From 15cdf44f31e6c8474d52dbd84f8735d89de7ea03 Mon Sep 17 00:00:00 2001 From: claudijd Date: Wed, 13 Jul 2022 18:44:53 -0400 Subject: [PATCH 1/4] Add docker pinning --- .github/workflows/docker.yaml | 2 ++ docker/Dockerfile | 3 ++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index 59dd36ea3..cce379704 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -7,6 +7,7 @@ on: env: SOLANA_VERSION: 1.10.29 + SOLANA_DOCKER_IMAGE_HASH: 78900501ccd1ade1bf088fa0830c46bc6095c6799469ff9b335e1f02d957e53a DOCKER_HUB: docker.io DOCKER_USER: ${{ secrets.DOCKER_IO_USER }} IS_RELEASE: ${{ @@ -35,6 +36,7 @@ jobs: docker build \ --file docker/Dockerfile \ --build-arg SOLANA_VERSION="${SOLANA_VERSION}" \ + --build-arg SOLANA_DOCKER_IMAGE_HASH="${SOLANA_DOCKER_IMAGE_HASH}" \ --tag "${DOCKER_IMAGE}" \ . diff --git a/docker/Dockerfile b/docker/Dockerfile index 364c01d1d..3a8ced9e1 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -1,5 +1,6 @@ ARG SOLANA_VERSION -FROM solanalabs/solana:v${SOLANA_VERSION} +ARG SOLANA_DOCKER_IMAGE_HASH +FROM solanalabs/solana:v${SOLANA_VERSION}@sha256:${SOLANA_DOCKER_IMAGE_HASH} # Redeclare SOLANA_VERSION in the new build stage. # Persist in env for docker run & inspect. From 75b76e20a37c54fb05d7e25eb10b616918584bf1 Mon Sep 17 00:00:00 2001 From: claudijd Date: Wed, 13 Jul 2022 18:47:23 -0400 Subject: [PATCH 2/4] Add ubuntu docker pin --- docker/fuzz/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/fuzz/Dockerfile b/docker/fuzz/Dockerfile index 69b6b2d22..9d790424a 100644 --- a/docker/fuzz/Dockerfile +++ b/docker/fuzz/Dockerfile @@ -1,4 +1,4 @@ -FROM ubuntu:20.04 +FROM ubuntu:20.04@sha256:fd92c36d3cb9b1d027c4d2a72c6bf0125da82425fc2ca37c414d4f010180dc19 ENV DEBIAN_FRONTEND=noninteractive RUN apt-get update From a75b924ccff61ff5c117a66f57fae677c382e96f Mon Sep 17 00:00:00 2001 
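Review bot: `SOLANA_DOCKER_IMAGE_HASH` is added as a bare 64-hex literal with nothing tying it to `SOLANA_VERSION: 1.10.29`, so a future version bump that forgets the digest would keep building the old image while the tag claims otherwise (in the Dockerfile hunk below the digest, not the tag, selects the image). Add a comment above it such as `# Digest of solanalabs/solana:v${SOLANA_VERSION}; refresh together with SOLANA_VERSION (docker buildx imagetools inspect solanalabs/solana:v<version>)`. Whether this is the multi-arch manifest-list digest or a single-platform image digest cannot be seen here; if it is the latter, pulls on other architectures will fail. The `env:` block continues beyond the hunk.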
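Review bot: With `FROM solanalabs/solana:v${SOLANA_VERSION}@sha256:${SOLANA_DOCKER_IMAGE_HASH}` Docker resolves the image by digest and ignores the tag, so `SOLANA_VERSION` no longer chooses what gets built, and a tag/digest mismatch is silent. When the new build-arg is omitted (a plain `docker build -f docker/Dockerfile .`), the reference expands to `...@sha256:` and the build stops at FROM with an invalid-reference error that does not name the missing argument. Document the contract on the declaration, `ARG SOLANA_DOCKER_IMAGE_HASH  # required: digest of solanalabs/solana:v${SOLANA_VERSION}; the digest, not the tag, selects the image`, so local builders know what to pass. The rest of the Dockerfile stage continues outside the hunk.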
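Review bot: The pinned `FROM ubuntu:20.04@sha256:fd92…` line records nothing about when the digest was taken or how to refresh it, and since Docker now resolves by digest the `20.04` tag is documentation only. Add a comment above it, `# ubuntu:20.04 digest as of 2022-07-13; refresh with: docker buildx imagetools inspect ubuntu:20.04`, so the next bump is a deliberate step rather than a stale copy. As with the solana image, it is not visible here whether this is the manifest-list digest or a single-architecture one; if the fuzz image is built on more than one architecture, confirm the former. Note that the pinning script introduced in patch 3 accepts this line only because it contains the substring `sha256`.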
From: claudijd Date: Wed, 13 Jul 2022 18:57:07 -0400 Subject: [PATCH 3/4] Add workflow to enforce docker pinning --- .github/workflows/docker.yaml | 7 +++++++ scripts/check-docker-pin.sh | 20 ++++++++++++++++++++ 2 files changed, 27 insertions(+) create mode 100755 scripts/check-docker-pin.sh diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index cce379704..78696635c 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -51,3 +51,10 @@ jobs: docker image push "${PUB_IMAGE}" } echo "${{ secrets.DOCKER_IO_PASS }}" | publish + pinning: + runs-on: ubuntu-latest + steps: + - name: Check out source + uses: actions/checkout@v2 + - run: chmod 755 ./scripts/check-docker-pin.sh + - run: ./scripts/check-docker-pin.sh diff --git a/scripts/check-docker-pin.sh b/scripts/check-docker-pin.sh new file mode 100755 index 000000000..726cd33fe --- /dev/null +++ b/scripts/check-docker-pin.sh @@ -0,0 +1,20 @@ +#!/usr/bin/env bash + +# This script is checks to that all our Docker images are pinned to a specific SHA256 hash +# +# References as to why... +# - https://nickjanetakis.com/blog/docker-tip-18-please-pin-your-docker-image-versions +# - https://snyk.io/blog/10-docker-image-security-best-practices/ (Specifically: USE FIXED TAGS FOR IMMUTABILITY) +# +# Explaination of regex ignore choices +# - We ignore sha256 because it suggests that the image dep is pinned +# - We ignore scratch because it's literally the docker base image +# - We ignore solana AS (builder|ci_tests) because it's a relative reference to another FROM call +# +git ls-files | grep "Dockerfile*" | xargs grep -s "FROM" | egrep -v 'sha256|scratch' +if [ $? -eq 0 ]; then + echo "[!] Unpinned docker files" >&2 + exit 1 +else + echo "[+] No unpinned docker files" +fi \ No newline at end of file From bbadbc261e2135d2b340601c9607ba8d97d3abac Mon Sep 17 00:00:00 2001 
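Review bot: The job that enforces digest pinning itself pulls `actions/checkout@v2` by a mutable tag, which is the same class of supply-chain exposure the script is meant to close for images; pin it to a full commit SHA with the version kept as a comment, `uses: actions/checkout@<commit-sha> # v2`. The `chmod 755 ./scripts/check-docker-pin.sh` step is redundant, since this series creates the script with mode 100755 (`create mode 100755 scripts/check-docker-pin.sh`), and can be dropped. The enclosing `jobs:` map starts before the hunk.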
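Review bot: The filter `git ls-files | grep "Dockerfile*" | xargs grep -s "FROM" | egrep -v 'sha256|scratch'` is a substring test on both sides, so it both misses and mis-passes cases: `grep "FROM"` is case-sensitive and unanchored (a lowercase `from ubuntu:20.04` is never examined, while a comment mentioning FROM is), and `egrep -v 'sha256|scratch'` accepts any line containing those substrings, including a `@sha256:${VAR}` reference whose variable may be empty or an image whose name merely contains `scratch`. The file pattern `"Dockerfile*"` is also a BRE in which `e*` means zero-or-more, so it effectively matches `Dockerfil`. Anchor both sides as below (FROM at line start, case-insensitive; pinned means a full 64-hex digest or `scratch` as the image), replace the deprecated `egrep` with `grep -E`, and end the file with a newline. References to a named build stage would be flagged by both the original and this version; patch 4 drops the comment that claimed otherwise.
```shell
#!/usr/bin/env bash
set -u
# … unchanged: header comments …
# Examine FROM instructions only (case-insensitive, leading whitespace allowed);
# a line counts as pinned when it carries a full 64-hex digest or builds from scratch.
unpinned="$(git ls-files -- '*Dockerfile*' \
  | xargs -r grep -HinsE '^[[:space:]]*FROM[[:space:]]' \
  | grep -Ev '@sha256:[0-9a-f]{64}([[:space:]]|$)|[[:space:]]scratch([[:space:]]|$)')"
if [ -n "${unpinned}" ]; then
  printf '%s\n' "${unpinned}" >&2
  echo "[!] Unpinned docker files" >&2
  exit 1
fi
echo "[+] No unpinned docker files"
```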
From: claudijd Date: Wed, 13 Jul 2022 18:58:01 -0400 Subject: [PATCH 4/4] Remove copy pasta from script --- scripts/check-docker-pin.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/scripts/check-docker-pin.sh b/scripts/check-docker-pin.sh index 726cd33fe..2daef6f23 100755 --- a/scripts/check-docker-pin.sh +++ b/scripts/check-docker-pin.sh @@ -9,7 +9,6 @@ # Explaination of regex ignore choices # - We ignore sha256 because it suggests that the image dep is pinned # - We ignore scratch because it's literally the docker base image -# - We ignore solana AS (builder|ci_tests) because it's a relative reference to another FROM call # git ls-files | grep "Dockerfile*" | xargs grep -s "FROM" | egrep -v 'sha256|scratch' if [ $? -eq 0 ]; then