fix: [CI-23219]: remediate vulnerabilities in harnesssecure/github-actions#24
chhawchharia wants to merge 2 commits into
…tions
- bump base image docker:dind -> docker:29.6.0-dind
- bump nektos/act v0.2.61 -> v0.2.89
- update go.mod toolchain + key dependencies (go-git, x/crypto, x/net, etc.)

The vuln remediation raised the go.mod directive to `go 1.25.0`, but the .drone.yml build step still used `golang:1.22.7`. A 1.22 toolchain cannot cleanly build a 1.25 module (auto-toolchain download is fragile and fails under GOTOOLCHAIN=local), and it would compile the plugin binary with an outdated Go stdlib, re-introducing stdlib CVEs into the image. Pin the build image to the latest 1.25 patch (1.25.11), which also carries the stdlib fix for CVE-2025-47910.

Co-authored-by: Cursor <cursoragent@cursor.com>
Closing in favor of #23 to keep a single PR for CI-23219. The one missing piece (the

Reopened as the complete, verified PR for CI-23219 (supersedes #23, which is missing the Build & test
| Flag | v0.2.89 |
|---|---|
| `-W` / `--workflows` | present |
| `-P` / `--platform` | present |
| `--secret-file` | present |
| `--env-file` | present |
| `-b` / `--bind` | present |
| `--detect-event` | present |
| `--container-options` | present |
| `--actor` | present |
| `--eventpath` | present |
| `-v` / `--verbose` | present |
Full image build (docker/Dockerfile.linux.amd64, --platform linux/amd64)
- Base `docker:29.6.0-dind` pulls; `apk add ca-certificates curl` OK
- act installer resolves + installs v0.2.89 for Linux/x86_64
- act is on `PATH` at `/bin/act` (so `exec.Command("act", …)` resolves)
- `act --version` → `act version 0.2.89` (verified on a native run; the amd64-under-QEMU run crashes, which is an emulation artifact, not a defect)
- plugin binary present at `/bin/plugin`
Reachable-CVE note (govulncheck)
The plugin binary has 11 reachable Go-stdlib CVEs when built with Go ≤1.25.5 (e.g. crypto/tls via cloner.Clone → git.PlainClone), all fixed by ≤1.25.9 — so the .drone.yml builder bump to golang:1.25.11 clears them.
No source changes were required; the toolchain, base-image, and act bumps are drop-in.
Vulnerability Remediation: harnesssecure/github-actions
Fully resolves CI-23219.
This branch incorporates the dependency + base-image remediation from #23 (by the vuln-remediation bot) plus a required CI toolchain fix that #23 was missing, so it can be reviewed and merged as a single, complete, mergeable change. Supersedes #23.
Changes
- docker/Dockerfile.linux.amd64
  - `FROM docker:dind` → `FROM docker:29.6.0-dind` (latest stable dind; pins the previously-floating tag that was the source of the Alpine/openssl/git HIGHs)
  - nektos/act `v0.2.61` → `v0.2.89` (latest release)
- go.mod / go.sum
  - `go` directive `1.22.7` → `1.25.0` + `go get -u` of flagged direct/transitive deps: `golang.org/x/crypto`, `x/net`, `x/sys`, `x/exp`; `go-git/go-git/v5` 5.13.1 → 5.19.1; `go-billy/v5` 5.6.1 → 5.9.0; `ProtonMail/go-crypto` 1.1.3 → 1.4.1; `cloudflare/circl` 1.3.7 → 1.6.4; `cyphar/filepath-securejoin` 0.3.6 → 0.7.0
- .drone.yml
  - `golang:1.22.7` → `golang:1.25.11` — required so CI can build the now-`go 1.25.0` module cleanly (a 1.22 toolchain fails under `GOTOOLCHAIN=local`), and so the compiled plugin binary ships with a patched Go stdlib (incl. CVE-2025-47910).

CVE delta — Trivy (local scan)
Harness OnDemand (Snyk + PrismaCloud) collapses from thousands of paginated baseline findings to ~80 in the after image.
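As an added check (not part of this PR or the plugin repo), a POSIX sh script that compares the `go` directive in go.mod against the `golang:` builder tag in .drone.yml, so drift of the kind fixed here (a `go 1.25.0` module built on `golang:1.22.7`) is caught before CI runs. It assumes the standard `go X.Y[.Z]` line in go.mod and an `image: golang:<tag>` line in the pipeline; the sample files are constructed inline.

```shell
#!/bin/sh
# Added example, not part of the PR: fail early when the golang builder image
# pinned in .drone.yml is older than the `go` directive in go.mod (the drift
# this PR fixed: go 1.25.0 module built on golang:1.22.7).

# go_directive GOMOD -> version from the `go X.Y[.Z]` line
go_directive() {
    awk '$1 == "go" { print $2; exit }' "$1"
}

# builder_version DRONE_YML -> tag of the first `image: golang:<tag>` line
# (a floating tag such as golang:latest yields nothing and is rejected below)
builder_version() {
    sed -n 's/^[[:space:]]*image:[[:space:]]*golang:\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# version_ge A B -> true when dotted version A >= B (field-wise numeric compare)
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1)" = "$1" ]
}

# toolchain_ok GOMOD DRONE_YML -> 0 when the builder can build the module, else 1
toolchain_ok() {
    need=$(go_directive "$1")
    have=$(builder_version "$2")
    if [ -z "$need" ] || [ -z "$have" ]; then
        echo "error: could not read go directive or pinned builder image" >&2
        return 1
    fi
    if version_ge "$have" "$need"; then
        echo "ok: golang:$have builds a go $need module"
    else
        echo "MISMATCH: golang:$have is older than go.mod directive $need" >&2
        return 1
    fi
}

# Constructed sample files mirroring the before/after state of this PR.
tmp=$(mktemp -d)
printf 'module example.invalid/plugin\n\ngo 1.25.0\n' > "$tmp/go.mod"
printf 'kind: pipeline\nsteps:\n- name: build\n  image: golang:1.22.7\n' > "$tmp/before.yml"
printf 'kind: pipeline\nsteps:\n- name: build\n  image: golang:1.25.11\n' > "$tmp/after.yml"

toolchain_ok "$tmp/go.mod" "$tmp/before.yml" || echo "(before: rejected as expected)"
toolchain_ok "$tmp/go.mod" "$tmp/after.yml"
```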
Verification
- `go build ./cmd` ✅
- `go test ./...` ✅ (cloner + utils suites pass)
- `go mod verify` ✅

Residual CVEs (upstream-blocked — not introduced by this PR)
8 advisories remain after the bump:
- `docker:29.6.0-dind` base, via docker-compose / ctr. No `docker:29.x-dind` tag ships containerd ≥ 2.2.5 yet.
- act binary — act v0.2.89 is built with Go 1.25.0; fixed only in Go 1.25.1+. Needs nektos to retag.

These can only be tracked upstream; bump the base image / act when fixed releases land.

Refs: baseline & after OnDemand scans linked in #23.