[Snyk] Security upgrade grafana/grafana from latest to 12.3.0-18578466485 #48
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-ALPINE322-CURL-13277269 - https://snyk.io/vuln/SNYK-ALPINE322-CURL-13277269 - https://snyk.io/vuln/SNYK-ALPINE322-CURL-13277270 - https://snyk.io/vuln/SNYK-ALPINE322-CURL-13277270 - https://snyk.io/vuln/SNYK-ALPINE322-OPENSSL-13174131
Summary of ChangesHello @Giftedx, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request is a crucial security enhancement, automatically initiated by Snyk, to update the base Docker image for Grafana. By moving from a generic 'latest' tag to a specific, patched version, it effectively mitigates multiple low-severity vulnerabilities, ensuring a more secure and stable application environment. The change is minimal, focusing solely on the Dockerfile to pull the updated image. Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
There was a problem hiding this comment.
Pull Request Overview
This is a security upgrade that updates the Grafana Docker base image from latest to a specific version 12.3.0-18578466485 to fix 3 known vulnerabilities related to curl and OpenSSL dependencies in Alpine Linux.
- Updates Grafana base image to specific versioned tag
- Addresses security vulnerabilities in curl (CVE-2025-9086, CVE-2025-10148) and OpenSSL (CVE-2025-9232)
- Replaces
latesttag with pinned version for better reproducibility
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
![gemini-code-assist[bot]](https://waps.l3s.uni-hannover.de/live/im_/https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request from Snyk upgrades the Grafana base image in grafana/Dockerfile to fix several low-severity vulnerabilities. Pinning the base image version is a good practice, moving away from the unpredictable latest tag.
However, there is a critical issue with this PR's scope. It only updates the Grafana instance used in the monitoring stack (defined in docker/docker-compose.monitoring.yml), which builds from this Dockerfile. The Grafana instance in your production-like environment, defined in deploy/docker-compose.prod.yaml, still uses image: grafana/grafana:latest. This means the production Grafana instance will not receive this security update and will remain vulnerable. To fully remediate the vulnerabilities, the grafana service in deploy/docker-compose.prod.yaml must also be updated to a fixed, secure image version.
Additionally, I've left a comment on the Dockerfile regarding the use of what appears to be a non-stable image tag, which could introduce risks.
| @@ -1,5 +1,5 @@ | |||
| # Use official Grafana image as base | |||
| FROM grafana/grafana:latest | |||
| FROM grafana/grafana:12.3.0-18578466485 | |||
There was a problem hiding this comment.
While pinning the base image to a specific version is the correct approach to fix vulnerabilities and ensure build reproducibility, the tag 12.3.0-18578466485 appears to be a non-standard, possibly unstable, build-specific tag. Using such tags can introduce risks if they are not official, stable releases. For long-term maintainability, it's preferable to use official semantic version tags (e.g., 12.3.0) or image digests. If a stable version with the required security patches is not yet available, consider adding a comment here explaining why this specific tag is necessary.
Snyk has created this PR to fix 3 vulnerabilities in the dockerfile dependencies of this project.
Keeping your Docker base image up-to-date means you’ll benefit from security fixes in the latest version of your chosen image.
Snyk changed the following file(s):
grafana/DockerfileWe recommend upgrading to
grafana/grafana:12.3.0-18578466485, as this image has only 0 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.Vulnerabilities that will be fixed with an upgrade:
SNYK-ALPINE322-CURL-13277269
SNYK-ALPINE322-CURL-13277269
SNYK-ALPINE322-CURL-13277270
SNYK-ALPINE322-CURL-13277270
SNYK-ALPINE322-OPENSSL-13174131
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.