From f953da340e5e65538b180cb014132f54523a465c Mon Sep 17 00:00:00 2001 From: "Jose I. Paris" Date: Tue, 14 Apr 2026 12:46:47 +0200 Subject: [PATCH] update skill Signed-off-by: Jose I. Paris --- .../skills/vulnerability-remediation/SKILL.md | 22 +++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/.claude/skills/vulnerability-remediation/SKILL.md b/.claude/skills/vulnerability-remediation/SKILL.md index 33552a505..9343e8eaf 100644 --- a/.claude/skills/vulnerability-remediation/SKILL.md +++ b/.claude/skills/vulnerability-remediation/SKILL.md @@ -80,8 +80,8 @@ The binary path (e.g. `/atlas`, `/app`) tells you which binary inside the image **Source file**: `app/controlplane/Dockerfile.migrations` **Fix procedure**: -1. Check the current atlas version in the comment at the top of the Dockerfile (e.g. `# atlas version v1.1.0`) -2. Find the latest available version: +1. Check the current atlas version in the comment at the top of the Dockerfile (e.g. `# atlas version v1.2.0`) +2. Find the latest available stable version: ```bash curl -s "https://registry.hub.docker.com/v2/repositories/arigaio/atlas/tags?page_size=20&ordering=last_updated" \ | python3 -c "import json,sys; [print(t['name']) for t in json.load(sys.stdin)['results'] if t['name'][0].isdigit() and '-' not in t['name']]" 
@@ -92,18 +92,28 @@ The binary path (e.g. `/atlas`, `/app`) tells you which binary inside the image grype arigaio/atlas: --only-fixed 2>&1 ``` A clean run has only the header line and no CVE rows. -4. Once a clean version is confirmed, pull it and get its digest: +4. **If the latest stable tag still has CVEs**, also check the `latest` tag — atlas rebuilds it frequently with updated Go toolchain and dependencies: + ```bash + docker pull arigaio/atlas:latest + grype arigaio/atlas:latest --only-fixed 2>&1 + docker run --rm arigaio/atlas:latest version + ``` + If `latest` is clean and the version is a reasonable increment (e.g. canary of the next patch), it is acceptable since the image is pinned by digest. +5. Once a clean version is confirmed, pull it and get its digest: ```bash docker pull arigaio/atlas: docker inspect --format='{{index .RepoDigests 0}}' arigaio/atlas: ``` -5. Update `app/controlplane/Dockerfile.migrations`: +6. Update `app/controlplane/Dockerfile.migrations`: ```dockerfile # from: arigaio/atlas: # docker run arigaio/atlas@sha256: version # atlas version v FROM arigaio/atlas@sha256: as base ``` +7. Update `ATLAS_VERSION` in the following files to match the latest **stable** version (used for CLI tool installation, not the Docker image): + - `common.mk` — the `ATLAS_VERSION=vX.X.X` in the `init` target + - `.github/workflows/test.yml` — the `ATLAS_VERSION: vX.X.X` env variable ### 4b. Go stdlib / Go module vulnerabilities (backend) @@ -184,6 +194,8 @@ Summarise the findings and changes in this format: ### Files Changed - `app/controlplane/Dockerfile.migrations` — atlas vX.X.X → vX.X.X +- `common.mk` — ATLAS_VERSION vX.X.X → vX.X.X (if upgraded) +- `.github/workflows/test.yml` — ATLAS_VERSION vX.X.X → vX.X.X (if upgraded) ### PR 
@@ -198,6 +210,8 @@ Summarise the findings and changes in this format: | chainloop-best-practices framework ID | `0ceef195-6900-4166-8407-77eb84954ed3` | | Continuous-scanning workflow ID | `c506a425-d307-4a59-9132-659ffd417b57` | | Migrations Dockerfile | `app/controlplane/Dockerfile.migrations` | +| Atlas CLI version (Makefile) | `common.mk` — `ATLAS_VERSION=vX.X.X` in `init` target | +| Atlas CLI version (CI) | `.github/workflows/test.yml` — `ATLAS_VERSION: vX.X.X` env | | Backend go.mod | `go.mod` (root) | ## Important Notes
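Review bot: in step 2 of the first hunk, the Docker Hub query returns only the 20 most recently updated tags (`page_size=20&ordering=last_updated`), so a burst of canary or prerelease pushes can displace the newest stable tag from that window and the `'-' not in t['name']` filter will then report an older stable version as the latest; raise `page_size` or follow the `next` URL in the response before trusting the result.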
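Review bot: the new step 4 scans the mutable `latest` tag (`grype arigaio/atlas:latest --only-fixed`) but the digest is only captured later in step 5 with `docker inspect --format='{{index .RepoDigests 0}}'`, so if `latest` is re-pushed and re-pulled between the two steps the digest written into the Dockerfile may not be the build that was verified clean; take the digest immediately after the pull and re-run grype against the digest reference (`arigaio/atlas@sha256:…`) so the scanned artifact and the pinned artifact are identical. The same hunk also leaves an inconsistency: step 7 pins `ATLAS_VERSION` to the latest **stable** while step 4 permits a canary image, so the `# atlas version v` comment in step 6 and the CLI version will diverge; state that the comment records the `docker run ... version` output and that a mismatch with `ATLAS_VERSION` is expected in that case.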