fix: plugin compiler FIPS support + goplugin tag

ec21214
Merged

[TT-16951] fix: plugin compiler FIPS support + goplugin tag #8012

probelabs / Visor: security failed Apr 15, 2026 in 56s

🚨 Check Failed

security check failed because fail_if condition was met.

Details

📊 Summary

  • Total Issues: 3
  • Error Issues: 3

🔍 Failure Condition Results

Failed Conditions

  • global_fail_if: output.issues && output.issues.some(i => i.severity === 'critical' || i.severity === 'error')
    • Severity: ❌ error

Issues by Category

Security (2)

  • ci/images/plugin-compiler/Dockerfile:44 - The BUILD_TAG build argument is used unquoted in the go install command, leading to a potential command injection vulnerability. A malicious value for BUILD_TAG (e.g., foo; rm -rf /) could allow arbitrary code execution during the Docker image build process. This could compromise the build environment and the source code added to the image.
  • ci/images/plugin-compiler/data/build.sh:151 - The BUILD_TAG environment variable is used unquoted in the go build command, leading to a potential command injection vulnerability. A user of the plugin compiler image could set a malicious BUILD_TAG environment variable (e.g., foo; rm -rf /) to execute arbitrary code inside the container. This could be used to compromise the plugin source code or other sensitive data in the container's environment.

Logic (1)

  • system:0 - Global failure condition met: output.issues && output.issues.some(i => i.severity === 'critical' || i.severity === 'error')

Powered by Visor from Probelabs


Annotations

Check failure on line 44 in ci/images/plugin-compiler/Dockerfile


@probelabs probelabs / Visor: security

security Issue

The `BUILD_TAG` build argument is used unquoted in the `go install` command, leading to a potential command injection vulnerability. A malicious value for `BUILD_TAG` (e.g., `foo; rm -rf /`) could allow arbitrary code execution during the Docker image build process. This could compromise the build environment and the source code added to the image.
Raw output
Enclose the `-tags` argument in double quotes to prevent the shell from interpreting special characters in the `BUILD_TAG` variable.

Check failure on line 151 in ci/images/plugin-compiler/data/build.sh


@probelabs probelabs / Visor: security

security Issue

The `BUILD_TAG` environment variable is used unquoted in the `go build` command, leading to a potential command injection vulnerability. A user of the plugin compiler image could set a malicious `BUILD_TAG` environment variable (e.g., `foo; rm -rf /`) to execute arbitrary code inside the container. This could be used to compromise the plugin source code or other sensitive data in the container's environment.
Raw output
Enclose the `-tags` argument in double quotes to prevent the shell from interpreting special characters in the `BUILD_TAG` variable.