CVE issue #39

@rabahbrahami

Description

Alpine 3.9 is End-of-Life (EOL) → critical issue.
zlib 1.2.11-r1 has CVE-2022-37434 → fixed in 1.2.12-r3+.

Use a supported Alpine version (3.19 or 3.20) and update packages.

    Name: zlib, Version: 1.2.11-r1
        Failed policy: Default vulnerabilities policy
        CVE-2022-37434, Severity: CRITICAL, Source: https://security.alpinelinux.org/vuln/CVE-2022-37434
            CVSS score: 9.8, CVSS exploitability score: 3.9
            Fixed version: 1.2.12-r3
            Has public exploit

Layer build command: 'COPY /workspace/webhook /usr/local/bin/webhook # buildkit'
End of life technologies:
Name: Linux Alpine, Version: 3.9.6
EOL-OPERATING-SYSTEM, Severity: CRITICAL, Source:
Fixed version: 3.20.9

The fix:

# Stage 1: dependency cache. Only go.mod/go.sum are copied here so the module
# download layer is reused as long as the dependency set does not change.
FROM golang:1.20-alpine AS build_deps

RUN apk add --no-cache git

WORKDIR /workspace
ENV GO111MODULE=on

COPY go.mod .
COPY go.sum .

RUN go mod download

# Stage 2: build a fully static binary (CGO disabled, symbols stripped) so the
# runtime image needs no libc or build toolchain.
FROM build_deps AS build

COPY . .

RUN CGO_ENABLED=0 go build -o webhook -ldflags '-w -extldflags "-static"' .

# Stage 3: minimal runtime on a supported Alpine branch. This replaces the EOL
# Alpine 3.9 base (and its vulnerable zlib 1.2.11-r1) flagged by the scanner;
# only the CA bundle is added for outbound TLS.
FROM alpine:3.20

RUN apk add --no-cache ca-certificates

COPY --from=build /workspace/webhook /usr/local/bin/webhook

ENTRYPOINT ["webhook"]
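A post-build check for the two findings above, added here as an example and not code from the issue or the project. It compares an image's `/etc/alpine-release` value and installed zlib version against the supported branches (3.19 and 3.20) and the fixed version (1.2.12-r3) named in the issue; the function names and the sample values `3.20.3` / `1.2.13-r1` are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the issue: post-build checks for the scanner findings.
# Version strings and the supported-branch list are taken from the issue text.

# apk_version_lt A B: succeed when A sorts strictly before B. Handles the dotted
# upstream part and apk's "-rN" package release suffix (absent suffix counts as 0).
# Assumes purely numeric fields, which covers versions such as 1.2.11-r1 and 1.2.12-r3.
apk_version_lt() {
    a=$1 b=$2
    a_up=${a%-r*}; [ "$a_up" = "$a" ] && a_rel=0 || a_rel=${a##*-r}
    b_up=${b%-r*}; [ "$b_up" = "$b" ] && b_rel=0 || b_rel=${b##*-r}
    a_rest="$a_up." b_rest="$b_up."
    while [ -n "$a_rest" ] || [ -n "$b_rest" ]; do
        a_f=${a_rest%%.*}; a_rest=${a_rest#*.}
        b_f=${b_rest%%.*}; b_rest=${b_rest#*.}
        [ "${a_f:-0}" -lt "${b_f:-0}" ] && return 0
        [ "${a_f:-0}" -gt "${b_f:-0}" ] && return 1
    done
    [ "$a_rel" -lt "$b_rel" ]
}

# alpine_branch_supported RELEASE: succeed when the x.y branch of an
# /etc/alpine-release value (e.g. 3.20.3) is in the supported list. The list
# follows the issue (3.19 and 3.20) and must be refreshed as branches go EOL.
SUPPORTED_BRANCHES="3.19 3.20"
alpine_branch_supported() {
    branch=$(printf '%s' "$1" | cut -d. -f1,2)
    for s in $SUPPORTED_BRANCHES; do
        [ "$s" = "$branch" ] && return 0
    done
    return 1
}

# image_verdict RELEASE ZLIB_VERSION: print "ok" or the reasons the image would
# still fail the scanner policy. In a pipeline the two inputs come from the built
# image, e.g.:  docker run --rm IMAGE sh -c 'cat /etc/alpine-release; apk list -I zlib'
image_verdict() {
    verdict=""
    alpine_branch_supported "$1" || verdict="eol-os"
    if apk_version_lt "$2" "1.2.12-r3"; then
        verdict="${verdict:+$verdict,}zlib-CVE-2022-37434"
    fi
    printf '%s\n' "${verdict:-ok}"
}

image_verdict "3.9.6" "1.2.11-r1"    # the issue's image: eol-os,zlib-CVE-2022-37434
image_verdict "3.20.3" "1.2.13-r1"   # constructed sample after the fix: ok
```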
