UID2-7411: Remediate HIGH/CRITICAL vulns in reverse-proxy image #197

Merged
BehnamMozafari merged 1 commit into main from bmz-UID2-7411-reverse-proxy-apk-upgrade
Jul 2, 2026
@BehnamMozafari

Summary

Part of UID2-7411 — remediate HIGH/CRITICAL vulnerabilities in docker-path images so the Trivy failure floor in IABTechLab/uid2-shared-actions#246 can flip from CRITICAL to CRITICAL,HIGH.

This PR covers tools/reverse-proxy/Dockerfile (FROM nginx:alpine).

Change

Added RUN apk upgrade --no-cache immediately after the FROM line, before the existing apk add. This pulls the latest -rN Alpine security builds at build time (openssl/libssl3/libcrypto3, musl, zlib, libxml2, libexpat, nghttp2, etc.).

No .trivyignore suppression was required — the upgrade alone brings the image to zero HIGH/CRITICAL findings.

Verification

docker build --platform linux/amd64 -f tools/reverse-proxy/Dockerfile -t uid-reverse-proxy-test tools/reverse-proxy
trivy image --platform linux/amd64 --severity CRITICAL,HIGH --scanners vuln uid-reverse-proxy-test

Rescan result (Trivy 0.72.0):

Report Summary

┌────────────────────────────────────────┬────────┬─────────────────┐
│                 Target                 │  Type  │ Vulnerabilities │
├────────────────────────────────────────┼────────┼─────────────────┤
│ uid-reverse-proxy-test (alpine 3.23.5) │ alpine │        0        │
└────────────────────────────────────────┴────────┴─────────────────┘

Total: 0 (CRITICAL: 0, HIGH: 0) — build is clean at CRITICAL,HIGH.

…e HIGH/CRITICAL vulns

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@BehnamMozafari BehnamMozafari force-pushed the bmz-UID2-7411-reverse-proxy-apk-upgrade branch from 140dd05 to dcb5604 Compare July 1, 2026 23:48
@BehnamMozafari BehnamMozafari merged commit 0f8897c into main Jul 2, 2026
4 checks passed
@BehnamMozafari BehnamMozafari deleted the bmz-UID2-7411-reverse-proxy-apk-upgrade branch July 2, 2026 04:02
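
An added example, not part of this PR or the project's code: a triage of a Trivy JSON report that separates findings at the CRITICAL,HIGH floor that a package upgrade can clear (a fixed version exists) from those that would still fail the gate afterwards. It assumes a report produced by trivy image --format json; the sample report, its placeholder IDs and versions, and the function names are constructed for illustration.

```python
import json

# Constructed sample shaped like `trivy image --format json` output
# (Results[].Vulnerabilities[]); IDs and versions are placeholders.
SAMPLE_REPORT = json.loads("""
{"Results": [{"Target": "example-image (alpine)", "Type": "alpine",
  "Vulnerabilities": [
   {"VulnerabilityID": "CVE-PLACEHOLDER-1", "PkgName": "libssl3",
    "InstalledVersion": "1.0-r0", "FixedVersion": "1.0-r1", "Severity": "HIGH"},
   {"VulnerabilityID": "CVE-PLACEHOLDER-2", "PkgName": "zlib",
    "InstalledVersion": "2.0-r0", "FixedVersion": "", "Severity": "CRITICAL"},
   {"VulnerabilityID": "CVE-PLACEHOLDER-3", "PkgName": "musl",
    "InstalledVersion": "3.0-r0", "FixedVersion": "3.0-r2", "Severity": "MEDIUM"}
  ]},
  {"Target": "no-findings-target", "Type": "alpine"}]}
""")


def triage(report, floor=("CRITICAL", "HIGH")):
    """Split findings at the failure floor by whether a fixed package exists.

    'upgradable' findings have a FixedVersion, so a package upgrade at build
    time can clear them; 'unfixed' ones would still fail the gate afterwards.
    """
    out = {"upgradable": [], "unfixed": []}
    for result in report.get("Results") or []:
        # A target without findings may carry no Vulnerabilities key at all.
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in floor:
                continue
            bucket = "upgradable" if vuln.get("FixedVersion") else "unfixed"
            out[bucket].append((vuln["PkgName"], vuln["VulnerabilityID"]))
    return out


def gate_passes(report, floor=("CRITICAL", "HIGH")):
    """True when nothing at or above the floor remains, as in the rescan."""
    found = triage(report, floor)
    return not (found["upgradable"] or found["unfixed"])


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
    print("passes at CRITICAL only:", gate_passes(SAMPLE_REPORT, ("CRITICAL",)))
    print("passes at CRITICAL,HIGH:", gate_passes(SAMPLE_REPORT))
```

Because the upgrade runs at build time, a cached layer can hold older packages; rebuilding without the layer cache before rescanning keeps the triage aligned with what the registry currently ships.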