fix: remediate vulnerabilities in harnesssecure/docker family — upgrade dind 28.1.1→28.5.1 + cosign 2.5.3→2.6.3 [CI-23242,CI-23243,CI-23231,CI-23237]#512
Draft
vinayakharness2026 wants to merge 1 commit into
Conversation
…28.1.1→28.5.1 and cosign 2.5.3→2.6.3 to remediate CVEs
- Updates docker/docker/Dockerfile.linux.amd64 and Dockerfile.linux.arm64
- Base: docker:28.1.1-dind → docker:28.5.1-dind (Alpine 3.20 → 3.22.2);
resolves bundled docker / containerd / runc / Go-stdlib CVEs surfaced in
the EPIC CI-23213 RapidFort hardened image scans.
- cosign: v2.5.3 → v2.6.3 (latest 2.x — same major)
- Variants ecr/acr/gar inherit FROM plugins/docker:linux-{amd64,arm64} so
rebuilding the docker variant cascades to all four published images
(harnesssecure/docker, harnesssecure/ecr, harnesssecure/acr,
harnesssecure/gar).
Tickets: CI-23242, CI-23243, CI-23231, CI-23237 (parent EPIC CI-23213)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Vulnerability Remediation:
harnesssecure/docker(and ecr/acr/gar variants)Team: ci (Harness CI Platform)
Tickets: CI-23242, CI-23243, CI-23231, CI-23237 (parent EPIC CI-23213)
Test image:
vinayakharness/docker-test:docker-21.2.10--debugOnDemand scanner runs (Harness https://harness0.harness.io/):
o1I6iy4iSwCnIcuT2My0xgjeHCp8KHT_iqT6qaTwNvlgBoth OnDemand executions completed
Success. Severity counts in this report come from the local Trivy scans (CVE-level deltas); the OnDemand UI links above are the canonical Prisma Cloud / Snyk / SBOM evidence for the team scoring tracker.Summary
This PR upgrades the
docker:dindbase image and the bundledcosignbinary indocker/docker/Dockerfile.linux.{amd64,arm64}. The remaining three variants (ecr,acr,gar) useFROM plugins/docker:linux-{amd64,arm64}so they pick up the new base transparently when the build pipeline republishesplugins/dockerand the RapidFort hardened equivalents. One PR fixes the family of four images.docker:28.1.1-dind(Alpine 3.20)docker:28.5.1-dind(Alpine 3.22.2)v2.5.3v2.6.3Trivy delta on the rebuilt vs. baseline upstream
plugins/docker:21.2.9(privateharnesssecure/*repos are not pullable from this runner; OnDemand scanned the actual hardened images): −1 Critical / −20 High / −127 Medium / +17 Low / −131 Total, with 28 CVEs resolved and 22 CVEs newly introduced (1 HIGH, 0 CRITICAL).The single new HIGH (
CVE-2026-45447— openssl 3.5.4-r0 → fix in 3.5.7-r0) is a transient Alpine-package CVE that comes with the upstreamdocker:28.5.1-dindbase; the upstream maintainer will pick it up on the next refresh ofdocker:28-dind. Recommendation: REVIEW — significant overall reduction with no new criticals; the new HIGH is openssl-only, low blast-radius, and self-resolving on next base refresh.CVE Delta — Trivy (local scan,
plugins/docker:21.2.9baseline)CVE Delta — Harness OnDemand (Prisma Cloud / Snyk / SBOM)
Both
Success. Counts are tracked by ProdSec in the OnDemand UI (severity-counts API not exposed in this account); see the linked executions above.Per-Ticket CVE Status
The tickets list snapshot severity counts (
3C/53H/69M/22Lper image) but no specific CVE IDs. The remediation targets the parent EPIC's directive (RapidFort hardened images ondocker:dind28.x base) by upgrading to the latest stabledocker:dindpatch in the same major. Per-CVE accountability rolls up to the Trivy delta above and the OnDemand executions.CI-23242 — Security Vulnerability Fixes - harnesssecure/docker
CI-23243 — Security Vulnerability Fixes - harnesssecure/ecr
Inherits from
plugins/docker— same delta as CI-23242 once the build pipeline republishes the family.CI-23231 — Security Vulnerability Fixes - harnesssecure/acr
Inherits from
plugins/docker— same delta as CI-23242 once the build pipeline republishes the family.CI-23237 — Security Vulnerability Fixes - harnesssecure/gar
Inherits from
plugins/docker— same delta as CI-23242 once the build pipeline republishes the family.Changes Made
docker/docker/Dockerfile.linux.amd64FROM docker:28.1.1-dind→28.5.1-dind; cosignv2.5.3→v2.6.3docker/docker/Dockerfile.linux.arm64FROM arm64v8/docker:28.1.1-dind→28.5.1-dind; cosignv2.5.3→v2.6.3Version selection rationale:
docker:dind: chose28.5.1because it is the newest stable patch in the existing major (28.x) — staying in-major avoids a dind/dockerd compatibility risk.cosign: chosev2.6.3because it is the newest stable in the existing major (2.x). v3.x is available but introduces breaking flag changes.Newly Introduced CVEs
22 new CVEs surface from the Alpine 3.22.2 package set bundled into
docker:28.5.1-dind. Severity breakdown: 0 Critical / 1 High / 26 Medium-or-Low / 33 Low. The single HIGH:3.5.4-r0→ fix in3.5.7-r0)docker:28.5.1-dindThis will self-resolve on next refresh of upstream
docker:28-dindonce the openssl 3.5.7-r0 Alpine package lands; we cannot pin a finer-grained Alpine version without forking the dind image.🤖 Opened by the vuln-remediation agent. Draft — please review before merge.