akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity

chore: migrate Docker base images from Alpine to Debian Trixie

Browse Source 
Migrated all Docker stages from Alpine 3.23 to Debian Trixie (13) to
address critical CVE in Alpine's gosu package and improve security
update frequency.

Key changes:

Updated CADDY_IMAGE to debian:trixie-slim
Added gosu-builder stage to compile gosu 1.17 from source with Go 1.25.6
Migrated all builder stages to golang:1.25-trixie
Updated package manager from apk to apt-get
Updated user/group creation to use groupadd/useradd
Changed nologin path from /sbin/nologin to /usr/sbin/nologin
Security impact:

Resolved gosu Critical CVE (built from source eliminates vulnerable Go stdlib)
Reduced overall CVE count from 6 (bookworm) to 2 (trixie)
Remaining 2 CVEs are glibc-related with no upstream fix available
All Go binaries verified vulnerability-free by Trivy and govulncheck
Verification:

E2E tests: 243 passed (5 pre-existing failures unrelated to migration)
Backend coverage: 87.2%
Frontend coverage: 85.89%
Pre-commit hooks: 13/13 passed
TypeScript: 0 errors
Refs: CVE-2026-0861 (glibc, no upstream fix - accepted risk)
This commit is contained in:
GitHub Actions
2026-01-18 21:01:30 +00:00
parent c46c374261
commit e0a39518ba
10 changed files with 1325 additions and 85 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
docs/SUPPLY_CHAIN_VULNERABILITY_GUIDE.md
View File

@@ -69,8 +69,8 @@ This means:
# For npm packages
npm install package-name@1.25.5
# For Alpine packages (in Dockerfile)
RUN apk upgrade package-name
# For Debian packages (in Dockerfile)
RUN apt-get update && apt-get upgrade -y package-name && rm -rf /var/lib/apt/lists/*
```
3. **Test locally:**
@@ -284,7 +284,7 @@ grype db update
2. Update base images first (biggest impact):
```dockerfile
FROM alpine:3.19 # Update to latest patch version
FROM debian:bookworm-slim # Debian slim for security and glibc compatibility
```
3. Batch dependency updates:
@@ -343,7 +343,7 @@ Add to `.pre-commit-config.yaml`:
- **CVE Database**: <https://cve.mitre.org/>
- **NVD**: <https://nvd.nist.gov/>
- **Go Security**: <https://go.dev/security/>
- **Alpine Security**: <https://alpinelinux.org/security/>
- **Debian Security**: <https://www.debian.org/security/>
### Support Channels