
fix: use unpinned tags in Dockerfile.distroless per code review

Merged

TT-16964 - remove sbom job from release workflow #962

probelabs / Visor: security failed Apr 14, 2026 in 46s

🚨 Check Failed

security check failed because the fail_if condition was met.

Details

📊 Summary

  • Total Issues: 5
  • Critical Issues: 1
  • Error Issues: 3
  • Warning Issues: 1

🔍 Failure Condition Results

Failed Conditions

  • global_fail_if: output.issues && output.issues.some(i => i.severity === 'critical' || i.severity === 'error')
    • Severity: ❌ error

Issues by Category

Security (3)

  • 🚨 .github/workflows/release.yml:516 - The Software Bill of Materials (SBOM) generation job has been removed from the release workflow. SBOMs are a critical component of software supply chain security, providing visibility into dependencies and potential vulnerabilities. Removing this step significantly degrades the security posture of the release process and should be considered a critical regression.
  • ci/Dockerfile.distroless:3 - The base Docker image debian:trixie-slim is no longer pinned to a specific SHA256 digest. Using a floating tag (like trixie-slim) makes the build non-reproducible and vulnerable to tag mutation attacks, where the tag could be maliciously updated to point to a compromised image.
  • ci/Dockerfile.distroless:12 - The base Docker image gcr.io/distroless/static-debian12:nonroot is no longer pinned to a specific SHA256 digest. Using a floating tag makes the build non-reproducible and vulnerable to tag mutation attacks, where the tag could be maliciously updated to point to a compromised image.

Architecture (1)

  • ⚠️ .github/workflows/ci-test.yml:67 - The goimports command was changed from go run ... -l . to go install .... The original command checked for formatting issues and would fail the build if any were found. The new command only installs the tool, effectively disabling the formatting check at this stage of the CI pipeline.

Logic (1)

  • system:0 - Global failure condition met: output.issues && output.issues.some(i => i.severity === 'critical' || i.severity === 'error')

Powered by Visor from Probelabs

Annotations

Check failure on line 522 in .github/workflows/release.yml


@probelabs probelabs / Visor: security

security Issue

The Software Bill of Materials (SBOM) generation job has been removed from the release workflow. SBOMs are a critical component of software supply chain security, providing visibility into dependencies and potential vulnerabilities. Removing this step significantly degrades the security posture of the release process and should be considered a critical regression.
Raw output
The underlying permissions issue that caused the job to fail should be resolved instead of removing the job entirely. The `sbom` job requires `id-token: write` permission, which can be granted to this job alone by adding a `permissions` block inside the job definition: a job-level block overrides the workflow-level one, so the OIDC token is issued only where it is needed and the rest of the release workflow keeps its read-only token. This restores the security control while fixing the workflow.
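The shape of that fix, as an added example rather than the project's actual `release.yml`: the workflow default stays read-only and only the `sbom` job receives `id-token: write`. The page does not say what the removed job ran, so the SBOM generation and attestation steps (anchore/sbom-action and actions/attest-sbom, the `attestations: write` permission they need, and the `./dist/*` subject path) are assumptions for illustration.

```yaml
# Added example, not the project's own release.yml.
# Workflow-level default: least privilege for every job that does not
# override it.
permissions:
  contents: read

jobs:
  sbom:
    runs-on: ubuntu-latest
    # Job-scoped grant: overrides the workflow default for this job only.
    permissions:
      contents: read
      id-token: write       # OIDC token required by the sbom job (per the finding)
      attestations: write   # assumption: only needed if the SBOM is attested
    steps:
      # Actions are referenced by tag here for readability; pin them to a
      # commit SHA in a real pipeline for the same reason base images are
      # pinned to a digest.
      - uses: actions/checkout@v4

      - name: Generate SPDX SBOM (assumed tool choice)
        uses: anchore/sbom-action@v0
        with:
          path: .
          format: spdx-json
          output-file: sbom.spdx.json
          upload-artifact: true

      - name: Attest the SBOM against the release artifacts (assumed paths)
        uses: actions/attest-sbom@v1
        with:
          subject-path: ./dist/*
          sbom-path: sbom.spdx.json
```

Keeping `permissions:` at the workflow level read-only and widening it per job is the pattern to reach for whenever a single job needs OIDC or write scopes; granting `id-token: write` at the top of the workflow would hand every job, including ones that run third-party actions, the ability to mint identity tokens.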

Check failure on line 3 in ci/Dockerfile.distroless


@probelabs probelabs / Visor: security

security Issue

The base Docker image `debian:trixie-slim` is no longer pinned to a specific SHA256 digest. Using a floating tag (like `trixie-slim`) makes the build non-reproducible and vulnerable to tag mutation attacks, where the tag could be maliciously updated to point to a compromised image.
Raw output
To ensure build integrity and security, pin the base image to the digest of its multi-platform manifest list (the image index), not to a single platform's image digest, so that multi-arch builds keep resolving the right variant. You can find the correct digest with `docker buildx imagetools inspect debian:trixie-slim` (the `Digest:` line of the output) and then append it to the image name (e.g., `debian:trixie-slim@sha256:...`). Keeping the tag in front of the digest is purely informational; the digest is what the builder verifies. A pin freezes the image, so pair it with an automated digest-update mechanism (Dependabot and Renovate both support Docker digest bumps) so security fixes to the base image still arrive as reviewable PRs.

Check failure on line 12 in ci/Dockerfile.distroless


@probelabs probelabs / Visor: security

security Issue

The base Docker image `gcr.io/distroless/static-debian12:nonroot` is no longer pinned to a specific SHA256 digest. Using a floating tag makes the build non-reproducible and vulnerable to tag mutation attacks, where the tag could be maliciously updated to point to a compromised image.
Raw output
To ensure build integrity and security, pin the base image to the digest of its multi-platform manifest list (the image index) rather than a single platform's image digest. You can find the correct digest with `docker buildx imagetools inspect gcr.io/distroless/static-debian12:nonroot` (the `Digest:` line of the output) and then append it to the image name (e.g., `gcr.io/distroless/static-debian12:nonroot@sha256:...`). Distroless tags such as `nonroot` are rebuilt frequently, so an automated digest-update mechanism (Dependabot or Renovate) is the way to keep the pin current without reintroducing a floating tag.
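Both Dockerfile findings above are the same regression, so one added example covers them. This is not Visor's output and not the project's own CI code: a POSIX shell guard that fails when any `FROM` line in a Dockerfile lacks an `@sha256:` digest (so the unpin cannot land silently again), plus a helper that resolves a tag to its manifest-list digest with the `docker buildx imagetools inspect` command the finding recommends. The Dockerfile fed to the demo is constructed to mirror the two reported lines; `resolve_digest` needs docker and network access and is therefore not invoked by the demo.

```sh
#!/bin/sh
# Added example; not Visor's output and not the project's own CI code.

# Print every FROM image reference in $1 that is not digest-pinned, one per
# line. Skips --flags (e.g. --platform=...), `scratch`, and references to
# earlier build stages declared with `AS name`.
unpinned_from_refs() {
    awk '
        toupper($1) == "FROM" {
            i = 2
            while (i <= NF && substr($i, 1, 2) == "--") i++   # skip --platform=... etc.
            ref = $i
            for (j = i + 1; j < NF; j++)                       # remember stage aliases
                if (toupper($j) == "AS") stages[$(j + 1)] = 1
            if (ref == "scratch" || (ref in stages)) next
            if (index(ref, "@sha256:") == 0) print ref
        }' "$1"
}

# Return 0 when every base image in $1 is pinned, 1 otherwise (offenders on stderr).
check_dockerfile_pins() {
    refs=$(unpinned_from_refs "$1")
    [ -z "$refs" ] && return 0
    printf 'unpinned base image(s) in %s:\n%s\n' "$1" "$refs" >&2
    return 1
}

# Resolve a tag to the digest of its multi-platform manifest list, i.e. the
# value to write after "@". Requires docker buildx and network access.
# Usage: resolve_digest debian:trixie-slim
resolve_digest() {
    docker buildx imagetools inspect "$1" | awk '/^Digest:/ { print $2; exit }'
}

# Demo on a constructed Dockerfile that mirrors the two reported lines.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
FROM --platform=$BUILDPLATFORM debian:trixie-slim AS builder
RUN true
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=builder /bin/true /bin/true
EOF
    if check_dockerfile_pins "$tmp"; then
        echo "all base images are digest-pinned"
    else
        echo "rewrite each as name:tag@sha256:<digest>, e.g. from resolve_digest"
    fi
    rm -f "$tmp"
}

demo
```

Run `check_dockerfile_pins ci/Dockerfile.distroless` as a CI step and the job fails with the offending references listed; after pinning, confirm the pin resolves on every platform you build for with `docker buildx imagetools inspect name:tag@sha256:<digest>` before merging.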

Check warning on line 67 in .github/workflows/ci-test.yml


@probelabs probelabs / Visor: security

architecture Issue

The `goimports` command was changed from `go run ... -l .` to `go install ...`. The original command checked for formatting issues and would fail the build if any were found. The new command only installs the tool, effectively disabling the formatting check at this stage of the CI pipeline.
Raw output
Restore the formatting check. After installing the tool, add a step that runs it with the `-l` flag and fails the job if it produces any output: `goimports -l` prints the paths of files whose formatting or import grouping would change, so an empty list is the only passing result. This ensures that code formatting is consistently enforced.
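A minimal restoration of that step, as an added example rather than the project's actual `ci-test.yml`: install `goimports`, then fail on any listed file. The module path and `@latest` version selector are assumptions (a pipeline should pin the version), and the step assumes `$(go env GOPATH)/bin` is on `PATH`, which `actions/setup-go` arranges on GitHub-hosted runners.

```yaml
# Added example, not the project's own ci-test.yml.
      - name: Install goimports (assumed module path; pin the version in practice)
        run: go install golang.org/x/tools/cmd/goimports@latest

      - name: Check formatting and imports
        run: |
          # -l lists files that differ from goimports output; any output is a failure.
          files=$(goimports -l .)
          if [ -n "$files" ]; then
            echo "files need goimports:"
            echo "$files"
            exit 1
          fi
```

The separate install step is what the reviewed change kept; the second step is the part that was lost, and the explicit `exit 1` is what turns a listing into a failed check rather than a warning that scrolls past in the log.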