
security: Supply-chain hardening (proposal, auto-generated) #1569

Draft
kaitoyama wants to merge 2 commits into main from security/supply-chain-hardening

Conversation

@kaitoyama

Contributor

Important

This is an automatically generated "remediation proposal" PR.
It applies mechanical changes to make it easier to move forward with CI / supply-chain hardening.
Please verify yourselves, as maintainers, that the changes are correct and that CI passes. The PR may contain false positives or changes that are unnecessary in the context of this repository; feel free to partially revert or close anything that is not needed.

This proposal is based on a security audit of the entire traPtitech org.

Applied changes

✅ Pinned Docker base images to digests (6 places)

Appended @sha256:... to the mutable tags of images from trusted publishers (Docker official images, distroless, ghcr.io/traPtitech, etc.).

  • golang:1.26.3-alpine (Dockerfile)
  • alpine:3.23.4 (Dockerfile)
  • golang:1.26.3-alpine (docker/dev/Dockerfile)
  • mariadb:12.1.2 (docker/dev/docker-compose.yaml)
  • golang:1.26.3-alpine (docker/test/Dockerfile)
  • mariadb:12.1.2 (docker/test/docker-compose.yaml)

Please confirm

  • Confirmed that CI passes

References

  • SHA pinning: pinact, Dependabot (github-actions) and Renovate (helpers:pinGitHubActionDigests) can also keep these pins updated automatically
  • Docker Hardened Images

🤖 This PR was generated automatically as part of the traPtitech org security audit.
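As an added example (not code from this PR or from the traPtitech repository), here is a small Python checker for the property the PR enforces: a tag such as golang:1.26.3-alpine is mutable and can be re-pushed by the registry owner or an attacker with push access, whereas a reference carrying @sha256:<digest> is content-addressed and can only change when the build file itself is edited. The script flags Dockerfile FROM lines and docker-compose image: entries that still lack a digest (skipping scratch and references to earlier build stages), and can rewrite them given a tag-to-digest map. The sample Dockerfile, compose snippet and the digest value are constructed placeholders; the repository's real file contents are not on this page. Real digests for the map would come from a registry query such as `docker buildx imagetools inspect <ref>` or `crane digest <ref>`.

```python
"""Digest-pinning check for Dockerfile and docker-compose image references.

Added example; sample inputs below are constructed, not the repository's files.
"""
import re
import sys
from typing import Dict, List, Set, Tuple

# An image reference counts as digest-pinned only if it ends in @sha256:<64 hex>.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# Dockerfile:  FROM [--platform=...] <ref> [AS <alias>]
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?\s*$", re.IGNORECASE)
# docker-compose:  image: <ref>   (optionally quoted, optionally a list item)
IMAGE_RE = re.compile(r"^\s*(?:-\s*)?image:\s*[\"']?([^\"'\s#]+)")

Finding = Tuple[int, str]  # (1-based line number, image reference)


def is_digest_pinned(ref: str) -> bool:
    return DIGEST_RE.search(ref) is not None


def unpinned_dockerfile_refs(text: str) -> List[Finding]:
    """FROM references that are neither digest-pinned, `scratch`, nor an earlier
    build stage (multi-stage builds legitimately say `FROM builder`)."""
    stages: Set[str] = set()
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        if ref != "scratch" and ref not in stages and not is_digest_pinned(ref):
            findings.append((lineno, ref))
        if alias:
            stages.add(alias)
    return findings


def unpinned_compose_refs(text: str) -> List[Finding]:
    """`image:` entries in a compose file that carry no digest."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = IMAGE_RE.match(line)
        if m and not is_digest_pinned(m.group(1)):
            findings.append((lineno, m.group(1)))
    return findings


def pin_references(text: str, digests: Dict[str, str]) -> str:
    """Append `@<digest>` to every unpinned reference that has an entry in
    `digests` (a tag -> "sha256:..." map); other lines are left untouched."""
    out: List[str] = []
    for line in text.splitlines(keepends=True):
        m = FROM_RE.match(line) or IMAGE_RE.match(line)
        if m:
            ref = m.group(1)
            if ref in digests and not is_digest_pinned(ref):
                line = line[: m.start(1)] + ref + "@" + digests[ref] + line[m.end(1):]
        out.append(line)
    return "".join(out)


# Constructed samples. PLACEHOLDER_DIGEST has the right shape but is not a real digest.
PLACEHOLDER_DIGEST = "sha256:" + "0123456789abcdef" * 4
SAMPLE_DOCKERFILE = """\
FROM --platform=$BUILDPLATFORM golang:1.26.3-alpine AS builder
WORKDIR /src
RUN go build -o /app ./...

FROM alpine:3.23.4
COPY --from=builder /app /app
FROM builder AS test
"""
SAMPLE_COMPOSE = """\
services:
  db:
    image: mariadb:12.1.2
  app:
    image: ghcr.io/example/app:1.0.0@{d}
""".format(d=PLACEHOLDER_DIGEST)


if __name__ == "__main__":
    # CI usage: python pin_check.py Dockerfile docker/dev/docker-compose.yaml
    # Exit status 1 if any reference is still tag-only.
    bad = 0
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            content = fh.read()
        check = unpinned_compose_refs if path.endswith((".yaml", ".yml")) else unpinned_dockerfile_refs
        for lineno, ref in check(content):
            print(f"{path}:{lineno}: not digest-pinned: {ref}")
            bad += 1
    sys.exit(1 if bad else 0)
```

Running it over the six files listed in the PR description would fail the job until every base image carries a digest; after the pins are in place, the same check guards against a future edit that reintroduces a bare tag. Because a digest also freezes the image, the Renovate or Dependabot update mentioned under References is the intended way to move the pin forward rather than editing it by hand.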

@coderabbitai

coderabbitai Bot commented Jun 3, 2026


Review skipped

Draft detected.


@codecov

codecov Bot commented Jun 3, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.11%. Comparing base (67d4e3a) to head (0000048).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1569   +/-   ##
=======================================
  Coverage   64.11%   64.11%           
=======================================
  Files          27       27           
  Lines        4141     4141           
=======================================
  Hits         2655     2655           
  Misses       1088     1088           
  Partials      398      398           
