Skip to content

fix: trivy unknown severitis for test/kaito-base image #1747

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
zhuangqh merged 1 commit into from
Feb 2, 2026
Merged

fix: trivy unknown severitis for test/kaito-base image #1747

zhuangqh merged 1 commit into from
Feb 2, 2026

Conversation

@rambohe-ch
Copy link
Collaborator

@rambohe-ch rambohe-ch commented Jan 28, 2026
edited
Loading

Reason for Change:

  1. I've met the trivy error in this pull request: https://github.com/kaito-project/kaito/actions/runs/21424380339/job/61690448685, and there are 36 unknown severities for test/kaito-base:v0.0.1 image.

in this pull request, we update Debian package handling in [Dockerfile] to run apt-get install related libs, so security-fixed packages (like OpenSSL) get pulled in during image build.

  1. install opencv related libs for ministral model depends on them.

Requirements

  • added unit tests and e2e tests (if applicable).

Issue Fixed:

Notes for Reviewers:

@kaito-pr-agent
Copy link

kaito-pr-agent bot commented Jan 28, 2026

Title

Fix trivy unknown severities by upgrading Debian packages in Dockerfile

Description

  • Fixed trivy unknown severities by upgrading Debian packages

  • Improved Dockerfile security with apt-get upgrade

  • Added autoremove step to clean unused packages

  • Enhanced package installation process

Changes walkthrough 📝

Relevant files
Bug fix
Dockerfile
Update Debian package handling to include upgrades and autoremove

docker/presets/models/tfs/Dockerfile

  • Added apt-get upgrade -y to apply security updates
  • Added apt-get autoremove -y to remove unused packages
  • Improved apt-get install command structure with explicit flags
  • Enhanced package installation process for security
    		• +4/-1     
    Need help?
  • Type /help how to ... in the comments thread for any questions about PR-Agent usage.
  • Check out the documentation for more information.
    		•

    @kaito-pr-agent
    Copy link

    kaito-pr-agent bot commented Jan 28, 2026

    PR Reviewer Guide 🔍

    Here are some key observations to aid the review process:

    ⏱️ Estimated effort to review: 1 🔵⚪⚪⚪⚪
    🧪 No relevant tests
    🔒 No security concerns identified
    ⚡ No major issues detected

    @kaito-pr-agent
    Copy link

    kaito-pr-agent bot commented Jan 28, 2026

    PR Code Suggestions ✨

    Explore these optional code suggestions:

    CategorySuggestion                                                                                                                                    Impact
    Security
    Remove apt-get upgrade for security

    Avoid using apt-get upgrade in Dockerfiles as it can cause unpredictable builds and
    security issues. Instead, pin package versions explicitly. The upgrade command may
    install incompatible versions and bloat the image. Remove this line to maintain
    deterministic builds.

    docker/presets/models/tfs/Dockerfile [15-19]

     RUN apt-get update -y && \
-    apt-get upgrade -y && \
     apt-get install --no-install-recommends -y curl gcc libc-dev perl && \
     apt-get autoremove -y && \
     apt-get clean && rm -rf /var/lib/apt/lists/*
    Suggestion importance[1-10]: 9

    __

    Why: Removing apt-get upgrade addresses security risks and ensures deterministic builds by preventing unexpected package upgrades. This aligns with Docker best practices for image stability.

    		High

    @zhuangqh
    Copy link
    Collaborator

    zhuangqh commented Jan 28, 2026

    please bump the base image tag in kaito/presets/workspace/models/support_models.yaml

    @rambohe-ch
    Copy link
    Collaborator Author

    rambohe-ch commented Jan 28, 2026

    please bump the base image tag in kaito/presets/workspace/models/support_models.yaml

    fixed, PTAL

    @rambohe-ch rambohe-ch force-pushed the fix-trivy-unknow-severity branch from 1279547 to ac0ccbf Compare January 31, 2026 10:25
    @rambohe-ch rambohe-ch force-pushed the fix-trivy-unknow-severity branch from 5964460 to 81e542b Compare February 2, 2026 03:21
    @rambohe-ch rambohe-ch mentioned this pull request Feb 2, 2026
    Open
    1 task
    @zhuangqh
    Copy link
    Collaborator

    zhuangqh commented Feb 2, 2026

    Upgrade Compatibility Test is broken because the base image tag was bumped but the upgrade test try to use it.
    Skip this test as this test should be recovered once official base image is released.

    @zhuangqh zhuangqh merged commit 67524e5 into kaito-project:main Feb 2, 2026
    19 of 21 checks passed
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

    Reviewers

    @zhuangqh zhuangqh zhuangqh approved these changes

    @Fei-Guo Fei-Guo Fei-Guo approved these changes

    @chewong chewong Awaiting requested review from chewong chewong is a code owner

    Assignees

    No one assigned

    Labels

    Review effort 1/5

    Projects

    KAITO Roadmap
    Status: Done

    Milestone

    No milestone

    Development

    Successfully merging this pull request may close these issues.

    3 participants

    @rambohe-ch @zhuangqh @Fei-Guo