Skip to content

Add docker images built using FIPS binaries #894

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ilijabojanovic merged 6 commits into from
Sep 23, 2025

Merge branch 'master' into TT-15334/docker-fips

571a7c4
Select commit
Loading
Failed to load commit list.
Merged

Add docker images built using FIPS binaries #894

Merge branch 'master' into TT-15334/docker-fips
571a7c4
Select commit
Loading
Failed to load commit list.
probelabs / Visor: performance succeeded Sep 23, 2025 in 4m 31s

✅ Check Passed

performance check completed successfully with no issues found.

Details

📊 Summary

  • Total Issues: 2

🐛 Issues by Category

⚡ Performance (2)

  • ℹ️ ci/goreleaser/goreleaser.yml:15 - The introduction of GOEXPERIMENT=boringcrypto and the fips,boringcrypto build tags switches the underlying cryptographic implementation to BoringSSL for the FIPS build. This will alter the performance characteristics of cryptographic functions compared to the standard Go crypto library. While this is necessary for FIPS compliance, it's important to be aware of the potential performance shift.
  • ℹ️ .github/workflows/release.yml:60 - Adding steps to build and push FIPS-compliant Docker images will increase the overall execution time of the release workflow. This is an expected trade-off for supporting an additional build artifact.

Generated by Visor - AI-powered code review

Annotations

Check notice on line 15 in ci/goreleaser/goreleaser.yml

See this annotation in the file changed.

@probelabs probelabs / Visor: performance

performance Issue 

The introduction of `GOEXPERIMENT=boringcrypto` and the `fips,boringcrypto` build tags switches the underlying cryptographic implementation to BoringSSL for the FIPS build. This will alter the performance characteristics of cryptographic functions compared to the standard Go crypto library. While this is necessary for FIPS compliance, it's important to be aware of the potential performance shift.
Raw output 
If cryptographic performance is a critical aspect of the service, consider benchmarking the FIPS-enabled binary against the standard version to quantify any differences and ensure they are within acceptable limits.

Check notice on line 124 in .github/workflows/release.yml

See this annotation in the file changed.

@probelabs probelabs / Visor: performance

performance Issue 

Adding steps to build and push FIPS-compliant Docker images will increase the overall execution time of the release workflow. This is an expected trade-off for supporting an additional build artifact.
Raw output 
The workflow correctly utilizes GitHub Actions caching (`cache-from: type=gha`, `cache-to: type=gha,mode=max`), which is a best practice that helps mitigate the increased build time by reusing cached layers from previous runs. No immediate action is required, but it's good to monitor the pipeline's duration.
View more details on probelabs