Skip to content

Refresh pinned Debian slim image digests#12892

Open
aldrinjenson wants to merge 1 commit into
neondatabase:mainfrom
aldrinjenson:aj/refresh-neon-debian-digests
Open

Refresh pinned Debian slim image digests#12892
aldrinjenson wants to merge 1 commit into
neondatabase:mainfrom
aldrinjenson:aj/refresh-neon-debian-digests

Conversation

@aldrinjenson

Copy link
Copy Markdown

Summary

Refresh the pinned Debian slim index digests used by the storage image, build-tools image, and compute-node image builds.

The current pinned bookworm-slim and bullseye-slim digests point at older Debian image indices. Because the final runtime images are assembled from these pinned bases, rebuilding against refreshed Debian indices should reduce stale OS package findings in downstream container scanners without changing Neon application code or Dockerfile structure.

Why

We run Neon self-hosted and container vulnerability scans flagged stale Debian base packages in the published ghcr.io/neondatabase/neon and ghcr.io/neondatabase/compute-node-v16 images. We are temporarily using derivative images that run a Debian package refresh, but the better long-term fix is for upstream Neon images to rebuild from current pinned Debian bases so downstream users do not need to maintain forks.

Validation

  • git diff --check
  • Confirmed the new Debian index digests resolve with docker buildx imagetools inspect.
  • Compared Trivy Critical/High findings on the old vs. new base image indices:
    • bookworm-slim: 2 Critical / 22 High -> 2 Critical / 10 High
    • bullseye-slim: 3 Critical / 27 High -> 3 Critical / 14 High

I did not run the full Neon image build locally because the compute image build is large; this PR only updates the pinned Debian index digest values used by the existing build flow.

@aldrinjenson aldrinjenson requested a review from a team as a code owner May 5, 2026 18:02
@aldrinjenson aldrinjenson requested review from ololobus and thesuhas May 5, 2026 18:02
@aldrinjenson

Copy link
Copy Markdown
Author

Additional context tying this PR back to the self-hosted image CVE report in #12887:

This PR addresses the Debian base-image portion of that issue. The current Dockerfiles intentionally pin Debian slim image index digests here:

  • Dockerfile
  • build-tools/Dockerfile
  • compute/compute-node.Dockerfile

Those pinned values are substituted whenever the build arg resolves to debian:bookworm-slim or debian:bullseye-slim, so the final Neon storage/control-plane image and compute-node images are built from those pinned Debian bases rather than whatever the moving tag currently points at.

How to verify the new SHAs:

# Current Docker Hub index digest for bookworm-slim
docker buildx imagetools inspect debian:bookworm-slim | sed -n '1,12p'
# Expected digest in this PR:
# sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252

# Current Docker Hub index digest for bullseye-slim
docker buildx imagetools inspect debian:bullseye-slim | sed -n '1,12p'
# Expected digest in this PR:
# sha256:1a4701c321b1d28b1ff5f0230e766791e4b79b1d4c6c7a70064f4b297b1a330f

How to verify this is related to the CVE report:

# Old pinned base image indices from main
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy:latest image \
  --quiet --scanners vuln --severity CRITICAL,HIGH debian@sha256:40b107342c492725bc7aacbe93a49945445191ae364184a6d24fedb28172f6f7

docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy:latest image \
  --quiet --scanners vuln --severity CRITICAL,HIGH debian@sha256:e831d9a884d63734fe3dd9c491ed9a5a3d4c6a6d32c5b14f2067357c49b0b7e1

# New pinned base image indices from this PR
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy:latest image \
  --quiet --scanners vuln --severity CRITICAL,HIGH debian@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252

docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy:latest image \
  --quiet --scanners vuln --severity CRITICAL,HIGH debian@sha256:1a4701c321b1d28b1ff5f0230e766791e4b79b1d4c6c7a70064f4b297b1a330f

I saw this base-image delta locally with Trivy 0.70.0:

  • bookworm-slim: 2 Critical / 22 High -> 2 Critical / 10 High
  • bullseye-slim: 3 Critical / 27 High -> 3 Critical / 14 High

So this does not claim to fix every finding in #12887. It is a narrow first step that removes stale Debian base-layer findings when Neon rebuilds/publishes images. The remaining findings called out in #12887, such as Go/Python/runtime dependency findings and CVEs with no upstream fix, would still need separate changes or a fresh published image after those runtimes are updated.

@Pckool

Pckool commented May 6, 2026

Copy link
Copy Markdown

+1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants