From 363f5571f8fdd0f8178367d90574742b4adb218a Mon Sep 17 00:00:00 2001
From: Matthieu MOREL
Date: Wed, 3 Jan 2024 18:17:40 +0100
Subject: [PATCH] ossf: pin docker versions (#1056)

Signed-off-by: Matthieu MOREL
---
 .github/dependabot.yml | 8 ++++++++
 README.md | 2 ++
 benchmarks/docker/Dockerfile-benchmark | 4 ++--
 ci/docker/Dockerfile-nighthawk | 2 +-
 ci/docker/Dockerfile-nighthawk-benchmark | 2 +-
 5 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index a83ef3851..0565d06a8 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,5 +1,13 @@
 version: 2
 updates:
+- package-ecosystem: docker
+ directory: /ci/docker
+ schedule:
+ interval: daily
+- package-ecosystem: docker
+ directory: /benchmarks/docker
+ schedule:
+ interval: daily
 - package-ecosystem: github-actions
 directory: /
 schedule:
diff --git a/README.md b/README.md
index af094db03..e8b2476e2 100644
--- a/README.md
+++ b/README.md
@@ -2,6 +2,8 @@
 *A L7 (HTTP/HTTPS/HTTP2) performance characterization tool*
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/envoyproxy/nighthawk/badge)](https://api.securityscorecards.dev/projects/github.com/envoyproxy/nighthawk)
+
 ## Current state
 Nighthawk currently offers:
diff --git a/benchmarks/docker/Dockerfile-benchmark b/benchmarks/docker/Dockerfile-benchmark
index 2a250db8a..c105838e7 100644
--- a/benchmarks/docker/Dockerfile-benchmark
+++ b/benchmarks/docker/Dockerfile-benchmark
@@ -1,4 +1,4 @@
-FROM frolvlad/alpine-python3
+FROM frolvlad/alpine-python3@sha256:cc524b08e68d0545c0d89bb426aeb71359d6146eca941480efa778fd64dd4714
 RUN apk add docker openrc
 RUN rc-update add docker boot
@@ -11,4 +11,4 @@ ENV ENVOY_PATH="envoy" \
 RUNFILES_DIR="/usr/local/bin/benchmarks/benchmarks.runfiles/" \
 ENVOY_IP_TEST_VERSIONS="v4only"
-CMD ["./benchmarks", "--help"]
\ No newline at end of file
+CMD ["./benchmarks", "--help"]
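Review bot: The new `FROM frolvlad/alpine-python3@sha256:cc524b08…` line in the first hunk of benchmarks/docker/Dockerfile-benchmark pins a digest with no tag beside it, so nothing on the line tells a reader which release of this third-party image the digest stands for or how old it is. Keeping the tag the digest was resolved from, `FROM frolvlad/alpine-python3:<TAG_PLACEHOLDER>@sha256:cc524b08e68d0545c0d89bb426aeb71359d6146eca941480efa778fd64dd4714`, would make the Dependabot bump PRs enabled by this commit reviewable at a glance. The pin also covers only the base layer: the `RUN apk add docker openrc` context line directly below still installs whatever package versions the repository serves at build time, so the image is not yet reproducible; pinning those packages (or at least adding `--no-cache`) is a natural follow-up. The rest of the file lies outside this hunk.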
diff --git a/ci/docker/Dockerfile-nighthawk b/ci/docker/Dockerfile-nighthawk
index 153113e8b..2477818b1 100644
--- a/ci/docker/Dockerfile-nighthawk
+++ b/ci/docker/Dockerfile-nighthawk
@@ -1,4 +1,4 @@
-FROM frolvlad/alpine-glibc:alpine-3.13_glibc-2.32
+FROM frolvlad/alpine-glibc:alpine-3.13_glibc-2.32@sha256:cc9a97ed4e27fe0129056fa422d1c54f5a2f7ebe9a2856d7d5a15f17a17614fc
 ADD nighthawk_client /usr/local/bin/nighthawk_client
 ADD nighthawk_test_server /usr/local/bin/nighthawk_test_server
diff --git a/ci/docker/Dockerfile-nighthawk-benchmark b/ci/docker/Dockerfile-nighthawk-benchmark
index e0993bc61..c144fef5e 100644
--- a/ci/docker/Dockerfile-nighthawk-benchmark
+++ b/ci/docker/Dockerfile-nighthawk-benchmark
@@ -1,4 +1,4 @@
-FROM frolvlad/alpine-glibc:alpine-3.13_glibc-2.32
+FROM frolvlad/alpine-glibc:alpine-3.13_glibc-2.32@sha256:cc9a97ed4e27fe0129056fa422d1c54f5a2f7ebe9a2856d7d5a15f17a17614fc
 CMD ["./benchmarks" "--help"]
 ENV RUNFILES_DIR=/usr/local/bin/benchmarks/benchmarks.runfiles
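Review bot: Pinning `alpine-3.13_glibc-2.32` by digest on the `FROM` line of ci/docker/Dockerfile-nighthawk freezes the image on Alpine 3.13, which is past its upstream support window, so the pin guarantees integrity while also locking in whatever unpatched packages that base carries. The same tag and digest are pinned in ci/docker/Dockerfile-nighthawk-benchmark, so the point applies there too. A comment above each `FROM` would record the intent, e.g. `# Digest-pinned for supply-chain integrity; base is Alpine 3.13 (unsupported), bump via the Dependabot docker PRs`, and moving to a supported base tag deserves a follow-up. Whether Dependabot can parse this publisher's `alpine-X.Y_glibc-A.B` tag scheme to propose newer tags is not visible here and should be confirmed once the first update run completes.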
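Review bot: The context line `CMD ["./benchmarks" "--help"]` in ci/docker/Dockerfile-nighthawk-benchmark is missing the comma between the two array elements, so it is not valid JSON and Docker falls back to shell form instead of exec form. The default command therefore does not run `./benchmarks --help` as written; the sibling benchmarks/docker/Dockerfile-benchmark in this same commit has the correct form. Since this commit already touches the file, the line should become `CMD ["./benchmarks", "--help"]`. The file may continue below the lines shown in this hunk.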