Fork AutoDevOps buildpacks and fix vulnerabilities
Problem to solve
The AutoDevOps container_scanning job reports vulnerabilities in the gliderlabs/herokuish:latest buildpack image that is used by the build stage.
We are able to reproduce this on gitlab.com for the above image as well as the heroku/buildpacks:18 image used by the proposed cloud native buildpacks feature, which is in beta.
Note that even when configuring the CI/CD variable AUTO_DEVOPS_BUILD_IMAGE_CNB_BUILDER to use the heroku/buildpacks:latest image, vulnerabilities are still reported.
Proposal
I propose that we fork the buildpack images, fix the vulnerabilities, push the images back to our registry, and use these images in the build stage of AutoDevOps.
We would then continue to maintain these images to ensure that they remain secure.
What does success look like, and how can we measure that?
Nightly builds of our forked buildpacks image should report 0 vulnerabilities.
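One way to realise that nightly check, as an added example that is not GitLab's own configuration and not part of this issue: a scheduled pipeline that rebuilds the forked builder image from a Dockerfile in the repository, pushes it to the project registry, scans it with the Container-Scanning template, and fails unless the report is empty. The Dockerfile, the image tag, the docker image versions, and the template's CS_IMAGE variable are assumptions.

```yaml
# Added example, not GitLab's own configuration. Assumed: a Dockerfile in this repo that
# starts FROM heroku/buildpacks:18 and applies the fixes, and GitLab's Container-Scanning
# template with its CS_IMAGE variable (GitLab 14 or later).
include:
  - template: Security/Container-Scanning.gitlab-ci.yml

variables:
  BUILDER_IMAGE: $CI_REGISTRY_IMAGE/buildpacks:18-patched   # constructed tag

workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"   # run only from the nightly schedule

build_builder:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    # --pull and --no-cache so the base image and package updates are fresh every night
    - docker build --pull --no-cache -t "$BUILDER_IMAGE" .
    - docker push "$BUILDER_IMAGE"

container_scanning:
  needs: [build_builder]
  variables:
    CS_IMAGE: $BUILDER_IMAGE   # scan the image we just pushed, not the upstream one

# The template's job records findings but does not fail on them, so gate separately:
# the nightly pipeline stays red until the forked image reports 0 vulnerabilities.
gate_zero_vulns:
  stage: deploy
  image: alpine:3.19
  needs:
    - job: container_scanning
      artifacts: true
  script:
    - apk add --no-cache jq
    - COUNT=$(jq '.vulnerabilities | length' gl-container-scanning-report.json)
    - echo "$COUNT vulnerabilities reported for $BUILDER_IMAGE"
    - test "$COUNT" -eq 0
```

Application pipelines then consume the patched image by setting AUTO_DEVOPS_BUILD_IMAGE_CNB_BUILDER to the pushed tag.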
Links / references
Pipelines that report vulnerabilities for the buildpacks.
This issue was raised by an Ultimate customer in https://gitlab.zendesk.com/agent/tickets/187306 (internal use only).
Related to Move Auto DevOps to Cloud Native Buildpacks by default instead of Herokuish.
Note that I was unsure whether to open this issue under the auto-build-image project, but the other related issues appear to reside here.