
fix(security): remediate PLATFOR-404 container vulnerability findings#246

Merged
PrestigePvP merged 3 commits into main from tre/platfor-404-version-upgrade on May 29, 2026

Conversation

@PrestigePvP PrestigePvP commented May 28, 2026

Dependency and base-image version bumps, plus a vulnerability-scan CI check.

  • Bump golang.org/x/crypto 0.47.0 → 0.52.0
  • Bump golang.org/x/net 0.49.0 → 0.55.0
  • Bump github.com/jackc/pgx/v5 5.9.0 → 5.9.2
  • Bump Go toolchain 1.25.9 → 1.25.10 (go.mod + CI workflows)
  • Upgrade musl/musl-utils in docker/alpine
  • Add a report-only govulncheck CI workflow

Verified locally: go build ./... and govulncheck ./... pass.

- Bump golang.org/x/crypto 0.47.0 -> 0.52.0 (9 reachable SSH CVEs)
- Bump golang.org/x/net 0.49.0 -> 0.55.0 (idna + HTTP/2 SETTINGS)
- Bump github.com/jackc/pgx/v5 5.9.0 -> 5.9.2 (SQLi sanitizer; not reachable, we use pgproto3 only)
- Bump Go toolchain 1.25.9 -> 1.25.10 (go.mod + 7 CI workflows): clears stdlib findings
- Upgrade musl/musl-utils in docker/alpine for CVE-2026-40200 (qsort, 64-bit-impractical)
- Add report-only govulncheck CI workflow

Verified: govulncheck reports 0 reachable vulnerabilities under go1.25.10.
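As an added example (not code from this PR or from the Infisical CLI project): a small Go triage tool for the report-only govulncheck workflow described above. It reads `govulncheck -json` output and separates symbol-level findings (a vulnerable function is actually called from the binary) from module- and package-level ones, which is the distinction behind "not reachable, we use pgproto3 only". The OSV ids, module paths and call trace in `Sample` are constructed input, not real advisories; the JSON field names (`finding`, `osv`, `fixed_version`, `trace`, `module`, `package`, `function`) follow govulncheck's JSON output format, and the CLI name `triage.go` is assumed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// Sample is a constructed govulncheck -json stream: one OSV id reported at
// module, package and symbol level, and a second one at package level only.
const Sample = `{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck"}}
{"progress":{"message":"Scanning your code and 12 packages across 3 dependent modules"}}
{"osv":{"id":"GO-EXAMPLE-0001"}}
{"finding":{"osv":"GO-EXAMPLE-0001","fixed_version":"v0.52.0","trace":[{"module":"golang.org/x/crypto","version":"v0.47.0"}]}}
{"finding":{"osv":"GO-EXAMPLE-0001","fixed_version":"v0.52.0","trace":[{"module":"golang.org/x/crypto","version":"v0.47.0","package":"golang.org/x/crypto/ssh"}]}}
{"finding":{"osv":"GO-EXAMPLE-0001","fixed_version":"v0.52.0","trace":[{"module":"golang.org/x/crypto","version":"v0.47.0","package":"golang.org/x/crypto/ssh","function":"NewClientConn"},{"module":"example.com/cli","package":"example.com/cli/internal/tunnel","function":"Dial"}]}}
{"finding":{"osv":"GO-EXAMPLE-0002","fixed_version":"v5.9.2","trace":[{"module":"github.com/jackc/pgx/v5","version":"v5.9.0","package":"github.com/jackc/pgx/v5"}]}}
`

// Frame is one entry of a finding trace; only the fields used here are declared.
type Frame struct {
	Module   string `json:"module"`
	Version  string `json:"version"`
	Package  string `json:"package"`
	Function string `json:"function"`
}

// Finding mirrors the "finding" object in the govulncheck JSON stream.
type Finding struct {
	OSV          string   `json:"osv"`
	FixedVersion string   `json:"fixed_version"`
	Trace        []*Frame `json:"trace"`
}

// message is one object of the stream; config, progress and osv objects
// decode with a nil Finding and are skipped.
type message struct {
	Finding *Finding `json:"finding"`
}

// Level is how deep govulncheck could prove a vulnerability reaches.
type Level int

const (
	ModuleLevel  Level = iota // vulnerable module required, vulnerable package not imported
	PackageLevel              // vulnerable package imported, vulnerable symbol not called
	SymbolLevel               // vulnerable function reachable from this binary: actionable
)

// classify reads the innermost frame (trace[0]): govulncheck sets function
// only for symbol-level findings and package only at package level or deeper.
func classify(f *Finding) Level {
	if len(f.Trace) == 0 || f.Trace[0] == nil {
		return ModuleLevel
	}
	switch inner := f.Trace[0]; {
	case inner.Function != "":
		return SymbolLevel
	case inner.Package != "":
		return PackageLevel
	default:
		return ModuleLevel
	}
}

// Summary separates OSV ids a CI gate should act on from informational ones.
type Summary struct {
	Reachable     []string // symbol-level: fix before merging
	Informational []string // module- or package-level only
}

// Summarize keeps the deepest level seen per OSV id; govulncheck emits a
// separate finding for each level it can prove, so the same id recurs.
func Summarize(r io.Reader) (Summary, error) {
	dec := json.NewDecoder(r)
	deepest := map[string]Level{}
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return Summary{}, fmt.Errorf("decode govulncheck stream: %w", err)
		}
		if m.Finding == nil {
			continue
		}
		lvl := classify(m.Finding)
		if cur, ok := deepest[m.Finding.OSV]; !ok || lvl > cur {
			deepest[m.Finding.OSV] = lvl
		}
	}
	var s Summary
	for id, lvl := range deepest {
		if lvl == SymbolLevel {
			s.Reachable = append(s.Reachable, id)
		} else {
			s.Informational = append(s.Informational, id)
		}
	}
	sort.Strings(s.Reachable)
	sort.Strings(s.Informational)
	return s, nil
}

// ExitCode is non-zero only for reachable findings, so a CI step can be
// made blocking later by simply dropping continue-on-error.
func ExitCode(s Summary) int {
	if len(s.Reachable) > 0 {
		return 1
	}
	return 0
}

func main() {
	var in io.Reader = strings.NewReader(Sample)
	if len(os.Args) > 1 && os.Args[1] == "-" { // govulncheck -json ./... | go run triage.go -
		in = os.Stdin
	}
	s, err := Summarize(in)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Println("reachable (symbol-level):", s.Reachable)
	fmt.Println("informational (module/package-level):", s.Informational)
	os.Exit(ExitCode(s))
}
```

Run it with the same build configuration as the release binary (build tags, CGO_ENABLED), because reachability is computed over the packages that configuration actually compiles; a scan under a different setting can report a different set of symbol-level findings.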

linear Bot commented May 28, 2026

PLATFOR-404

@infisical-review-police

💬 Discussion in Slack: #pr-review-cli-246-fix-security-remediate-platfor-404-xray-container-findings

Posted by Review Police — reviews, comments, new commits, and CI failures will stream into this channel.

@PrestigePvP PrestigePvP requested a review from akhilmhdh May 28, 2026 21:16

greptile-apps Bot commented May 28, 2026

Greptile Summary

This PR remediates JFrog Xray container findings against infisical/cli:0.43.87 by bumping key Go dependencies and the Go toolchain, upgrading musl/musl-utils in the Docker Alpine image, and adding a report-only govulncheck CI workflow to surface future vulnerabilities on PRs without blocking merges.

  • Dependency bumps: golang.org/x/crypto → 0.52.0 (9 SSH CVEs), golang.org/x/net → 0.55.0 (IDNA Punycode + HTTP/2 SETTINGS loop), github.com/jackc/pgx/v5 → 5.9.2 (SQLi in query sanitizer, unreachable from this codebase but cleared for scan gate), plus several indirect deps (sys, term, sync, text, mod, tools) that track the major bumps.
  • Go toolchain: go.mod directive and all 7 CI workflow files updated from 1.25.9 → 1.25.10, clearing stdlib findings (NUL panic, net/mail DoS, HTTP/2, GOTOOLCHAIN checksum bypass).
  • Docker: musl and musl-utils added to the apk upgrade step to pull the CVE-2026-40200 qsort stack-corruption fix at musl 1.2.5-r12.

Confidence Score: 4/5

Safe to merge — all changes are dependency version bumps and CI workflow additions with no application logic modified.

The diff touches only go.mod/go.sum, Docker, and CI workflows. All Go source-level security fixes come from upstream packages rather than any in-repo code change. The new govulncheck workflow runs with CGO_ENABLED=0, which may produce a slightly different reachability picture than the production build, and lacks module caching; both are easy follow-ups. No application code is modified, so regression risk from the dep bumps is low.

.github/workflows/govulncheck.yml — the new scan workflow benefits from adding module caching and aligning the CGO_ENABLED setting with how production binaries are built.

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/govulncheck.yml | New report-only govulncheck CI workflow; missing Go module cache configuration compared to other workflows |
| go.mod | Security-driven dependency bumps: golang.org/x/crypto 0.47 to 0.52, golang.org/x/net 0.49 to 0.55, pgx/v5 5.9.0 to 5.9.2, and several indirect deps; Go toolchain directive updated to 1.25.10 |
| go.sum | Checksums updated consistently for all bumped modules; no orphaned or conflicting entries observed |
| docker/alpine | Adds musl and musl-utils to the apk upgrade command to pull the CVE-2026-40200 fix at musl 1.2.5-r12 |
| .github/workflows/release_build_infisical_cli.yml | Go version bumped from 1.25.9 to 1.25.10 in all three setup-go steps; no other changes |

Reviews (1): Last reviewed commit: "fix(security): remediate PLATFOR-404 Xra..."

Comment thread .github/workflows/govulncheck.yml
The e2e module replaces infisical-merge with ../, so the root x/crypto, x/net, and pgx bumps required tidying its go.mod/go.sum. go mod tidy + go directive 1.25.9 -> 1.25.10.
PrestigePvP changed the title from "fix(security): remediate PLATFOR-404 Xray container findings" to "fix(security): remediate PLATFOR-404 container vulnerability findings" on May 28, 2026
@PrestigePvP PrestigePvP merged commit ae11571 into main May 29, 2026
16 checks passed