
fix(migrations): upgrade atlas image to clear CVE-2026-42501 #3111

Merged: migmartri merged 1 commit into chainloop-dev:main from migmartri:worktree-sorted-toasting-tome on May 18, 2026

Conversation

migmartri (Member) commented May 13, 2026

Summary

  • Upgrade arigaio/atlas base image in app/controlplane/Dockerfile.migrations to v1.2.1-3ca392d-canary (digest sha256:29668819bfe510e06ccf84cfbf795ad504a0b310a9edbb695c1cd277edac11cb, currently tagged as :latest).
  • Clears 11 fixable Go stdlib CVEs (including High-severity CVE-2026-42501) that remain in the previous canary pin on main (v1.2.1-29c7cc3-canary, built on go1.26.2).
  • Verified with grype against the new digest: no fixable vulnerabilities reported.

AI disclosure: this contribution was assisted by Claude Code.
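The check behind the two bullets above (pin by digest, then accept the image only when grype reports nothing fixable), as an added CI-style gate that is not Chainloop's code. It assumes grype's `-o json` field layout (`matches[].vulnerability.fix.state`); the FROM lines, the report excerpt and the fix version are constructed, with only the digest and CVE id taken from the PR.

```python
"""Gate a base-image bump on (a) a digest-pinned FROM line and (b) a grype
report with zero fixable findings. Sample data is constructed for this example."""
import json
import re

# Digest copied from the PR description; the FROM lines themselves are constructed.
PINNED_FROM = ("FROM arigaio/atlas:v1.2.1-3ca392d-canary"
               "@sha256:29668819bfe510e06ccf84cfbf795ad504a0b310a9edbb695c1cd277edac11cb")
FLOATING_FROM = "FROM arigaio/atlas:latest"

# Constructed grype `-o json` excerpt: one fixable finding (the CVE named in the PR)
# and one finding with no fix available (placeholder id).
GRYPE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2026-42501", "severity": "High",
                       "fix": {"state": "fixed", "versions": ["<fixed-version>"]}},
     "artifact": {"name": "stdlib", "version": "go1.26.2"}},
    {"vulnerability": {"id": "CVE-0000-00000", "severity": "Medium",
                       "fix": {"state": "not-fixed", "versions": []}},
     "artifact": {"name": "example-pkg", "version": "0.1.0"}},
]})

# A mutable tag alone does not pass; an immutable sha256 digest must be present.
DIGEST_PIN = re.compile(r"^FROM\s+\S+@sha256:[0-9a-f]{64}(\s+AS\s+\S+)?\s*$", re.I)

def is_digest_pinned(from_line: str) -> bool:
    """True only when the FROM reference carries a sha256 digest."""
    return DIGEST_PIN.match(from_line.strip()) is not None

def fixable_findings(report_json: str) -> list[str]:
    """Return 'CVE-ID (pkg version -> fix)' for every match grype marks as fixed."""
    out = []
    for m in json.loads(report_json).get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        if vuln.get("fix", {}).get("state") == "fixed":
            fixes = ",".join(vuln["fix"].get("versions", [])) or "?"
            out.append(f"{vuln['id']} ({art['name']} {art['version']} -> {fixes})")
    return out

def gate(from_line: str, report_json: str) -> tuple[bool, list[str]]:
    """Combine both checks; returns (ok, reasons) so CI can print why it failed."""
    reasons = []
    if not is_digest_pinned(from_line):
        reasons.append("FROM is not pinned by digest")
    reasons += [f"fixable: {f}" for f in fixable_findings(report_json)]
    return (not reasons, reasons)

if __name__ == "__main__":
    for line in (FLOATING_FROM, PINNED_FROM):
        ok, why = gate(line, GRYPE_REPORT)
        print("PASS" if ok else "FAIL", line.split()[1][:40], why)
```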

migmartri requested a review from a team May 13, 2026 15:19

cubic-dev-ai (Bot) left a comment:

No issues found across 1 file

Piskoo previously approved these changes May 14, 2026
jiparis previously approved these changes May 15, 2026
migmartri dismissed stale reviews from jiparis and Piskoo via 80eefc6 May 15, 2026 09:33
jiparis previously approved these changes May 16, 2026

Commit message (80eefc6):
Updates the atlas base image from v1.2.1-29c7cc3-canary (go1.26.2,
11 fixable Go stdlib CVEs including CVE-2026-42501) to the current
v1.2.1-3ca392d-canary tagged as :latest.

Verified with grype against the new digest: no fixable vulnerabilities
reported.

Assisted-by: Claude Code
Signed-off-by: Miguel Martinez <miguel@chainloop.dev>

Chainloop-Trace-Sessions: f286dba9-20ad-4039-8d7c-7677510fec29
migmartri force-pushed the worktree-sorted-toasting-tome branch from 80eefc6 to 8eee27e May 17, 2026 20:33

chainloop-platform (Bot, Contributor) commented May 17, 2026

AI Session Analysis

Avg score: 🟢 83% · Sessions: 1 · Failing policies: ⚠️ 1 · Attribution: 100% AI / 0% Human · Files: 1 · Lines: +4 / -4 · Total Duration: 21m48s

🟢 83% — 100% AI — ⚠️ 1 policies failing

May 17, 2026 20:11 UTC · 21m48s · $4.51 · 452 in / 28.6k out · claude-code 2.1.138 (claude-opus-4-7)

Change Summary

  • Bumps the atlas image in Dockerfile.migrations from a CVE-affected digest to stable tag atlas:1.2.0.
  • AI scanned multiple image digests with grype to confirm the chosen tag is CVE-clean.
  • Obtained explicit user approval before modifying the file and force-pushing the branch.

AI Session Overall Score

🟢 83% — Well-executed security fix with thorough CVE verification, weakened only by minimal upfront planning context.

AI Session Analysis Breakdown

🟢 88% · alignment

🟢 AI correctly inferred 'close PR if confirmed' meant NOT closing when main still had CVEs. · High Impact

🟢 88% · scope-discipline

No notes.

🟢 88% · solution-quality

🟢 AI chose stable atlas:1.2.0 over a canary tag, addressing the root cause cleanly. · High Impact

🟢 88% · user-trust-signal

No notes.

🟢 88% · verification

🟢 Grype scanned multiple atlas image digests to confirm the chosen image has no fixable CVEs. · High Impact

🟡 42% · context-and-planning

🔴 Initial message was a bare PR URL with no stated goal, constraints, or acceptance criteria. · High Severity

💡 State the objective and constraints upfront so the AI can plan scope rather than infer it incrementally.

🟠 No written plan was produced before investigation began; AI had to infer scope as it went. · Medium Severity

💡 For security-investigation tasks, produce a brief plan listing images to scan and decision criteria before running tools.

🟠 AI did not proactively check for a stable image tag; user had to prompt that comparison mid-session. · Medium Severity

💡 When evaluating image upgrades, include stable vs. canary comparison in the initial investigation plan.


File Attribution

████████████████████ 100% AI / 0% Human

  • modified · ai · app/controlplane/Dockerfile.migrations · +4 / -4

Policies (4, 1 failing)

  • ✅ Passed · ai-config-ai-agents-allowed · ai-coding-session-f286db · -
  • ⚠️ Failed · ai-config-no-dangerous-commands · ai-coding-session-f286db · Forbidden bash pattern /git[^|]push[^|]--force/ matched command: git push --force-with-lease origin worktree-sorted-toasting-tome
  • ✅ Passed · ai-config-no-secrets · ai-coding-session-f286db · -
  • ✅ Passed · ai-config-mcp-servers-allowed · ai-coding-session-f286db · -

Powered by Chainloop and Chainloop Trace

migmartri merged commit 37b9c89 into chainloop-dev:main May 18, 2026
14 of 15 checks passed
3 participants