From a87fe2b86d4b70e9626b4c25bccd3050bc7bb766 Mon Sep 17 00:00:00 2001
From: Jonathan Claudius
Date: Tue, 29 Jul 2025 22:02:21 -0400
Subject: [PATCH] security: require pinned docker images (#3799)

Co-authored-by: Jonathan Claudius
---
 .github/workflows/no-unpinned-docker.yaml | 15 +++++++++++++++
 docker/build/Dockerfile | 2 +-
 docker/check-docker-pin.sh | 18 ++++++++++++++++++
 3 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/no-unpinned-docker.yaml
 create mode 100755 docker/check-docker-pin.sh

diff --git a/.github/workflows/no-unpinned-docker.yaml b/.github/workflows/no-unpinned-docker.yaml
new file mode 100644
index 000000000..026d5ae6f
--- /dev/null
+++ b/.github/workflows/no-unpinned-docker.yaml
@@ -0,0 +1,15 @@
+name: No Unpinned Docker Images
+
+on:
+ push:
+ branches:
+ - master
+
+jobs:
+ docker:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out source
+ uses: actions/checkout@v4
+ - run: chmod 755 ./docker/check-docker-pin.sh
+ - run: ./docker/check-docker-pin.sh
\ No newline at end of file
diff --git a/docker/build/Dockerfile b/docker/build/Dockerfile
index 7eca227a7..75283d2a6 100644
--- a/docker/build/Dockerfile
+++ b/docker/build/Dockerfile
@@ -4,7 +4,7 @@
 # is released on GitHub.
 #
-FROM ubuntu:22.04
+FROM ubuntu:22.04@sha256:1ec65b2719518e27d4d25f104d93f9fac60dc437f81452302406825c46fcc9cb
 ARG DEBIAN_FRONTEND=noninteractive
diff --git a/docker/check-docker-pin.sh b/docker/check-docker-pin.sh
new file mode 100755
index 000000000..51c8f33ca
--- /dev/null
+++ b/docker/check-docker-pin.sh
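Review bot: The `on:` block triggers only on `push` to `master`, so an unpinned `FROM` is reported after the merge instead of blocking the pull request that introduced it; adding `pull_request:` (and `workflow_dispatch:` for manual runs) next to `push:` turns the check into a gate. The `chmod 755` step is redundant because the script is committed with mode `100755` (`create mode 100755 docker/check-docker-pin.sh` in the diffstat) and `actions/checkout` preserves the executable bit, so the job can run the script directly. In a commit whose point is pinning, `actions/checkout@v4` is itself a mutable tag; pinning the action to its full commit SHA with the tag kept in a trailing comment applies the same policy to the workflow's own dependencies.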
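Review bot: The digest pin on the `FROM` line freezes the base image, so Ubuntu security updates now arrive only when someone bumps this line; a short comment stating that, e.g. `# Pinned by digest (enforced by docker/check-docker-pin.sh) — bump deliberately to pick up base-image security fixes`, tells the next maintainer why the line looks unusual and that a refresh is a conscious step. Keeping the `22.04` tag in front of the digest, as done here, is the right form: the tag documents intent and the digest enforces it. Whether `sha256:1ec65b…` is the multi-arch manifest-list digest or a single-architecture image digest is not visible here; if it is the latter, builds for another architecture will fail to resolve the image, so it is worth confirming against the registry.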
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+# This script checks that all our Docker images are pinned to a specific SHA256 hash.
+#
+# References as to why...
+# - https://nickjanetakis.com/blog/docker-tip-18-please-pin-your-docker-image-versions
+# - https://snyk.io/blog/10-docker-image-security-best-practices/ (Specifically: USE FIXED TAGS FOR IMMUTABILITY)
+#
+# Explanation of regex ignore choices
+# - We ignore sha256 because it suggests that the image dep is pinned
+
+git ls-files -z | grep -z "Dockerfile*" | xargs -r -0 grep -s "FROM" | egrep -v 'sha256'
+if [ $? -eq 0 ]; then
+ echo "[!] Unpinned docker files" >&2
+ exit 1
+else
+ echo "[+] No unpinned docker files"
+fi
\ No newline at end of file
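Review bot: The pipeline on the `git ls-files` line treats `sha256` anywhere on a line as a pin and `FROM` anywhere on a line as an image reference, so `FROM ubuntu:22.04  # add sha256 later` passes while a comment that merely mentions FROM fails, and a multi-stage `FROM builder AS final` stage reference would be flagged as unpinned. It also passes silently when nothing is found: if `git ls-files` fails outside a checkout or `grep -z "Dockerfile*"` (a regex matching any path containing `Dockerfil`, not a glob) yields nothing, `egrep -v` sees an empty stream, exits 1, and the script prints `[+] No unpinned docker files`. Anchoring the FROM match, requiring `@sha256:` followed by 64 hex digits, and failing on an empty file list addresses these; `egrep` is deprecated in favour of `grep -E`, and `if pipeline; then` replaces the `$?` test. A named-stage `FROM <stage>` still needs an explicit carve-out once a multi-stage Dockerfile is added.
```shell
# … unchanged: header comments …
set -u

# List tracked Dockerfiles first: an empty list (or git failing outside a checkout) is an error, not a pass.
mapfile -d '' dockerfiles < <(git ls-files -z -- '*Dockerfile*')
if [ "${#dockerfiles[@]}" -eq 0 ]; then
  echo "[!] No tracked Dockerfiles found" >&2
  exit 2
fi

# Only real FROM instructions count; "pinned" means an explicit @sha256:<64 hex> digest on that line.
if grep -HnE '^[[:space:]]*FROM[[:space:]]' -- "${dockerfiles[@]}" | grep -vE '@sha256:[0-9a-f]{64}'; then
  echo "[!] Unpinned docker files" >&2
  exit 1
fi
echo "[+] No unpinned docker files"
```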