[TT-16946][TT-16950][TT-16951] feat(ci): FIPS base image for FIPS Docker builds + Go 1.25#963

Merged
buger merged 3 commits into master from feat/fips-base-image on Apr 14, 2026

Conversation

@buger (Member) commented Apr 14, 2026

$(gh pr view 963 --repo TykTechnologies/tyk-pump --json body -q .body)

Related Tickets

@buger buger requested a review from a team as a code owner April 14, 2026 12:47
@probelabs probelabs Bot (Contributor) commented Apr 14, 2026

This PR updates the CI/CD pipeline to support Go 1.25, introduces a new FIPS-compliant base image, and enhances the security of the build process.

Key changes include:

  • Go 1.25 FIPS Support: The FIPS build process is updated to use the GOFIPS140=v1.0.0 environment variable, aligning with the official FIPS support in Go 1.25. This replaces the previous GOEXPERIMENT=boringcrypto and boringcrypto build tags.
  • New FIPS Base Image: FIPS Docker images are now built using the standardized tykio/dhi-busybox:1.37-fips base image.
  • VEX Attestation: A new step is added to the release workflow to attach Vulnerability Exploitability eXchange (VEX) data to the FIPS container image using docker scout and cosign, improving supply chain security.
  • CI/CD Enhancements: The standard distroless base image is upgraded to Debian 13, a dep-guard job is added for dependency checking, and CI runner selection is now managed by a central ${{ vars.DEFAULT_RUNNER }} variable.

Files Changed Analysis

  • .github/workflows/release.yml: This file contains the most significant changes. A dep-guard job is added, runner configurations are centralized, and the FIPS Docker build process is overhauled. New steps for cosign installation and VEX attestation are introduced. Notably, the s390x architecture is removed from the standard Docker build platforms.
  • ci/goreleaser/goreleaser.yml: The GoReleaser configuration is updated to use the GOFIPS140 flag for FIPS builds. In contrast to the workflow change, it adds s390x as a target architecture for FIPS .deb and .rpm package builds.
  • ci/Dockerfile.distroless: This Dockerfile is now parameterized to accept a BASE_IMAGE argument, making it reusable for both standard and FIPS builds. The default base image is updated to gcr.io/distroless/static-debian13:nonroot.
  • ci/Dockerfile.std: The base image tag is updated to debian:trixie-slim, and the SHA256 pin is removed.

Architecture & Impact Assessment

  • What this PR accomplishes: It aligns the project's FIPS compliance with the official Go 1.25 toolchain, standardizes the FIPS build environment, and enhances the security posture of the released container images through VEX attestations.

  • Key technical changes introduced:

    • Transition from GOEXPERIMENT=boringcrypto to the stable GOFIPS140=v1.0.0 flag for FIPS builds.
    • Introduction of cosign and docker scout for VEX attestation, adding a layer of supply chain security.
    • Parameterization of the distroless Dockerfile to support different base images via build arguments.
  • Affected system components: The changes are confined to the CI/CD pipeline and build configurations. The application's runtime code is not directly modified, but FIPS builds will now be compiled using the FIPS-validated cryptographic libraries from the Go 1.25 toolchain.

FIPS Build and Attestation Flow

flowchart TD
    subgraph "GitHub Release Workflow"
        A[Push Tag] --> B(GoReleaser Job)
        B --> C{Build Type?}
        C -->|FIPS| D[Build with GOFIPS140=v1.0.0]
        D --> E[Package .deb/.rpm for amd64, arm64, s390x]
        E --> F[Build FIPS Docker Image]
        F -- Uses --> G[Base: tykio/dhi-busybox:1.37-fips]
        F --> H[Push Image to Registry]
        H --> I[Attach VEX Attestation]
        I -- Uses --> J[docker scout & cosign]
    end

Scope Discovery & Context Expansion

  • The changes are focused on the build and release process. The use of the fips build tag in ci/goreleaser/goreleaser.yml implies conditional compilation within the application source, likely in a file such as pumps/fips.go, to enable FIPS-specific logic.
  • The move to a shared FIPS base image (tykio/dhi-busybox) and a centralized runner variable (vars.DEFAULT_RUNNER) suggests these changes are part of a broader organizational initiative to standardize CI/CD practices.
  • There is an architectural inconsistency regarding the s390x platform: it has been removed from the standard Docker build platforms in release.yml but added to the GoReleaser configuration for FIPS package builds. This may require clarification to ensure consistent platform support.
Metadata
  • Review Effort: 3 / 5
  • Primary Label: feature

Powered by Visor from Probelabs

Last updated: 2026-04-14T15:12:09.383Z | Triggered by: pr_updated | Commit: af9abcc

💡 TIP: You can chat with Visor using /visor ask <your question>
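The VEX attestation step summarized above is only as good as the VEX document it attaches. As an added example that is not part of this PR or of the Tyk project, the following Python check validates a VEX document before it is handed to docker scout or cosign; it assumes the data is an OpenVEX JSON document (the PR text does not say which VEX format is used), and the product ids, image digest and CVE numbers in the constructed sample are placeholders.

```python
VALID_STATUS = {"not_affected", "affected", "fixed", "under_investigation"}
# Justifications that OpenVEX permits on a not_affected statement.
VALID_JUSTIFICATION = {
    "component_not_present", "vulnerable_code_not_present", "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary", "inline_mitigations_already_exist"}

def validate_openvex(doc: dict) -> list[str]:
    """Return the problems found; an empty list means the document is acceptable."""
    problems = []
    for key in ("@context", "@id", "author", "timestamp", "version", "statements"):
        if key not in doc:
            problems.append(f"missing top-level field {key!r}")
    if not str(doc.get("@context", "")).startswith("https://openvex.dev/ns"):
        problems.append("@context is not an OpenVEX namespace")
    for i, st in enumerate(doc.get("statements", [])):
        vuln = st.get("vulnerability")
        if not isinstance(vuln, dict) or not vuln.get("name"):
            problems.append(f"statement {i}: vulnerability.name is required")
        products = st.get("products") or []
        if not products:
            problems.append(f"statement {i}: at least one product is required")
        for p in products:
            # Require a digest-pinned product so the claim cannot silently drift with a tag.
            if "@sha256:" not in str(p.get("@id", "")):
                problems.append(f"statement {i}: product {p.get('@id')!r} is not digest-pinned")
        status = st.get("status")
        if status not in VALID_STATUS:
            problems.append(f"statement {i}: invalid status {status!r}")
        elif status == "not_affected" and st.get("justification") not in VALID_JUSTIFICATION:
            problems.append(f"statement {i}: not_affected requires a valid justification")
    return problems

# Constructed sample with placeholder ids/digest: statement 0 is sound, statement 1 has two defects.
DIGEST = "sha256:" + "0" * 64
SAMPLE_VEX = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/tyk-pump-fips-1",
    "author": "release-pipeline (placeholder)",
    "timestamp": "2026-04-14T15:12:09Z",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-0000-00001"}, "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path",
         "products": [{"@id": f"pkg:docker/example/tyk-pump-fips@{DIGEST}"}]},
        {"vulnerability": {"name": "CVE-0000-00002"}, "status": "not_affected",
         "products": [{"@id": "pkg:docker/example/tyk-pump-fips:latest"}]},
    ],
}
def check_sample() -> list[str]:
    return validate_openvex(SAMPLE_VEX)
```

Running the check in CI before the attestation step rejects a not_affected claim that carries no justification or that names a floating tag instead of the pushed image digest.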

@probelabs probelabs Bot (Contributor) commented Apr 14, 2026
probelabs Bot commented Apr 14, 2026



Last updated: 2026-04-14T15:11:16.762Z | Triggered by: pr_updated | Commit: af9abcc


@buger buger force-pushed the feat/fips-base-image branch from 4c16d47 to 83df7e9 on April 14, 2026 14:10
Regenerated CI files from gromit policy (gromit#444).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@buger buger force-pushed the feat/fips-base-image branch from 83df7e9 to 1b16185 on April 14, 2026 14:14
buger and others added 2 commits April 14, 2026 17:56
@sonarqubecloud commented

Quality Gate failed

Failed conditions
3 Security Hotspots

See analysis details on SonarQube Cloud

@buger buger merged commit 175fa7e into master Apr 14, 2026
37 of 45 checks passed
@buger buger deleted the feat/fips-base-image branch April 14, 2026 16:47
@probelabs probelabs Bot changed the title feat(ci): FIPS base image for FIPS Docker builds + Go 1.25 [TT-16946][TT-16950][TT-16951] feat(ci): FIPS base image for FIPS Docker builds + Go 1.25 Apr 15, 2026