golden-images.yaml
# =============================================================================
# Golden Images Standard
# =============================================================================
# Managed by: Infrastructure / DevOps Team
# Source: https://github.com/tinyfish-io/github-control
# Linear ticket: https://linear.app/tinyfish/issue/INF-1097
#
# This file is automatically replicated to ALL active repositories.
# DO NOT edit this file locally — changes will be overwritten on next
# Terraform apply. To propose updates, open a PR in github-control.
#
# -----------------------------------------------------------------------------
# TIER DEFINITIONS
# -----------------------------------------------------------------------------
# recommended:
#   DevOps-owned. The Infrastructure team handles OS-level CVE monitoring,
#   Vanta ticket triage, quarterly SHA digest updates, and patch coordination.
#
# acceptable:
#   Developer-owned. Teams using this image are fully responsible for:
#     - Monitoring OS-level CVEs flagged by AWS Inspector / Vanta
#     - Filing and remediating their own security tickets
#     - Upgrading to the recommended tier before the image's EOL date
#   Using an acceptable-tier image does NOT exempt a team from Vanta SLAs.
#
# -----------------------------------------------------------------------------
# USAGE (Dockerfile)
# -----------------------------------------------------------------------------
# Always reference the full URI with the SHA256 digest for build immutability.
# Floating tags (:latest, :22, :3.12) are PROHIBITED in production Dockerfiles.
#
# CORRECT:
#   FROM node:24-bookworm-slim@sha256:e8e2e91b1378f83c5b2dd15f0247f34110e2fe895f6ca7719dbb780f929368eb
#
# WRONG:
#   FROM node:24-bookworm-slim
#   FROM node:latest
#   FROM node:22
#
# =============================================================================

golden_images:

  # ---------------------------------------------------------------------------
  # Node.js
  # ---------------------------------------------------------------------------
  nodejs:
    - tier: recommended
      alias: node-24-lts
      image: node:24-bookworm-slim
      uri: node:24-bookworm-slim@sha256:e8e2e91b1378f83c5b2dd15f0247f34110e2fe895f6ca7719dbb780f929368eb
      runtime_version: "24.14.0"
      base_os: Debian 12 (Bookworm) slim
      digest_updated: "2026-02-27"
      eol: "2029-04-30"
      description: >
        Node.js 24 LTS on Debian 12 Bookworm slim. DevOps-managed. Slim variant reduces attack surface vs the full image
        while retaining native-module compatibility (unlike Alpine/musl). Receives timely Debian security patches for
        OS-level packages.
      use_case: "All Node.js services, CI builds, tooling containers."

    - tier: acceptable
      alias: node-22-lts
      image: node:22-bookworm-slim
      uri: node:22-bookworm-slim@sha256:dd9d21971ec4395903fa6143c2b9267d048ae01ca6d3ea96f16cb30df6187d94
      runtime_version: "22.22.0"
      base_os: Debian 12 (Bookworm) slim
      digest_updated: "2026-02-27"
      eol: "2027-04-30"
      description: >
        Node.js 22 LTS on Debian 12 Bookworm slim. DEVELOPER-managed. Teams using this image are responsible for
        OS-level CVE monitoring, patching, and Vanta ticket remediation independently.
      use_case: "Teams not yet migrated to Node 24 LTS."
      caveats:
        - "Migrate to node-24-lts (recommended) before April 2027 EOL."
        - "Developer team owns OS-level CVE patching and all Vanta SLA obligations."

  # ---------------------------------------------------------------------------
  # Python
  # ---------------------------------------------------------------------------
  python:
    - tier: recommended
      alias: python-313
      image: python:3.13-slim-bookworm
      uri: python:3.13-slim-bookworm@sha256:1245b6c39d0b8e49e911c7d07b60cd9ed26016b0e439b6903d5e08730e417553
      runtime_version: "3.13.x"
      base_os: Debian 12 (Bookworm) slim
      digest_updated: "2026-02-27"
      eol: "2029-10-31"
      description: >
        Python 3.13 on Debian 12 Bookworm slim. DevOps-managed. Slim variant minimizes pre-installed packages, reducing
        the OS-level attack surface while remaining fully pip-compatible.
      use_case: "All Python services, ML workloads, data pipelines, Lambda containers."

    - tier: acceptable
      alias: python-312
      image: python:3.12-slim-bookworm
      uri: python:3.12-slim-bookworm@sha256:593bd06efe90efa80dc4eee3948be7c0fde4134606dd40d8dd8dbcade98e669c
      runtime_version: "3.12.12"
      base_os: Debian 12 (Bookworm) slim
      digest_updated: "2026-02-27"
      eol: "2028-10-31"
      description: >
        Python 3.12 on Debian 12 Bookworm slim. DEVELOPER-managed. Teams using this image are responsible for OS-level
        CVE monitoring, patching, and Vanta ticket remediation independently.
      use_case: "Teams not yet migrated to Python 3.13."
      caveats:
        - "Plan migration to python-313 (recommended) before October 2028 EOL."
        - "Developer team owns OS-level CVE patching and all Vanta SLA obligations."

  # ---------------------------------------------------------------------------
  # Microsoft Playwright (AI web automation)
  # ---------------------------------------------------------------------------
  playwright:
    - tier: recommended
      alias: playwright-latest
      image: mcr.microsoft.com/playwright:v1.58.2-noble
      uri: mcr.microsoft.com/playwright:v1.58.2-noble@sha256:65cefd09a5e943921ecd3a6e5414c603db2eb161e9eb48f2e2ccc63486dc7dc0
      runtime_version: "1.58.2"
      base_os: Ubuntu 24.04 LTS (Noble Numbat)
      digest_updated: "2026-02-27"
      description: >
        Microsoft Playwright v1.58.2 on Ubuntu 24.04 LTS (Noble). DevOps-managed. Pre-baked with all browser binaries
        (Chromium, Firefox, WebKit) and their system-level dependencies. Playwright is the backbone of our AI web
        automation workflows, enabling agents to interact with the web at scale.
      use_case: "AI web automation workflows, browser-based AI agents."

    - tier: acceptable
      alias: playwright-v154
      image: mcr.microsoft.com/playwright:v1.54.0-noble
      uri: mcr.microsoft.com/playwright:v1.54.0-noble@sha256:96b27b29220f99ef3205c4aa3a8b8e1b5beb6c3ebb2e9acbdef80cb944a03012
      runtime_version: "1.54.0"
      base_os: Ubuntu 24.04 LTS (Noble Numbat)
      digest_updated: "2026-02-27"
      description: >
        Microsoft Playwright v1.54.0 on Ubuntu 24.04 LTS (Noble). DEVELOPER-managed. Teams using this version are
        responsible for monitoring CVEs and upgrading to the recommended tier.
      use_case: "AI web automation workflows pinned to Playwright 1.54 pending migration."
      caveats:
        - "Upgrade to playwright-latest (recommended) once workflow compatibility with v1.58 is confirmed."
        - "Developer team owns OS-level CVE patching and all Vanta SLA obligations."
        - "4 minor versions behind recommended; bundled browser binaries may carry known CVEs."

# =============================================================================
# Metadata
# =============================================================================
metadata:
  last_reviewed: "2026-02-27"
  next_review_due: "2026-05-27"
  review_cadence: quarterly
  maintained_by: "Infrastructure / DevOps Team"
  linear_ticket: https://linear.app/tinyfish/issue/INF-1097
  policy: >
    All Dockerfiles MUST reference images from this file using the full URI with SHA256 digest (@sha256:...) for build
    immutability. Floating tags (e.g. :latest, :22, :3.12) are PROHIBITED in production Dockerfiles. This file is
    updated quarterly or upon critical CVE disclosure. To propose changes, open a PR in github-control referencing
    INF-1097.
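The digest-pinning rule in the header and the `policy` block above can be enforced mechanically as a CI gate. The following is an added example, not code from the github-control repository: it reads the `tier:`/`uri:` pairs from a constructed excerpt of this file with a plain line scan (no PyYAML), then classifies every `FROM` line of a constructed Dockerfile as a listed golden image, a multi-stage reference to an earlier build stage, a pinned image that is not in the golden list, or a prohibited floating tag. The function names and the all-zero `alpine` digest are this example's own inventions.

```python
import re

# Constructed inputs: an excerpt of golden-images.yaml (URIs and digests copied from the file above)
# and a Dockerfile exercising the header's CORRECT and WRONG forms plus two edge cases.
GOLDEN_IMAGES_YAML = """\
golden_images:
  nodejs:
    - tier: recommended
      uri: node:24-bookworm-slim@sha256:e8e2e91b1378f83c5b2dd15f0247f34110e2fe895f6ca7719dbb780f929368eb
  python:
    - tier: acceptable
      uri: python:3.12-slim-bookworm@sha256:593bd06efe90efa80dc4eee3948be7c0fde4134606dd40d8dd8dbcade98e669c
"""
SAMPLE_DOCKERFILE = "\n".join([
    "FROM node:24-bookworm-slim@sha256:e8e2e91b1378f83c5b2dd15f0247f34110e2fe895f6ca7719dbb780f929368eb AS build",
    "FROM --platform=linux/amd64 python:3.12-slim-bookworm@sha256:593bd06efe90efa80dc4eee3948be7c0fde4134606dd40d8dd8dbcade98e669c",
    "FROM node:latest",
    "FROM alpine:3.20@sha256:" + "0" * 64,  # pinned, but not a golden image (constructed digest)
    "FROM build",
])
FROM_RE = re.compile(r"^[ \t]*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?[ \t]*$", re.I | re.M)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def load_golden_uris(yaml_text):
    # Line scan of the 'tier:' / 'uri:' keys (no PyYAML needed); returns {uri: tier}.
    uris, tier = {}, None
    for line in yaml_text.splitlines():
        key, _, value = line.strip().lstrip("- ").partition(":")
        if key == "tier":
            tier = value.strip()
        elif key == "uri":
            uris[value.strip()] = tier
    return uris

def check_dockerfile(dockerfile, golden):
    # One (line_no, ref, verdict) per FROM line; a verdict starting with "ok:" passes the policy.
    results, stages = [], set()
    for m in FROM_RE.finditer(dockerfile):
        ref, line_no = m.group("ref"), dockerfile.count("\n", 0, m.start()) + 1
        if ref in stages:
            verdict = "ok:stage"  # reference to an earlier build stage, not an image pull
        elif ref in golden:
            verdict = "ok:" + golden[ref]  # exact pinned URI listed in golden-images.yaml
        elif DIGEST_RE.search(ref):
            verdict = "pinned image not in golden-images.yaml"
        else:
            verdict = "floating tag or untagged image (PROHIBITED)"
        results.append((line_no, ref, verdict))
        if m.group("stage"):
            stages.add(m.group("stage"))
    return results
```

A CI job would fail the build on any verdict that does not start with `ok:` and print the offending line number and reference; the `acceptable` tier passes the gate but identifies the team-owned images for the EOL follow-up described in the caveats.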