build: pin all dependencies by SHA

.github/actions/redhat-certification-action/Dockerfile

@@ -1,4 +1,4 @@
-FROM docker:20.10
+FROM docker:20.10@sha256:2967f0819c84dd589ed0a023b9d25dcfe7a3c123d5bf784ffbb77edf55335f0c
 
 RUN apk add bash
 

.github/workflows/tests.yaml

@@ -27,6 +27,19 @@ jobs:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - uses: zgosalvez/github-actions-ensure-sha-pinned-actions@c3a2b64f69b7a1542a68f44d9edbd9ec3fc1455e # v3.0.20
 
+  ossf-scorecard:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    # Ref: https://github.com/ossf/scorecard
+    # TODO: add other checks as needed
+    - run: |
+        docker run --rm --env GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} gcr.io/openssf/scorecard:stable \
+          --repo=github.com/${{ github.repository }} \
+          --commit ${{ github.sha }} \
+          --show-details \
+          --checks=Pinned-Dependencies
+
   lint:
     runs-on: ubuntu-latest
     steps:
@@ -537,6 +550,7 @@ jobs:
     runs-on: ubuntu-latest
     needs:
       - ensure-actions-sha-pin
+      - ossf-scorecard
       - lint
       - verify
       - install-with-kustomize

Dockerfile

@@ -2,7 +2,7 @@
 # Builder
 # ------------------------------------------------------------------------------
 
-FROM --platform=$BUILDPLATFORM golang:1.23.4 AS builder
+FROM --platform=$BUILDPLATFORM golang:1.23.4@sha256:7ea4c9dcb2b97ff8ee80a67db3d44f98c8ffa0d191399197007d8459c1453041 AS builder
 
 WORKDIR /workspace
 ARG GOPATH
@@ -55,7 +55,7 @@ RUN --mount=type=cache,target=$GOPATH/pkg/mod \
 
 # Use distroless as minimal base image to package the operator binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/static:nonroot AS distroless
+FROM gcr.io/distroless/static:nonroot@sha256:6ec5aa99dc335666e79dc64e4a6c8b89c33a543a1967f20d360922a80dd21f02 AS distroless
 
 ARG TAG
 ARG NAME="Kong Gateway Operator"
@@ -75,42 +75,3 @@ COPY --from=builder /workspace/bin/manager .
 USER 65532:65532
 
 ENTRYPOINT ["/manager"]
-
-# ------------------------------------------------------------------------------
-# RedHat UBI
-# ------------------------------------------------------------------------------
-
-FROM registry.access.redhat.com/ubi8/ubi AS redhat
-
-ARG TAG
-ARG NAME="Kong Gateway Operator"
-ARG DESCRIPTION="Kong Gateway Operator drives deployment via the Gateway resource. You can deploy a Gateway resource to the cluster which will result in the underlying control-plane (the Kong Kubernetes Ingress Controller) and the data-plane (the Kong Gateway)."
-
-LABEL name="${NAME}" \
-    io.k8s.display-name="${NAME}" \
-    description="${DESCRIPTION}" \
-    io.k8s.description="${DESCRIPTION}" \
-    org.opencontainers.image.description="${DESCRIPTION}" \
-    vendor="Kong" \
-    version="${TAG}" \
-    release="1" \
-    url="https://github.com/Kong/gateway-operator" \
-    summary="A Kubernetes Operator for the Kong Gateway."
-
-# Create the user (ID 1000) and group that will be used in the
-# running container to run the process as an unprivileged user.
-RUN groupadd --system gateway-operator && \
-    adduser --system gateway-operator -g gateway-operator -u 1000
-
-COPY --from=builder /workspace/bin/manager .
-COPY LICENSE /licenses/
-
-# Run yum update to prevent vulnerable packages getting into the final image
-# and preventing publishing on Redhat connect registry.
-RUN yum update -y
-
-# Perform any further action as an unprivileged user.
-USER 1000
-
-# Run the compiled binary.
-ENTRYPOINT ["/manager"]

debug.Dockerfile

@@ -2,7 +2,7 @@
 # Debug image
 # ------------------------------------------------------------------------------
 
-FROM --platform=$BUILDPLATFORM golang:1.23.4 AS debug
+FROM --platform=$BUILDPLATFORM golang:1.23.4@sha256:7ea4c9dcb2b97ff8ee80a67db3d44f98c8ffa0d191399197007d8459c1453041 AS debug
 
 ARG GOPATH
 ARG GOCACHE

hack/plugin-images/invalid-size-combined.Dockerfile

@@ -1,4 +1,4 @@
-FROM busybox:1.31.1 AS builder
+FROM busybox:1.31.1@sha256:999f1137906d82f896a70c18ed63d2797a1562cd7d4d2c1907f681b35c30459d AS builder
 
 RUN mkdir myheader &&\
     dd if=/dev/urandom of=/myheader/handler.lua bs=512k count=1 &&\

hack/plugin-images/invalid-size-one.Dockerfile

@@ -1,4 +1,4 @@
-FROM busybox:1.31.1 AS builder
+FROM busybox:1.31.1@sha256:999f1137906d82f896a70c18ed63d2797a1562cd7d4d2c1907f681b35c30459d AS builder
 
 COPY myheader/schema.lua /myheader/
 RUN dd if=/dev/urandom of=/myheader/handler.lua bs=1M count=2

hack/plugin-images/myheader-2.Dockerfile

@@ -1,4 +1,4 @@
-FROM busybox:1.31.1 AS builder
+FROM busybox:1.31.1@sha256:999f1137906d82f896a70c18ed63d2797a1562cd7d4d2c1907f681b35c30459d AS builder
 
 COPY myheader /myheader/
 RUN sed -i 's/"myheader"/"newheader"/g' /myheader/**