
fix: bump Go to 1.25.11 + auto-trigger dependency-image build [DEVX-3134] #30

Open

Hammond95 wants to merge 2 commits into master from bump-go-1.25.11-cve-fix

Conversation

@Hammond95 Hammond95 commented Jul 1, 2026

Proposed changes

Two related changes for the linux-bench-dependency image (consumed by secure-backend's compliance-benchmark-runner via LINUX_BENCH_TAG), mirroring what was done for kube-bench (aquasecurity#50 + aquasecurity#51):

1. Bump Go 1.25.10/1.25.9 → 1.25.11 (the CVE fix)

The dependency image embeds a linux-bench binary built with Go 1.25.10, failing the Sysdig secure-components-vuln-check policy on two HIGH, network-vector, fixable Go runtime CVEs:

Verified by scanning the built compliance-benchmark-runner: after bumping KUBE_BENCH_TAG to the fixed 1.2.0.7, the runner still reported Go 1.25.10, traced to the linux-bench binary from linux-bench-dependency:1.1.0.14.

| File | Change |
| --- | --- |
| Dockerfile | golang:1.25.10 → 1.25.11 (builds the linux-bench-dependency image via make build-dependency-image-gar --file Dockerfile) |
| Dockerfile_linux_arm64 / Dockerfile_linux_s390x | golang:1.25.9 → 1.25.11 |
| go.mod | go 1.25.9 → 1.25.11 |
| .github/workflows/build.yml / release.yml | go-version: 1.25.9 → 1.25.11 |

2. Auto-trigger the dependency-image build on tag push

Adds .github/workflows/build-dependency-image.yml: on push of a 4-part numeric dependency tag (e.g. 1.1.0.15), it triggers the secure/compliance/compliance-linux-bench Jenkins job with TAG=<tag>, which builds and publishes linux-bench-dependency:<tag> to GAR (registry tag == git tag, 1:1). Removes the manual Jenkins trigger step. Same pattern as kube-bench#51 (tools-runner + draios/jenkins-job-trigger-action).

Requires before the workflow can run

The trigger step needs the org Jenkins secrets granted to this repo — done in draios/infra-config-github (companion PR). Also assumes the tools-runner self-hosted runner group is available to draios/linux-bench.

Follow-up (after merge)

  1. Merge → push a 1.1.0.15 tag → workflow publishes linux-bench-dependency:1.1.0.15.
  2. secure-backend #57203 bumps LINUX_BENCH_TAG=1.1.0.15 → compliance scan passes.

Types of changes

  • Bugfix (non-breaking change which fixes an issue)
  • New feature (CI automation)

🤖 Generated with Claude Code
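Two local checks that back the claims in the description above, written here as an added example (not code from this PR or from the linux-bench repository): the first is the 4-part numeric tag pattern the new workflow is described as triggering on, so a reviewer can confirm which tags will and will not fire a dependency-image build; the second is the verification step the author describes (finding which binary in the runner still reports Go 1.25.10), done with `go version <file>`, which prints the toolchain recorded in a Go binary. The binary path and the minimum version passed on the command line are assumptions, not values from the PR.

```shell
#!/bin/sh
# Added example, not part of the linux-bench PR. Two checks:
#   is_dependency_tag    - does a git tag match the 4-part numeric pattern
#                          (e.g. 1.1.0.15) the tag-push workflow triggers on?
#   go_version_at_least  - is a toolchain version ("go1.25.10" or "1.25.10")
#                          at or above a required minimum, compared numerically
#                          field by field (so 1.25.9 < 1.25.11)?
# check_binary ties them to a real file via `go version <file>`.

is_dependency_tag() {
    # Anchored match: exactly four dot-separated non-negative integers.
    # "v1.1.0.15", "1.1.0" and "1.1.0.15-rc1" are all rejected.
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
}

# Returns 0 when $1 >= $2. Pre-release toolchains (go1.25rc1, devel) are
# not handled; release versions like go1.25.11 are the case that matters here.
go_version_at_least() {
    have=${1#go}
    want=${2#go}
    i=1
    while [ "$i" -le 3 ]; do
        # cut -s prints nothing for a missing field; treat that as 0.
        h=$(printf '%s\n' "$have" | cut -s -d. -f"$i")
        w=$(printf '%s\n' "$want" | cut -s -d. -f"$i")
        h=${h:-0}
        w=${w:-0}
        if [ "$h" -gt "$w" ]; then return 0; fi
        if [ "$h" -lt "$w" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# `go version <file>` prints "<file>: go1.25.10" for a Go binary. Keep only
# the version token and only when it looks like one (non-Go files print an
# error message instead).
binary_go_version() {
    go version "$1" 2>/dev/null | awk '$2 ~ /^go[0-9]/ {print $2}'
}

# Exit 1 if the binary at $1 was built with a toolchain older than $2,
# exit 2 if it is not a Go binary (or `go` is not installed).
check_binary() {
    v=$(binary_go_version "$1")
    if [ -z "$v" ]; then
        echo "$1: not a Go binary, or go is not installed" >&2
        return 2
    fi
    if go_version_at_least "$v" "$2"; then
        echo "$1: built with $v (>= $2) OK"
    else
        echo "$1: built with $v (< $2) FAIL" >&2
        return 1
    fi
}

# Usage: sh check.sh /path/to/linux-bench go1.25.11   (path is an assumption)
if [ "$#" -ge 2 ]; then
    check_binary "$1" "$2"
fi
```

Running `check_binary` over every executable in an image that is built from the dependency image is a quick way to reproduce the author's finding that the Go version reported by the scanner came from the linux-bench binary rather than from the runner's own build.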

The linux-bench-dependency image (built from Dockerfile with golang:1.25.10)
embeds a linux-bench binary affected by two HIGH, network-vector, fixable Go
runtime CVEs, which fails the Sysdig "secure-components-vuln-check" policy on
the downstream compliance-benchmark-runner image:

- CVE-2026-27145 (fixed in Go 1.25.11)
- CVE-2026-42504 (fixed in Go 1.25.11)

Bump all Go references to 1.25.11:
- Dockerfile (the builder for linux-bench-dependency) 1.25.10 -> 1.25.11
- Dockerfile_linux_arm64 / Dockerfile_linux_s390x 1.25.9 -> 1.25.11
- go.mod language version 1.25.9 -> 1.25.11
- CI setup-go (build.yml, release.yml) 1.25.9 -> 1.25.11

Mirrors the kube-bench fix (draios/kube-bench#50). After this merges, the
compliance-linux-bench Jenkins job must rebuild and publish a new
linux-bench-dependency tag, which secure-backend then pins via LINUX_BENCH_TAG.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@Hammond95 Hammond95 requested a review from a team as a code owner July 1, 2026 11:55
Mirror the kube-bench automation: on push of a 4-part numeric dependency tag,
trigger the compliance-linux-bench Jenkins job with TAG=<tag>, which builds
and publishes linux-bench-dependency:<tag> to GAR (registry tag == git tag).

Registry tags are immutable, so each newly pushed tag is a fresh release by
construction — no bump/collision handling needed here. Uses the org-standard
tools-runner + draios/jenkins-job-trigger-action + JENKINS_INTERNAL_URL /
JENKINS_QA_API_USER / JENKINS_QA_API_TOKEN secrets.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@Hammond95 Hammond95 changed the title from "fix: bump Go to 1.25.11 to clear HIGH CVEs in linux-bench-dependency [DEVX-3134]" to "fix: bump Go to 1.25.11 + auto-trigger dependency-image build [DEVX-3134]" Jul 1, 2026