pyth-network · claudijd · Jul 14, 2022 · Jul 13, 2022 · Jul 13, 2022 · Jul 13, 2022
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
@@ -7,6 +7,7 @@ on:
 
 env:
   SOLANA_VERSION: 1.10.29
+  SOLANA_DOCKER_IMAGE_HASH: 78900501ccd1ade1bf088fa0830c46bc6095c6799469ff9b335e1f02d957e53a
   DOCKER_HUB: docker.io
   DOCKER_USER: ${{ secrets.DOCKER_IO_USER }}
   IS_RELEASE: ${{
@@ -35,6 +36,7 @@ jobs:
           docker build \
             --file docker/Dockerfile \
             --build-arg SOLANA_VERSION="${SOLANA_VERSION}" \
+            --build-arg SOLANA_DOCKER_IMAGE_HASH="${SOLANA_DOCKER_IMAGE_HASH}" \
             --tag "${DOCKER_IMAGE}" \
             .
 
@@ -49,3 +51,10 @@ jobs:
             docker image push "${PUB_IMAGE}"
           }
           echo "${{ secrets.DOCKER_IO_PASS }}" | publish
+  pinning:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out source
+        uses: actions/checkout@v2
+      - run: chmod 755 ./scripts/check-docker-pin.sh
+      - run: ./scripts/check-docker-pin.sh
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -1,5 +1,6 @@
 ARG SOLANA_VERSION
-FROM solanalabs/solana:v${SOLANA_VERSION}
+ARG SOLANA_DOCKER_IMAGE_HASH
+FROM solanalabs/solana:v${SOLANA_VERSION}@sha256:${SOLANA_DOCKER_IMAGE_HASH}
 
 # Redeclare SOLANA_VERSION in the new build stage.
 # Persist in env for docker run & inspect.

diff --git a/docker/fuzz/Dockerfile b/docker/fuzz/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:20.04
+FROM ubuntu:20.04@sha256:fd92c36d3cb9b1d027c4d2a72c6bf0125da82425fc2ca37c414d4f010180dc19
 
 ENV DEBIAN_FRONTEND=noninteractive
 RUN apt-get update

diff --git a/scripts/check-docker-pin.sh b/scripts/check-docker-pin.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+# This script is checks to that all our Docker images are pinned to a specific SHA256 hash
+#
+# References as to why...
+#   - https://nickjanetakis.com/blog/docker-tip-18-please-pin-your-docker-image-versions
+#   - https://snyk.io/blog/10-docker-image-security-best-practices/ (Specifically: USE FIXED TAGS FOR IMMUTABILITY)
+#
+# Explaination of regex ignore choices
+#   - We ignore sha256 because it suggests that the image dep is pinned
+#   - We ignore scratch because it's literally the docker base image
+#
+git ls-files | grep "Dockerfile*" | xargs grep -s "FROM" | egrep -v 'sha256|scratch'
+if [ $? -eq 0 ]; then
+   echo "[!] Unpinned docker files" >&2
+   exit 1
+else
+   echo "[+] No unpinned docker files"
+fi