fix: [CI-23216]: bump docker:dind to 29.6.0 and buildx to v0.35.0#110
Draft
vinayakharness2026 wants to merge 1 commit into
Draft
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Vulnerability Remediation: harnesssecure/buildx-ecr
Team: ci (Harness CI Platform)
Tickets: CI-23216 — Security Vulnerability Fixes - harnesssecure/buildx-ecr (P2, parent EPIC CI-23213)
Test image:
vinayakharness/buildx-ecr-test:buildx-ecr-1.6--debugOnDemand scanner runs (Harness https://harness0.harness.io/):
Summary
The reported image (
harnesssecure/buildx-ecr:1.5) inherits its CVEs almost entirely fromdocker:28.5.2-dind(Alpine 3.22.2) plus a stalebuildx v0.23.0binary. Bumping the docker:dindbase to 29.6.0-dind and
buildxto v0.35.0 cuts Trivy-reported CVEs from 626 → 176(-72%), and CRITICAL findings from 17 → 3 (-82%). The OnDemand (Prisma Cloud / Snyk) scanners
report the same direction: deduplicated issue counts drop by 64% (Prisma 53→19) and 31%
(Snyk 55→38).
The remaining residual HIGH/CRITICAL findings are upstream-pending in
docker:29.6.0-dind's vendored Go modules (google.golang.org/grpc,containerd/v2,golang.org/x/net)— the next moby/dockerd point release will roll these forward.
Recommendation: REVIEW (draft). Significant net reduction with one major version bump
(28.x→29.x docker:dind, REQUIRED — no fixes backported into the 28.x line by upstream).
CVE Delta — Trivy (local scan)
CVE Delta — Harness OnDemand
Severity-by-severity counts were not retrievable: the STO REST API was returning 5xx during
this run when paginating issues. The per-scan deduplicated totals are below (more reliable than
totals across the v2/issues endpoint, which returned identical 24 371 across all severity filters
in this account, suggesting filter handling is broken upstream).
Per-Ticket CVE Status
CI-23216 reports aggregate counts only (Crit:2 High:28 Med:31 Low:3 Unique:64), not specific CVE
IDs, so the table below summarises the most-impactful CVE classes that Trivy actually identifies
in
harnesssecure/buildx-ecr:1.5and how this change moves them.CI-23216 — P2: Security Vulnerability Fixes - harnesssecure/buildx-ecr
Changes Made
docker/docker/Dockerfile.linux.amd64FROM docker:28.5.2-dind→FROM docker:29.6.0-dinddocker/docker/Dockerfile.linux.amd64BUILDX_URLv0.23.0 → v0.35.0 (linux-amd64)docker/docker/Dockerfile.linux.arm64FROM arm64v8/docker:28.5.2-dind→FROM arm64v8/docker:29.6.0-dinddocker/docker/Dockerfile.linux.arm64BUILDX_URLv0.23.0 → v0.35.0 (linux-arm64)Version selection rationale:
docker:dind: chose 29.6.0-dind because thedocker/dockerGo module fix is>= 29.3.1and no 28.x backport is published. Among 29.x tags, the latest stable (29.6.0-dind) ships the
most recent vendored containerd, runc, openssl, musl, libexpat, zlib, otel and Go toolchain —
taking it gets the maximum CVE drop in one bump. Minimum-safe is 29.3.1; we picked 29.6.0 for
the broader cleanup.
buildx: chose v0.35.0 because themoby/buildkitfix is>= 0.28.1, otel/sdk fix is>= 1.40.0, grpc fix is>= 1.79.3, andgolang.org/x/netfix is>= 0.53.0— only v0.34.0+satisfies all four. v0.35.0 also ships x/net v0.55.0 and x/crypto v0.52.0, fully resolving
several HIGH groups that v0.34.x leaves on the residual list.
Breaking-Change Warnings
Newly Introduced CVEs
usr/local/bin/runcusr/local/bin/runc/bin/buildx-ecrcompiled with golang:1.26-rc to satisfy go.mod'sgo 1.26requirementThe two MEDIUM
x/net@v0.35.0findings are upstream inruncshipped withdocker:29.6.0-dindand will be resolved when moby publishes a
runcrebuild. The threestdlib@v1.26rc3findingsare an artefact of the test image only —
drone-buildx-ecr/go.moddeclaresgo 1.26, so thetest build had to use
golang:1.26-rc(the only available 1.26 image at this time). Theproduction CI uses
golang:1.24.11, so the released image will not carry the rc3 stdlib CVEs.Test Plan
plugins/buildx:linux-amd64and run a sample buildplugins/buildx-ecr,plugins/buildx-gcr,plugins/buildx-gar,plugins/buildx-acrcontinue to authenticate and pushthe test-image after-scan
🤖 Auto-generated by Harness vuln-remediation skill (run via Claude Code agent).