From 60760b1f408aa3c7af9adbab2f20f3035195d7c6 Mon Sep 17 00:00:00 2001
From: Tim Diekmann
Date: Sun, 29 Mar 2026 14:35:02 +0200
Subject: [PATCH] SRE-613: Disable BuildKit provenance attestation to fix Inspector scanning

BuildKit's default provenance attestation wraps single-platform images in OCI Image Indexes. AWS Inspector scans child manifests but tags and usage tracking sit on the Index, making CVE findings unusable for alerting. Disabling provenance produces plain single-platform manifests that Inspector can fully correlate with deployed images. Image signing and provenance will be re-evaluated separately in SRE-614.

---
 .github/actions/build-docker-images/action.yml | 10 ++++++++++
 .github/actions/docker-build-push/action.yml | 1 +
 2 files changed, 11 insertions(+)

diff --git a/.github/actions/build-docker-images/action.yml b/.github/actions/build-docker-images/action.yml
index 54789c17a46..547af9d02f1 100644
--- a/.github/actions/build-docker-images/action.yml
+++ b/.github/actions/build-docker-images/action.yml
@@ -75,6 +75,7 @@ runs:
 tags: |
 hash-graph
 hash-graph:test
+ provenance: false
 cache-from: |
 type=registry,ref=ghcr.io/hashintel/hash-graph${{ env.IMAGE_TAG }}
 type=registry,ref=ghcr.io/hashintel/hash-graph
@@ -99,6 +100,7 @@ runs:
 tags: |
 hash-graph
 hash-graph:test
+ provenance: false
 cache-from: |
 type=registry,ref=ghcr.io/hashintel/hash-graph
 secrets: |
@@ -114,6 +116,7 @@ runs:
 context: .
 file: apps/hash-ai-worker-ts/docker/Dockerfile
 tags: hash-ai-worker-ts
+ provenance: false
 cache-from: |
 type=registry,ref=ghcr.io/hashintel/hash-ai-worker-ts${{ env.IMAGE_TAG }}
 type=registry,ref=ghcr.io/hashintel/hash-ai-worker-ts
@@ -135,6 +138,7 @@ runs:
 context: .
 file: apps/hash-ai-worker-ts/docker/Dockerfile
 tags: hash-ai-worker-ts
+ provenance: false
 cache-from: |
 type=registry,ref=ghcr.io/hashintel/hash-ai-worker-ts
 secrets: |
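Review bot: The `provenance: false` lines added in this hunk and in the @@ -99, -114 and -135 hunks (and likewise in the integration-worker, api, frontend and docker-build-push hunks that follow) carry no comment, so the reason for the setting lives only in the commit message and nothing at the step itself stops a later edit from dropping the key or re-enabling attestations. A one-line comment above each would keep the intent next to the setting, e.g. `# SRE-613: no provenance attestation, so the pushed image is a plain single-platform manifest that AWS Inspector can correlate with deployments; revisit under SRE-614`. It is also worth stating, in that comment or in the commit, that no build provenance is shipped alongside these images until SRE-614 lands, so any downstream consumer that verifies attestations — if one exists in this pipeline — should be checked before merging. As far as I know `provenance: false` only switches off the provenance attestation, so if `sbom` is ever enabled on these steps the image would again be published as an index and the Inspector correlation problem would return; the comment could mention that too.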
@@ -149,6 +153,7 @@ runs:
 context: .
 file: apps/hash-integration-worker/docker/Dockerfile
 tags: hash-integration-worker
+ provenance: false
 cache-from: |
 type=registry,ref=ghcr.io/hashintel/hash-integration-worker${{ env.IMAGE_TAG }}
 type=registry,ref=ghcr.io/hashintel/hash-integration-worker
@@ -168,6 +173,7 @@ runs:
 context: .
 file: apps/hash-integration-worker/docker/Dockerfile
 tags: hash-integration-worker
+ provenance: false
 cache-from: |
 type=registry,ref=ghcr.io/hashintel/hash-integration-worker
 secrets: |
@@ -180,6 +186,7 @@ runs:
 context: .
 file: infra/docker/api/prod/Dockerfile
 tags: hash-api
+ provenance: false
 cache-from: |
 type=registry,ref=ghcr.io/hashintel/hash-api${{ env.IMAGE_TAG }}
 type=registry,ref=ghcr.io/hashintel/hash-api
@@ -199,6 +206,7 @@ runs:
 context: .
 file: infra/docker/api/prod/Dockerfile
 tags: hash-api
+ provenance: false
 cache-from: |
 type=registry,ref=ghcr.io/hashintel/hash-api
 secrets: |
@@ -211,6 +219,7 @@ runs:
 context: .
 file: infra/docker/frontend/prod/Dockerfile
 tags: hash-frontend
+ provenance: false
 cache-from: |
 type=registry,ref=ghcr.io/hashintel/hash-frontend${{ env.IMAGE_TAG }}
 type=registry,ref=ghcr.io/hashintel/hash-frontend
@@ -233,6 +242,7 @@ runs:
 context: .
 file: infra/docker/frontend/prod/Dockerfile
 tags: hash-frontend
+ provenance: false
 cache-from: |
 type=registry,ref=ghcr.io/hashintel/hash-frontend
 secrets: |
diff --git a/.github/actions/docker-build-push/action.yml b/.github/actions/docker-build-push/action.yml
index 10272bae4ed..0ba21dd88af 100644
--- a/.github/actions/docker-build-push/action.yml
+++ b/.github/actions/docker-build-push/action.yml
@@ -84,6 +84,7 @@ runs:
 ${{ inputs.AWS_ECR_URL }}/${{ inputs.IMAGE_NAME }}:${{ inputs.IMAGE_TAG }}
 ${{ inputs.AWS_ECR_URL }}/${{ inputs.IMAGE_NAME }}:sha-${{ github.sha }}
 ${{ inputs.AWS_ECR_URL }}/${{ inputs.IMAGE_NAME }}:run-${{ env.GH_RUN_ID }}
+ provenance: false
 cache-from: type=local,src=/tmp/.buildx-cache
 cache-to: type=local,mode=max,dest=/tmp/.buildx-cache-new