Conversation
| @@ -1,4 +1,4 @@ | |||
| FROM jetpackio/devbox:latest | |||
| FROM jetpackio/devbox:latest@sha256:293d6d0a33205e88550198835e68bcff65a2e33d143857ad92c6c888e6a75ad7 | |||
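Review bot: Once a digest is appended, the `latest` tag no longer affects which image is pulled, so this line now gives a reader no hint of which devbox release the digest was captured from. Add a trailing comment recording the release tag or the date the digest was taken so the next bump can be reviewed against it; the pin also does nothing for the root-user and `sudo` findings reported on this same stage, which need a `USER` instruction and a `RUN` without `sudo`.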
Missing User Instruction
on resource FROM jetpackio/devbox:latest@sha256:293d6d0a33205e88550198835e68bcff65a2e33d143857ad92c6c888e6a75ad7 AS jetpackio/devbox:latest@sha256:293d6d0a33205e88550198835e68bcff65a2e33d143857ad92c6c888e6a75ad7
More Details
This rule checks whether a `USER` instruction is specified in the Dockerfile. The rule fails when the `USER` instruction is missing, causing the container to run with root privileges (UID 0). If an attacker compromises an application running as root, they gain the privileges needed to potentially escape the container and attack the host node. It also increases the blast radius of a breach, allowing full control to modify files or install malware within the container. Enforcing a non-root user is a fundamental security measure that minimizes the attack surface and contains the impact of a potential compromise.
Expected
The Dockerfile stage should contain the 'USER' instruction
Found
The Dockerfile stage does not contain any 'USER' instruction
Rule ID: fc0144c0-d1e9-4694-bd44-8eb9cbdd9a56
To ignore this finding as an exception, reply to this conversation with #wiz_ignore reason
If you'd like to ignore this finding in all future scans, add an exception in the .wiz file (learn more) or create an Ignore Rule (learn more).
To get more details on how to remediate this issue using AI, reply to this conversation with #wiz remediate
| @@ -1,4 +1,4 @@ | |||
| FROM jetpackio/devbox:latest | |||
| FROM jetpackio/devbox:latest@sha256:293d6d0a33205e88550198835e68bcff65a2e33d143857ad92c6c888e6a75ad7 | |||
Run Using Sudo
on resource FROM jetpackio/devbox:latest@sha256:293d6d0a33205e88550198835e68bcff65a2e33d143857ad92c6c888e6a75ad7 AS jetpackio/devbox:latest@sha256:293d6d0a33205e88550198835e68bcff65a2e33d143857ad92c6c888e6a75ad7.RUN sudo chown -R "${DEVBOX_USER}:${DEVBOX_USER}" /code
More Details
This rule checks whether the RUN instruction contains `sudo`. This rule fails if `command.Cmd` contains `sudo`. Using sudo in Docker can lead to security risks by granting root-level access to the container. This could potentially expose the host system to vulnerabilities. It's best to stick with user-level permissions to maintain security and consistency within Docker environments.
Expected
RUN instruction shouldn't contain sudo
Found
RUN instruction contains sudo
Rule ID: e3de5fb2-9c08-4bb8-bbe5-50a47455dfe6
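The two Wiz findings above (missing `USER`, `sudo` in a `RUN`) are simple enough to catch locally before a scanner sees them. The script below is an added example, not part of this PR or of Wiz's rule code: `lint_dockerfile` reads Dockerfile text on stdin, folds backslash-continued lines, tracks each build stage, and reports a stage whose last `USER` is absent (or, going slightly beyond the rule as quoted, is `root`/`0`) and any `RUN` that invokes `sudo`. The two Dockerfiles it is run against are constructed from the lines visible in the findings; the hardened variant assumes the image defines `DEVBOX_USER` and lets the build switch to `root`.

```shell
#!/bin/sh
# Added example, not part of the PR or of the Wiz rules themselves: a small lint
# that reproduces the two findings (missing USER, sudo in RUN). Reads Dockerfile
# text on stdin, prints one finding per line, returns 1 if anything was found.
lint_dockerfile() {
    awk '
    # Fold backslash-continued lines into one logical instruction.
    {
        line = $0
        sub(/\r$/, "", line)
        if (line ~ /\\[ \t]*$/) {
            sub(/\\[ \t]*$/, "", line)
            buf = buf line " "
            next
        }
        check(buf line)
        buf = ""
    }
    function check(inst,    kw, user) {
        if (inst ~ /^[ \t]*#/ || inst ~ /^[ \t]*$/) return   # comment or blank
        kw = toupper(inst)
        sub(/^[ \t]*/, "", kw)
        sub(/[ \t].*$/, "", kw)
        if (kw == "FROM") {
            # A new stage starts: report the previous one if it never left root.
            if (stage != "" && !nonroot) report(stage)
            stage = inst
            nonroot = 0
        } else if (kw == "USER") {
            # The last USER in a stage wins. Stricter than the rule as quoted:
            # USER root / USER 0 is treated as not satisfying it.
            user = inst
            sub(/^[ \t]*[Uu][Ss][Ee][Rr][ \t]+/, "", user)
            sub(/[ \t].*$/, "", user)
            nonroot = !(user ~ /^(root|0)(:|$)/)
        } else if (kw == "RUN" && inst ~ /(^|[ \t;&|("])sudo([ \t"]|$)/) {
            print "Run Using Sudo: " inst
            bad = 1
        }
    }
    function report(s) {
        print "Missing User Instruction in stage: " s
        bad = 1
    }
    END {
        if (buf != "") check(buf)
        if (stage != "" && !nonroot) report(stage)
        exit bad + 0
    }
    '
}

# Constructed from the two lines visible in the findings above; the real
# Dockerfile has further lines that the page does not show.
flagged_dockerfile() {
    cat <<'EOF'
FROM jetpackio/devbox:latest@sha256:293d6d0a33205e88550198835e68bcff65a2e33d143857ad92c6c888e6a75ad7
RUN sudo chown -R "${DEVBOX_USER}:${DEVBOX_USER}" /code
EOF
}

# Hardened variant (assumption: the image defines DEVBOX_USER and the build may
# switch to root): do the ownership fix as root without sudo, then make the
# unprivileged user the stage default.
hardened_dockerfile() {
    cat <<'EOF'
FROM jetpackio/devbox:latest@sha256:293d6d0a33205e88550198835e68bcff65a2e33d143857ad92c6c888e6a75ad7
USER root
RUN chown -R "${DEVBOX_USER}:${DEVBOX_USER}" /code
USER ${DEVBOX_USER}
EOF
}

# Number of findings for the named Dockerfile function (usable as a CI gate).
finding_count() {
    "$1" | lint_dockerfile | wc -l | tr -d ' '
}

# Stand-alone run: list the findings for both variants.
if flagged_dockerfile | lint_dockerfile; then
    echo "flagged Dockerfile: clean"
fi
echo "hardened Dockerfile findings: $(finding_count hardened_dockerfile)"
```

Running it prints the two findings for the flagged variant and zero for the hardened one; the non-zero exit status of `lint_dockerfile` is what a pre-commit hook or CI step would key on.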
- Add github-app config to .ci-mgmt.yaml
- Use actions/create-github-app-token across all workflows
- Update mise from 2025.10.16 to 2025.11.6
- Pin all actions to specific commit SHAs
- Remove mise.lock file (not needed with pinned versions)
- Add MISE_FETCH_REMOTE_VERSIONS_TIMEOUT config
Pull request overview
This PR migrates CI workflows from using GITHUB_TOKEN to GitHub App-based authentication to avoid rate limiting issues, while also updating tooling and pinning all GitHub Actions to specific commit SHAs for improved security and reproducibility.
Key Changes:
- GitHub App authentication implemented across most workflows using actions/create-github-app-token
- All GitHub Actions pinned to commit SHAs instead of version tags
- Mise upgraded from version 2025.10.16 to 2025.11.6 with lockfile disabled and new configuration options
Reviewed changes
Copilot reviewed 28 out of 29 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| .ci-mgmt.yaml | Added GitHub App configuration with app ID and private key references |
| .config/mise.toml | Updated mise configuration: disabled lockfile, upgraded versions, added new settings and plugins |
| .config/mise.lock | Removed lockfile as lockfile generation is now disabled |
| .config/mise.test.toml | Simplified test configuration by removing overrides |
| .devcontainer/Dockerfile | Pinned base image to specific SHA256 digest |
| .golangci.yml | Restructured linter configuration with simplified syntax and updated exclusions |
| Makefile | Reorganized mise-related targets (code movement, no functional changes) |
| .github/workflows/*.yml (multiple) | Added GitHub App authentication steps, pinned actions to SHAs, updated mise version, added PULUMI_PULUMI_ENABLE_JOURNALING environment variable |
| .github/actions/*/action.yml (multiple) | Updated artifact upload/download actions to v6/v7 with SHA pinning |
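The overview lists "all GitHub Actions pinned to commit SHAs" as a key change. The check below is an added example, not part of this PR or of any tool it uses: `check_action_pins` reads workflow YAML on stdin and flags every remote `uses:` whose ref is not a 40-character hex commit SHA, and every SHA pin whose trailing comment does not name an exact release (`x.y.z`), since that comment is the only thing that lets a reviewer confirm which tag the SHA corresponds to. The sample workflow fragment is constructed from lines shown in this PR's diffs (the two SHAs are the ones in the hunks); the local action path in it is a made-up placeholder.

```shell
#!/bin/sh
# Added example, not part of the PR: verify the "pin all actions to commit SHAs"
# change. Reads workflow YAML on stdin, prints one finding per offending line
# and returns 1 if anything was flagged.
check_action_pins() {
    awk '
    # Only "uses: owner/repo@ref" lines; local (./path) and docker:// actions
    # carry no git ref and are skipped.
    /^[ \t-]*uses:[ \t]*[A-Za-z0-9_.-]+\/[A-Za-z0-9_.\/-]+@/ {
        ref = $0
        sub(/^[^@]*@/, "", ref)        # keep the text after the @
        sub(/[ \t].*$/, "", ref)       # up to the first blank (a comment may follow)
        if (length(ref) != 40 || ref !~ /^[0-9a-f]+$/) {
            print "not pinned to a commit SHA: " $0
            bad = 1
            next
        }
        # A pinned line should say which release the SHA is, e.g. "# v6.0.1";
        # "# v3" alone cannot be verified against the SHA.
        if ($0 !~ /#[ \t]*v?[0-9]+\.[0-9]+\.[0-9]+/) {
            print "SHA pin without an exact version comment: " $0
            bad = 1
        }
    }
    END { exit bad + 0 }
    '
}

# Constructed workflow fragment; the first three uses: lines are taken from the
# diffs in this PR, the local action path is a placeholder.
sample_workflow() {
    cat <<'EOF'
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
      - name: Setup mise
        uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3
      - uses: jdx/mise-action@v3
      - uses: ./.github/actions/some-local-action
EOF
}

# Number of findings in the sample (usable as a CI gate over real files with
# e.g. cat .github/workflows/*.yml | check_action_pins).
pin_finding_count() {
    sample_workflow | check_action_pins | wc -l | tr -d ' '
}

# Stand-alone run: list the findings.
if sample_workflow | check_action_pins; then
    echo "all remote actions are SHA-pinned and annotated"
fi
```

On the sample this reports two lines: the unpinned `jdx/mise-action@v3` and the SHA-pinned `jdx/mise-action` whose comment says only `# v3`; the `actions/checkout` line, pinned and annotated `# v6.0.1`, passes.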
| id: ${{ secrets.RELEASE_APP_ID }} | ||
| private-key: ${{ secrets.RELEASE_APP_PEM }} |
The GitHub App configuration uses secret references (RELEASE_APP_ID and RELEASE_APP_PEM) that don't match the secrets used in the workflows. The workflows reference PULUMI_PROVIDER_AUTOMATION_APP_ID and PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY from ESC secrets, not GitHub Secrets. Either the configuration needs to be updated to reference the correct secret names that will be provided by ESC, or the workflow references need to be changed to match these secret names.
| id: ${{ secrets.RELEASE_APP_ID }} | |
| private-key: ${{ secrets.RELEASE_APP_PEM }} | |
| id: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_APP_ID }} | |
| private-key: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }} |
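Review bot: The suggested lines keep the `${{ secrets.… }}` context while the comment above says these two values come from ESC rather than repository secrets; if ESC injects them as environment variables, the lookup needs the `env.` context instead, so applying the rename alone would leave the app-token step with empty inputs. Confirm how ESC surfaces the values before changing the names.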
| golangci-lint = "2.6.2" # See note about about overrides if you need to customize this. | ||
| "github:pulumi/pulumictl" = '0.0.50' | ||
| "github:pulumi/schema-tools" = "0.6.0" | ||
| "aqua:gradle/gradle-distributions" = '7.6.6' |
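Review bot: The comment on the `golangci-lint` line has a duplicated word ("about about"); it should read "See note about overrides". The version strings also mix single and double quotes (`'0.0.50'` and `'7.6.6'` next to `"0.6.0"`); both are valid TOML, but one style keeps diffs like this one easier to scan.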
There's a version mismatch between the gradle version in mise configuration (7.6.6) and the gradle version used in verify-release.yml (7.6). This could lead to inconsistent builds between different workflows. The gradle versions should be aligned to ensure consistent behavior across all workflows.
| "aqua:gradle/gradle-distributions" = '7.6.6' | |
| "aqua:gradle/gradle-distributions" = '7.6' |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | ||
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | ||
| with: | ||
| persist-credentials: false |
The checkout step has persist-credentials set to false, but the Renovate commit workflow requires git push capabilities. While the workflow uses the PULUMI_BOT_TOKEN for pushing (line 144), this may not work as expected because the local git credentials won't be properly configured without persisted credentials. Consider either setting persist-credentials to true or ensuring the GitHub App token has the necessary permissions and is properly configured for git operations.
| persist-credentials: false | |
| persist-credentials: true |
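Review bot: Switching `persist-credentials` to `true` would write the job's default GITHUB_TOKEN into `.git/config` for every later step, which widens what a compromised step can read and works against this PR's move away from GITHUB_TOKEN. Keep `false` and have the push step authenticate explicitly with the bot/app token for that step only (for example by supplying it in the remote URL), which is the pattern `persist-credentials: false` is meant to encourage.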
| - name: Setup mise | ||
| uses: jdx/mise-action@v3 | ||
| uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3 | ||
| env: | ||
| MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s | ||
| with: | ||
| # Latest working version. See https://github.com/jdx/mise/discussions/6781 | ||
| version: 2025.10.16 | ||
| version: 2025.11.6 | ||
| github_token: ${{ secrets.GITHUB_TOKEN }} |
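Review bot: The comment `# Latest working version. See https://github.com/jdx/mise/discussions/6781` was written for 2025.10.16 and now sits above 2025.11.6; either drop it or update it to say why this version was chosen. The SHA pin on `jdx/mise-action` is annotated only with `# v3`, whereas the other pins in this PR record the exact release (e.g. `# v6.0.1`); use the exact tag so a reviewer can check that the SHA matches it and automated updaters can track it.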
The resync-build workflow still uses secrets.GITHUB_TOKEN for the mise setup instead of GitHub App authentication. This is inconsistent with other workflows and may still face rate limiting issues. The workflow should use GitHub App authentication similar to other workflows, with the app-auth step added before the mise setup.
| @@ -1,4 +1,4 @@ | |||
| FROM jetpackio/devbox:latest | |||
| FROM jetpackio/devbox:latest@sha256:293d6d0a33205e88550198835e68bcff65a2e33d143857ad92c6c888e6a75ad7 | |||
The Dockerfile base image has been pinned to a specific SHA256 digest. However, this digest should be verified as valid for the 'latest' tag of jetpackio/devbox. If the digest is incorrect or doesn't correspond to the intended version, the container build will fail or use an unexpected image version.
| FROM jetpackio/devbox:latest@sha256:293d6d0a33205e88550198835e68bcff65a2e33d143857ad92c6c888e6a75ad7 | |
| FROM jetpackio/devbox:latest |
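Review bot: Dropping the digest, as this suggestion does, reverts the pin instead of verifying it and leaves the devcontainer floating on whatever `latest` resolves to at build time, which is the opposite of the SHA-pinning the rest of this PR introduces. Check the digest against the tag instead (e.g. `docker buildx imagetools inspect jetpackio/devbox:latest` prints the tag's current digest) and record the result in a comment beside the `FROM` line.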
Summary
GITHUB_TOKEN with GitHub App tokens across all CI workflows to avoid rate limiting issues
Changes
- actions/create-github-app-token added to all workflows
- github-app settings added to .ci-mgmt.yaml
Files Changed
Primarily .github/workflows/*.yml and supporting config files.