Skip to content

chore: default to the public Chainguard cinc-auditor image#67

Merged
stevebeattie merged 2 commits into
chainguard-dev:mainfrom
stevebeattie:chore/default-chainguard-auditor-image
Jun 18, 2026
Merged

chore: default to the public Chainguard cinc-auditor image#67
stevebeattie merged 2 commits into
chainguard-dev:mainfrom
stevebeattie:chore/default-chainguard-auditor-image

Conversation

@stevebeattie

Copy link
Copy Markdown
Member

Why

The cinc-auditor image is now published publicly at
cgr.dev/chainguard/cinc-auditor (no registry authentication required). Our
reference tools and docs should prioritize it over the private
cgr.dev/chainguard-private/cinc-auditor image and the upstream
cincproject/auditor — while keeping the ability to point at an alternate image
for compatibility.

Switching the default surfaced a real cross-image incompatibility in cinc-check
(fixed here first).

What

1. Make cinc-check auditor-image-agnostic (ci(cinc-check): …) — the
profile-validation step (Makefile + control-tests.yml) made two assumptions
that only held for a root-default image like cincproject:

  • It didn't force a user, so it ran as the image's default user. The Chainguard
    image runs as nonroot (uid 65532), which can't read the root-owned,
    read-only /profile bind mount → check fails with "doesn't look like a
    supported profile structure". → add --user 0:0 (matches the scan scripts and
    rspec harness; harmless for a root-default image).
  • The exec left rootfs at its default /, scanning the auditor image's own
    root fs. The Chainguard image bundles cinc-auditor under /usr/lib (upstream
    hides it under /opt), so LibraryPermissions' find /usr/lib + per-file
    owner check traverses the entire bundled Ruby/gem tree — minutes, effectively
    a hang. → point the exec at an empty rootfs (--input rootfs=/scan-root);
    this step only needs controls discovered (count > 0), not evaluated.

2. Default to the public Chainguard image (chore: …) — switch every default
to cgr.dev/chainguard/cinc-auditor:latest, keeping the CINC_AUDITOR_IMAGE
override everywhere:

  • tools/lib/cinc-common.sh (was the private image), Makefile, the five
    integration smoke specs' fallback default.
  • control-tests.yml and scan-smoke.yml active image.
  • README / docs/development.md / docs/testing.md: prioritize the public
    image, drop the "private registry / requires authenticated access" framing,
    and document overriding to an alternate (e.g. cincproject/auditor:latest).

Why this approach

Forcing --user 0:0 and pointing cinc-check at an empty rootfs make the tooling
image-default-agnostic — it works identically whether the auditor image
defaults to root (cincproject) or nonroot (Chainguard), and doesn't depend on
where the image bundles its files. That robustness is what lets a follow-up
verify the profile against both images in CI.

Scope: scan-smoke stays single-image (the scan pipeline is image-agnostic);
control-tests will run a both-images matrix in a follow-up PR.

Verification

On the Chainguard image: make cinc-check (9 controls, ~10s), the full control
suite (186 examples, 0 failures, 12 pending — sudo/RUN_SCAN_SMOKE-gated), and the
filesystem scan smoke on the new default all pass. Lint clean (pre-commit,
actionlint, zizmor).

🤖 Generated with Claude Code

stevebeattie and others added 2 commits June 17, 2026 21:07
Why: the cinc-check step (Makefile + control-tests.yml) bind-mounts the staged
profile and runs `cinc-auditor check` + `exec`, but made two assumptions that
only hold for a root-default auditor image like cincproject/auditor:

- It didn't force a user, so it ran as the image's default user. The Chainguard
  cinc-auditor image runs as nonroot (uid 65532), which can't read the
  root-owned, read-only /profile bind mount → `check` fails with "doesn't look
  like a supported profile structure".
- The `exec` left rootfs at its default of `/`, so it scanned the auditor
  image's own root filesystem. The Chainguard image bundles cinc-auditor under
  /usr/lib (upstream hides it under /opt), so LibraryPermissions' `find /usr/lib`
  + per-file owner check traverses the entire bundled Ruby/gem tree — minutes,
  effectively a hang.

What:
- Add `--user 0:0` to both docker runs (matches how the scan scripts and rspec
  harness already invoke the auditor; harmless for a root-default image).
- Point the `exec` at an empty bind-mounted dir (`--input rootfs=/scan-root`).
  This step only needs to confirm controls are *discovered* (count > 0), not
  evaluate them, so scanning nothing is correct — and fast on any image.

Both changes are improvements regardless of which auditor image is used; they
make cinc-check work identically on cincproject and Chainguard.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Why: the cinc-auditor image is now published publicly at
cgr.dev/chainguard/cinc-auditor (no registry auth required), so our reference
tools and docs should prioritize it over the private image and the upstream
cincproject/auditor image — while keeping the ability to point at an alternate
image for compatibility.

What: switch every default to cgr.dev/chainguard/cinc-auditor:latest, keeping
the CINC_AUDITOR_IMAGE override everywhere:
- tools/lib/cinc-common.sh (was the private chainguard-private image), Makefile,
  and the five integration smoke specs' fallback default.
- control-tests.yml and scan-smoke.yml active image (control-tests will also
  verify cincproject via a matrix in a follow-up; the scan pipeline is
  image-agnostic so scan-smoke stays single-image).
- README / docs/development.md / docs/testing.md: prioritize the public image,
  drop the "private registry / requires authenticated access" framing (the
  auditor image no longer needs auth), and document overriding to an alternate
  (e.g. cincproject/auditor:latest).

Verified the profile works on the Chainguard image: `make cinc-check` (9
controls), the full control suite (186 examples, 0 failures), and the filesystem
scan smoke all pass against it.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@stevebeattie stevebeattie requested a review from egibs June 18, 2026 04:09
@stevebeattie stevebeattie merged commit b55ad4a into chainguard-dev:main Jun 18, 2026
15 checks passed
@stevebeattie stevebeattie deleted the chore/default-chainguard-auditor-image branch June 18, 2026 04:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant