Update clamav/clamav-debian Docker tag to v1.5.2-31#2341
Conversation
AlexSkrypnyk
added
the
Dependencies
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Repository UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (1)
WalkthroughUpdated the ClamAV Debian base image tag in the Dockerfile from Changes
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~2 minutes Possibly related issues
Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.docker/clamav.dockerfile:
- Line 15: The Dockerfile uses a mutable tag in the FROM instruction ("FROM
clamav/clamav-debian:1.5.2-31"); replace that tag with the corresponding
immutable digest (preferably the image index digest for multi-arch support) so
the base image is pinned and reproducible—update the FROM line to reference the
canonical sha256 digest for the desired release (or platform-specific digest if
intentionally targeting amd64/arm64).
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 8ad49121-b69a-4fe9-bcc4-75a9648e693b
📒 Files selected for processing (1)
.docker/clamav.dockerfile
| FROM uselagoon/commons:26.2.0 AS commons | ||
|
|
||
| FROM clamav/clamav-debian:1.5.1-30 | ||
| FROM clamav/clamav-debian:1.5.2-31 |
There was a problem hiding this comment.
🧹 Nitpick | 🔵 Trivial
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
repo="clamav/clamav-debian"
tag="1.5.2-31"
echo "Attempting to resolve digest for ${repo}:${tag}..."
# Get token
token="$(curl -fsSL "https://auth.docker.io/token?service=registry.docker.io&scope=repository:${repo}:pull" 2>&1 | jq -r '.token' 2>&1)"
if [ -z "$token" ] || [ "$token" = "null" ]; then
echo "Error: Failed to get authentication token"
exit 1
fi
echo "Token obtained: ${token:0:20}..."
# Get digest
digest="$(
curl -fsSI \
-H "Authorization: Bearer ${token}" \
-H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
"https://registry-1.docker.io/v2/${repo}/manifests/${tag}" \
2>&1 | tr -d '\r' \
| awk -F': ' '/Docker-Content-Digest/ {print $2}'
)"
if [ -z "$digest" ]; then
echo "Error: Failed to resolve digest. Tag may not exist or be accessible."
exit 1
fi
echo "Successfully resolved digest:"
echo "${repo}:${tag}@${digest}"
Repository: drevops/vortex
Length of output: 232
🏁 Script executed:
#!/bin/bash
# Try a simpler curl request to check if the tag exists
repo="clamav/clamav-debian"
tag="1.5.2-31"
# Get token
token=$(curl -fsSL "https://auth.docker.io/token?service=registry.docker.io&scope=repository:${repo}:pull" | jq -r '.token')
# Try to get manifest metadata (without -I flag to get more info)
echo "Checking if tag exists..."
curl -fsSL \
-H "Authorization: Bearer ${token}" \
-H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
"https://registry-1.docker.io/v2/${repo}/manifests/${tag}" 2>&1 | head -50
echo ""
echo "---"
echo "Attempting to list available tags..."
# Try to get tags list
curl -fsSL \
-H "Authorization: Bearer ${token}" \
"https://registry-1.docker.io/v2/${repo}/tags/list" 2>&1 | jq '.tags | sort | .[-10:]'
Repository: drevops/vortex
Length of output: 2005
Pin the updated ClamAV image to an immutable digest.
Line 15 uses a mutable tag. Pinning clamav/clamav-debian:1.5.2-31 to its digest improves reproducibility and prevents silent upstream retags.
Suggested change (amd64 example)
-FROM clamav/clamav-debian:1.5.2-31
+FROM clamav/clamav-debian:1.5.2-31@sha256:83f8128fadcd26bb3a177ea66b995efa6b1a22a13d11b6e4d2679681e2873bab
Note: This image supports multiple architectures (amd64, arm64). If targeting a specific platform, use the corresponding digest. For multi-arch support, prefer pinning to the image index digest rather than individual platform digests.
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| FROM clamav/clamav-debian:1.5.2-31 | |
| FROM clamav/clamav-debian:1.5.2-31@sha256:83f8128fadcd26bb3a177ea66b995efa6b1a22a13d11b6e4d2679681e2873bab |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.docker/clamav.dockerfile at line 15, The Dockerfile uses a mutable tag in
the FROM instruction ("FROM clamav/clamav-debian:1.5.2-31"); replace that tag
with the corresponding immutable digest (preferably the image index digest for
multi-arch support) so the base image is pinned and reproducible—update the FROM
line to reference the canonical sha256 digest for the desired release (or
platform-specific digest if intentionally targeting amd64/arm64).
This comment has been minimized.
This comment has been minimized.
|
|
AlexSkrypnyk
force-pushed
the
deps/container-images-all-major-minor-patch
branch
from
9724290 to
03f15c4
Compare
|
|
|
|
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
1 participant
This PR contains the following updates:
1.5.1-30→1.5.2-31Configuration
📅 Schedule: Branch creation - "before 3am" in timezone UTC, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.
Summary by CodeRabbit