre-merge, on develop)
go build ./cmd/broker ./cmd/awrit— OKgo test -short -count=1 ./...— all packages passgofmt— cleandeveloppush-trigger CI (CI + CodeQL) — greenTest plan
gh pr merge --merge(no squash/rebase — preserve merge commit)mainpush-trigger CI passesrelease.yml(Docker Hub publish) runs and cosign-signs the new imagescorecard.yml --ref mainpost-release