fix(docker): patch Alpine OS-level vulnerabilities in all images

eFAILution · eFAILution · commit 0ead1b3e4213 · 2026-04-11T18:41:10.000-04:00
Added apk upgrade --no-cache to all 4 Dockerfiles to pull patched versions of Alpine system packages. Mitigates 9 CVEs: libcrypto3/libssl3: CVE-2026-28390 (HIGH), CVE-2026-31790 (MEDIUM), 5 LOW — fix: 3.5.5-r0 → 3.5.6-r0 libuuid: CVE-2026-27456 (MEDIUM) — fix: 2.41.2-r0 → 2.41.4-r0 musl: CVE-2026-40200 — fix: 1.2.5-r21 → 1.2.5-r23 Remaining vulns are in Go stdlib (v1.26.1) inside compiled binaries from trivy, grype, syft, gitleaks, actionlint. These require upstream tool authors to rebuild with Go 1.26.2 — cannot be patched by us.
diff --git a/docker/Dockerfile.bandit b/docker/Dockerfile.bandit
@@ -4,6 +4,9 @@ LABEL org.opencontainers.image.source="https://github.com/huntridge-labs/argus"
 LABEL org.opencontainers.image.description="Argus Bandit Python SAST Scanner"
 LABEL org.opencontainers.image.licenses="AGPL-3.0"
 
+# Patch OS-level vulnerabilities before anything else
+RUN apk upgrade --no-cache
+
 RUN adduser -D -u 1000 argus
 RUN pip install --no-cache-dir 'bandit[toml,sarif]==1.9.4'
 
diff --git a/docker/Dockerfile.cli b/docker/Dockerfile.cli
@@ -53,11 +53,12 @@ LABEL org.opencontainers.image.licenses="AGPL-3.0"
 
 ARG ZIZMOR_VERSION=1.23.1
 
-# ClamAV requires apk — no official static binary for Alpine
+# Install system packages and patch OS-level vulnerabilities
 RUN apk add --no-cache \
     clamav \
     clamav-libunrar \
-    git
+    git && \
+    apk upgrade --no-cache
 
 # Copy binary tools from builder
 COPY --from=builder /usr/local/bin/trivy      /usr/local/bin/trivy
diff --git a/docker/Dockerfile.opengrep b/docker/Dockerfile.opengrep
@@ -13,6 +13,9 @@ LABEL org.opencontainers.image.source="https://github.com/huntridge-labs/argus"
 LABEL org.opencontainers.image.description="Argus OpenGrep SAST Scanner"
 LABEL org.opencontainers.image.licenses="AGPL-3.0"
 
+# Patch OS-level vulnerabilities before anything else
+RUN apk upgrade --no-cache
+
 COPY --from=builder /usr/local/bin/opengrep /usr/local/bin/opengrep
 
 RUN adduser -D -u 1000 argus
diff --git a/docker/Dockerfile.supply-chain b/docker/Dockerfile.supply-chain
@@ -14,6 +14,9 @@ LABEL org.opencontainers.image.licenses="AGPL-3.0"
 
 ARG ZIZMOR_VERSION=1.23.1
 
+# Patch OS-level vulnerabilities before anything else
+RUN apk upgrade --no-cache
+
 COPY --from=builder /usr/local/bin/actionlint /usr/local/bin/actionlint
 
 RUN pip install --no-cache-dir "zizmor==${ZIZMOR_VERSION}"
