chore: default to the public Chainguard cinc-auditor image#67
Merged
stevebeattie merged 2 commits intoJun 18, 2026
Merged
Conversation
Why: the cinc-check step (Makefile + control-tests.yml) bind-mounts the staged profile and runs `cinc-auditor check` + `exec`, but made two assumptions that only hold for a root-default auditor image like cincproject/auditor: - It didn't force a user, so it ran as the image's default user. The Chainguard cinc-auditor image runs as nonroot (uid 65532), which can't read the root-owned, read-only /profile bind mount → `check` fails with "doesn't look like a supported profile structure". - The `exec` left rootfs at its default of `/`, so it scanned the auditor image's own root filesystem. The Chainguard image bundles cinc-auditor under /usr/lib (upstream hides it under /opt), so LibraryPermissions' `find /usr/lib` + per-file owner check traverses the entire bundled Ruby/gem tree — minutes, effectively a hang. What: - Add `--user 0:0` to both docker runs (matches how the scan scripts and rspec harness already invoke the auditor; harmless for a root-default image). - Point the `exec` at an empty bind-mounted dir (`--input rootfs=/scan-root`). This step only needs to confirm controls are *discovered* (count > 0), not evaluate them, so scanning nothing is correct — and fast on any image. Both changes are improvements regardless of which auditor image is used; they make cinc-check work identically on cincproject and Chainguard. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Why: the cinc-auditor image is now published publicly at cgr.dev/chainguard/cinc-auditor (no registry auth required), so our reference tools and docs should prioritize it over the private image and the upstream cincproject/auditor image — while keeping the ability to point at an alternate image for compatibility. What: switch every default to cgr.dev/chainguard/cinc-auditor:latest, keeping the CINC_AUDITOR_IMAGE override everywhere: - tools/lib/cinc-common.sh (was the private chainguard-private image), Makefile, and the five integration smoke specs' fallback default. - control-tests.yml and scan-smoke.yml active image (control-tests will also verify cincproject via a matrix in a follow-up; the scan pipeline is image-agnostic so scan-smoke stays single-image). - README / docs/development.md / docs/testing.md: prioritize the public image, drop the "private registry / requires authenticated access" framing (the auditor image no longer needs auth), and document overriding to an alternate (e.g. cincproject/auditor:latest). Verified the profile works on the Chainguard image: `make cinc-check` (9 controls), the full control suite (186 examples, 0 failures), and the filesystem scan smoke all pass against it. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
The cinc-auditor image is now published publicly at
cgr.dev/chainguard/cinc-auditor(no registry authentication required). Ourreference tools and docs should prioritize it over the private
cgr.dev/chainguard-private/cinc-auditorimage and the upstreamcincproject/auditor— while keeping the ability to point at an alternate imagefor compatibility.
Switching the default surfaced a real cross-image incompatibility in
cinc-check(fixed here first).
What
1. Make
cinc-checkauditor-image-agnostic (ci(cinc-check): …) — theprofile-validation step (Makefile +
control-tests.yml) made two assumptionsthat only held for a root-default image like cincproject:
image runs as nonroot (uid 65532), which can't read the root-owned,
read-only
/profilebind mount →checkfails with "doesn't look like asupported profile structure". → add
--user 0:0(matches the scan scripts andrspec harness; harmless for a root-default image).
execleftrootfsat its default/, scanning the auditor image's ownroot fs. The Chainguard image bundles cinc-auditor under
/usr/lib(upstreamhides it under
/opt), soLibraryPermissions'find /usr/lib+ per-fileowner check traverses the entire bundled Ruby/gem tree — minutes, effectively
a hang. → point the
execat an empty rootfs (--input rootfs=/scan-root);this step only needs controls discovered (count > 0), not evaluated.
2. Default to the public Chainguard image (
chore: …) — switch every defaultto
cgr.dev/chainguard/cinc-auditor:latest, keeping theCINC_AUDITOR_IMAGEoverride everywhere:
tools/lib/cinc-common.sh(was the private image),Makefile, the fiveintegration smoke specs' fallback default.
control-tests.ymlandscan-smoke.ymlactive image.docs/development.md/docs/testing.md: prioritize the publicimage, drop the "private registry / requires authenticated access" framing,
and document overriding to an alternate (e.g.
cincproject/auditor:latest).Why this approach
Forcing
--user 0:0and pointing cinc-check at an empty rootfs make the toolingimage-default-agnostic — it works identically whether the auditor image
defaults to root (cincproject) or nonroot (Chainguard), and doesn't depend on
where the image bundles its files. That robustness is what lets a follow-up
verify the profile against both images in CI.
Scope:
scan-smokestays single-image (the scan pipeline is image-agnostic);control-testswill run a both-images matrix in a follow-up PR.Verification
On the Chainguard image:
make cinc-check(9 controls, ~10s), the full controlsuite (186 examples, 0 failures, 12 pending — sudo/RUN_SCAN_SMOKE-gated), and the
filesystem scan smoke on the new default all pass. Lint clean (pre-commit,
actionlint, zizmor).
🤖 Generated with Claude Code