diff --git a/18_security/18.6_image_security.md b/18_security/18.6_image_security.md index 686b82b..a01ed9d 100644 --- a/18_security/18.6_image_security.md +++ b/18_security/18.6_image_security.md @@ -300,7 +300,7 @@ FROM ubuntu:latest RUN apt-get update && apt-get install -y curl # ✓ 推荐:固定基础镜像版本和摘要 -FROM ubuntu:22.04@sha256:a6d2b38300ce017add71440577d5b0a90460d0e6... +FROM ubuntu:22.04@sha256:a6d2b38300ce017add71440577d5b0a90460d0e6e0e14...(完整 64 位哈希) RUN apt-get update && apt-get install -y curl=7.68.0-1ubuntu1 ``` @@ -320,7 +320,7 @@ RUN apk add --no-cache curl && \ RUN go build -o app . -FROM alpine:3.17@sha256:abcd... +FROM alpine:3.17@sha256:abcd1234...(请替换为实际完整的 64 位摘要哈希) COPY --from=builder /app/app /app ``` @@ -405,13 +405,13 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 - name: Build Docker image - uses: docker/build-push-action@v4 + uses: docker/build-push-action@v6 with: context: . push: false @@ -427,7 +427,7 @@ jobs: severity: 'HIGH,CRITICAL' - name: Upload Trivy results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'trivy-results.sarif' @@ -439,28 +439,26 @@ jobs: output-file: sbom-cyclonedx.json - name: Upload SBOM - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: sbom path: sbom-cyclonedx.json - name: Sign image with Cosign if: github.event_name == 'push' - env: - COSIGN_EXPERIMENTAL: 1 run: | cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest - name: Login to Registry and Push if: github.event_name == 'push' - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Push image - uses: docker/build-push-action@v4 + uses: docker/build-push-action@v6 with: context: . push: true