From 25f8d4498bdea1641f75555aa76de98ed7a588b1 Mon Sep 17 00:00:00 2001
From: XDRAGON2002 <81813720+XDRAGON2002@users.noreply.github.com>
Date: Mon, 7 Nov 2022 14:29:26 +0530
Subject: [PATCH] [Feature] Pin Dependencies by Hash (#5168)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* pin dependencies by hash
Signed-off-by: Anant Vijay
* pin scripts
Signed-off-by: Anant Vijay
Signed-off-by: Anant Vijay
Co-authored-by: shuting
Co-authored-by: Charles-Edouard Brétéché
---
 .github/workflows/fossa.yml | 2 +-
 .github/workflows/tests.yaml | 2 +-
 cmd/cli/kubectl-kyverno/Dockerfile | 2 +-
 cmd/initContainer/Dockerfile | 2 +-
 cmd/kyverno/Dockerfile | 4 ++--
 cmd/kyverno/localDockerfile | 2 +-
 scripts/create-e2e-infrastruture.sh | 2 +-
 7 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
index 0dbc0a71329f..b1234d672ba8 100644
--- a/.github/workflows/fossa.yml
+++ b/.github/workflows/fossa.yml
@@ -25,6 +25,6 @@ jobs:
 run: |
 export GOPATH=$HOME/go
 export PATH=$PATH:$(go env GOPATH)/bin
- curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash
+ curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/f90d8f6ea32a55bc3b08d557590066b820a7c1b8/install-latest.sh | bash # v3.5.2
 fossa init
 fossa analyze
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index fc5d6c5f1542..c33fe5a29a61 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -50,7 +50,7 @@ jobs:
 - name: goimports
 run: |
- go install golang.org/x/tools/cmd/goimports@latest
+ go install golang.org/x/tools/cmd/goimports@f112c43328372460f7ac5bc951711609e22b01cc # v0.2.0
 if [ "$(goimports -l . | wc -l)" -ne 0 ]
 then echo "The following files were found to have import formatting issues:"
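Review bot: The `curl … | bash` line in `.github/workflows/fossa.yml` pins only the installer script: a script named `install-latest.sh` presumably resolves the newest fossa-cli release when it runs, so the binary executed in CI may not be the v3.5.2 that the trailing comment names. If the installer accepts a version argument, pass it explicitly; otherwise download the release archive directly and compare it against a recorded SHA-256 before running it. The pipe also hides download failures, because `curl` is called without `-f` and a `run:` step without an explicit `shell:` does not enable pipefail; `set -o pipefail` at the top of the step plus `curl -fsSL <pinned-url> | bash` would surface them. The same points apply to the `install_kustomize.sh` line in `scripts/create-e2e-infrastruture.sh`, where whether pipefail is already set cannot be seen from the hunk.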
diff --git a/cmd/cli/kubectl-kyverno/Dockerfile b/cmd/cli/kubectl-kyverno/Dockerfile
index 9a7aaaf958c1..66c375c4c8f7 100644
--- a/cmd/cli/kubectl-kyverno/Dockerfile
+++ b/cmd/cli/kubectl-kyverno/Dockerfile
@@ -25,7 +25,7 @@ RUN --mount=type=bind,target=. \
 CGO_ENABLED=0 xx-go build -o /output/kyverno -ldflags="${LD_FLAGS}" -v ./cmd/cli/kubectl-kyverno/
 # Packaging stage
-FROM ghcr.io/distroless/static:latest
+FROM ghcr.io/distroless/static@sha256:a9650a15060275287ebf4530b34020b8d998bd2de9aea00d113c332d8c41eb0b
 LABEL maintainer="Kyverno"
diff --git a/cmd/initContainer/Dockerfile b/cmd/initContainer/Dockerfile
index 1c1f4bcc3f60..431f88d5cf97 100644
--- a/cmd/initContainer/Dockerfile
+++ b/cmd/initContainer/Dockerfile
@@ -25,7 +25,7 @@ RUN --mount=type=bind,target=. \
 CGO_ENABLED=0 xx-go build -o /output/kyvernopre -ldflags="${LD_FLAGS}" -v ./cmd/initContainer/
 # Packaging stage
-FROM ghcr.io/distroless/static:latest
+FROM ghcr.io/distroless/static@sha256:a9650a15060275287ebf4530b34020b8d998bd2de9aea00d113c332d8c41eb0b
 LABEL maintainer="Kyverno"
diff --git a/cmd/kyverno/Dockerfile b/cmd/kyverno/Dockerfile
index e8459060680c..893c5936c3e7 100644
--- a/cmd/kyverno/Dockerfile
+++ b/cmd/kyverno/Dockerfile
@@ -1,4 +1,4 @@
-FROM --platform=${BUILDPLATFORM} golang:alpine AS certs
+FROM --platform=${BUILDPLATFORM} golang:alpine@sha256:e4dcdac3ed37d8c2b3b8bcef2909573b2ad9c2ab53ba53c608909e8b89ccee36 AS certs
 LABEL maintainer="Kyverno"
@@ -29,7 +29,7 @@ RUN --mount=type=bind,target=. \
 CGO_ENABLED=0 xx-go build -o /output/kyverno -ldflags="${LD_FLAGS}" -v ./cmd/kyverno/
 # Packaging stage
-FROM ghcr.io/distroless/static:latest
+FROM ghcr.io/distroless/static@sha256:a9650a15060275287ebf4530b34020b8d998bd2de9aea00d113c332d8c41eb0b
 LABEL maintainer="Kyverno"
 COPY --from=builder /output/kyverno /
diff --git a/cmd/kyverno/localDockerfile b/cmd/kyverno/localDockerfile
index dd8cc2bee1b5..db7f435bc9cc 100644
--- a/cmd/kyverno/localDockerfile
+++ b/cmd/kyverno/localDockerfile
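Review bot: The packaging-stage `FROM ghcr.io/distroless/static@sha256:a9650a15…` in `cmd/cli/kubectl-kyverno/Dockerfile` drops the tag, so the file no longer says which release the digest belongs to and update tooling that follows a tag has nothing to track. Keeping the tag in front of the digest, as the `golang:alpine@sha256:…` line in `cmd/kyverno/Dockerfile` already does, leaves the digest authoritative while recording that information: `FROM ghcr.io/distroless/static:latest@sha256:…`. Since the build stage cross-compiles with `xx-go`, the digest needs to be the multi-arch image index rather than a single-platform manifest; that cannot be confirmed from the hunk. A digest pin also stops base-image security fixes from arriving on rebuild, so it should come with an automated digest-update job. The same applies to the identical `FROM` lines in `cmd/initContainer/Dockerfile` and the second hunk of `cmd/kyverno/Dockerfile`; the stages continue outside the hunks.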
@@ -1,4 +1,4 @@
-FROM golang:alpine
+FROM golang@sha256:992d5fea982526ce265a0631a391e3c94694f4d15190fd170f35d91b2e6cb0ba
 ADD kyverno /kyverno
 RUN apk add --no-cache ca-certificates
 USER 10001
diff --git a/scripts/create-e2e-infrastruture.sh b/scripts/create-e2e-infrastruture.sh
index 99964f786da7..b9e803f2c16d 100755
--- a/scripts/create-e2e-infrastruture.sh
+++ b/scripts/create-e2e-infrastruture.sh
@@ -21,7 +21,7 @@ fi
 pwd=$(pwd)
 cd "$pwd"/config
 echo "Installing kustomize"
-curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash
+curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/56d82a8378dfc8dc3b3b1085e5a6e67b82966bd7/hack/install_kustomize.sh" | bash # v4.5.7
 kustomize edit set image ghcr.io/kyverno/kyverno:"$hash"
 kustomize edit set image ghcr.io/kyverno/kyvernopre:"$hash"
 kustomize build "$pwd"/config/ -o "$pwd"/config/install.yaml
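Review bot: In `cmd/kyverno/localDockerfile` the new `FROM golang@sha256:992d5fea…` no longer names the `alpine` variant, and its digest differs from the `golang:alpine@sha256:e4dcdac3…` that this commit pins in `cmd/kyverno/Dockerfile`. The `RUN apk add --no-cache ca-certificates` line two lines below only works on an Alpine base, so if this digest resolves to the default non-Alpine image the build fails, and if it is a single-platform manifest the image is tied to one architecture; neither can be checked from the hunk. Keeping the tag and using one digest for both files, `FROM golang:alpine@sha256:<digest-of-the-alpine-image-index>`, would make the intended base verifiable by a reader.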