v0.5.4

Download binaries at https://crashoverride.com/downloads

---

Fixes

• chalk insert was running external tools on the exact path being chalked. For example chalk insert hello.py would run semgrep on hello.py. Now chalk will compute nearest git repository and run external tools on it instead. (#485)
• When Dockerfile specifies syntax directive, chalk checks buildkit frontend version compatibility as older frontends do not support --build-context CLI argument. Passing the flag would fail the wrapped build and chalk would fallback to vanilla docker build. More about syntax directive here. (#486)
• Heartbeat reports had older timestamps. Reporting state was cleared before sleeping for the heartbeat which meant that timestamp was always off by the heartbeats interval - default 10 minutes. (#487)

New Features

• EXTERNAL_TOOL_DURATION key which reports external tool duration for each invocation. (#488)
• run_secret_scanner_tools configuration which then collects new SECRET_SCANNER key. Currently only trufflehog is supported. (#489)

---

Commits since the previous tag: v0.5.3...v0.5.4

v0.5.3

Download binaries at https://crashoverride.com/downloads

---

Fixes

• Incorrect base image for DOCKER_COPY_IMAGES when using stage index (e.g. COPY --from=<index>). (#479)
• Installing shell autocompletion script was wiping bash/zsh rc files. (#480)

---

Commits since the previous tag: v0.5.2...v0.5.3

v0.5.2

Download binaries at https://crashoverride.com/downloads

---

Fixes

• _REPO_TAGS did not include all pushed tags when using buildx build --push without --load. (#471)

• Requests to AWS API were incorrectly signed due to additional headers being included in AWS sigv4. This impacted:

  • uploading reports to s3 sink
  • lambda plugin as it could not get caller identity

  This was a regression from 0.4.14. (nimutils #82, #473)

---

Commits since the previous tag: v0.5.1...v0.5.2

v0.5.1

Download binaries at https://crashoverride.com/downloads

---

Fixes

• For docker build, --platform was not honored when pinning base images. (#468)
• _REPO_URLS was not extracting org.opencontainers.image.url annotation correctly. (#468)

---

Commits since the previous tag: v0.5.0...v0.5.1

v0.5.0

Download binaries at https://crashoverride.com/downloads

---

Breaking Changes

• Changes to docker image related fields.

  Removed keys:

  • _IMAGE_DIGEST - there are cases when the image digest is mutated. For example docker pull && docker push drops all manifest annotations resulting in a change to the digest. It is recommended to use _REPO_DIGESTS instead as it will include all digests per repository.
  • _IMAGE_LIST_DIGEST - it is possible to create manifests outside the build context which results in multiple list manifests for the same image. The new _REPO_LIST_DIGESTS key provides a list of all digests per repository.

  Changed keys:

  • _REPO_DIGESTS previously (and incorrectly) would return the first registry and the image digest. This key now provides a list of image digests by registry and image name.

    Before:

    {
      // old format
      "_REPO_DIGESTS": {
        "224111541501.dkr.ecr.us-east-1.amazonaws.com/co/chalketl/scripts": "249ce02d7f5fe0398fc87c2fb6c225ef78912f038f4be4fe9c35686082fe3cb0"
      }
    }

    Now:

    {
      // new format
      "_REPO_DIGESTS": {
        "registry-1.docker.io": {
          "library/alpine": [
            "029a752048e32e843bd6defe3841186fb8d19a28dae8ec287f433bb9d6d1ad85"
          ]
        }
      }
    }

  • _REPO_TAGS now includes tags which are only available in the registry. Builds without --push, even when provided with --tag, will not populate _REPO_TAGS anymore. In addition similarly to _REPO_DIGESTS, it is an object where each tag is associated with its digest (either list or image digest). For example:

    {
      "_REPO_TAGS": {
        "registry-1.docker.io": {
          "library/alpine": {
            "latest": "1e42bbe2508154c9126d48c2b8a75420c3544343bf86fd041fb7527e017a4b4a"
          }
        }
      }
    }

  • DOCKER_BASE_IMAGES - sub-keys:

    • name renamed to uri; contains the full repository uri (tag and digest)
    • new registry key; the normalized registry uri (domain and optional port)
    • new name key; the normalized repo name within the registry

    Before:

    // old format
    {
      "from": "nginx:1.27.0",
      "tag": "1.27.0",
      "name": "nginx:1.27.0",
      "repo": "nginx"
    }

    Now:

    // new format
    {
      "from": "nginx:1.27.0@sha256:97b83c73d3165f2deb95e02459a6e905f092260cd991f4c4eae2f192ddb99cbe",
      "uri": "nginx:1.27.0@sha256:97b83c73d3165f2deb95e02459a6e905f092260cd991f4c4eae2f192ddb99cbe",
      "repo": "nginx",
      "registry": "registry-1.docker.io",
      "name": "library/nginx",
      "tag": "1.27.0",
      "digest": "97b83c73d3165f2deb95e02459a6e905f092260cd991f4c4eae2f192ddb99cbe"
    }

  • DOCKER_COPY_IMAGES - similar to DOCKER_BASE_IMAGES, the name key has been renamed to uri and adds the registry and name keys.

  New keys:

  • _REPO_LIST_DIGESTS - similar to _REPO_DIGESTS but enumerates any known list digests. Example:

    {
      "_REPO_LIST_DIGESTS": {
        "registry-1.docker.io": {
          "library/alpine": [
            "1e42bbe2508154c9126d48c2b8a75420c3544343bf86fd041fb7527e017a4b4a"
          ]
        }
      }
    }

  • _REPO_URLS - similar to _REPO_DIGESTS but shows human-accessible URL, if known as per OCI image annotation or computed for Docker Hub images. Example:

    {
      "_REPO_URLS": {
        "registry-1.docker.io": {
          "library/alpine": "https://hub.docker.com/_/alpine"
        }
      }
    }

  NOTE: All _REPO_* keys normalize registry to its canonical domain. For example, docker hub is normalized to registry-1.docker.io. Additionally, all image names are normalized to how they are stored in the registry. Note library/ prefix for alpine in the example above.

  (#450, #453, #464)

• Git time-related fields are now reported in ISO-8601 format whereas previously it was reporting using default git format.

  Before:

  {
    "DATE_AUTHORED": "Tue Dec 10 11:46:06 2024 -0500",
    "DATE_COMMITTED": "Tue Dec 10 11:46:06 2024 -0500",
    "DATE_TAGGED": "Tue Dec 10 11:46:06 2024 -0500"
  }

  Now:

  {
    "DATE_AUTHORED": "2024-12-10T16:46:06.000Z",
    "DATE_COMMITTED": "2024-12-10T18:49:00.000Z",
    "DATE_TAGGED": "2024-12-10T18:49:00.000Z"
  }

  This also affects all host-level keys in addition to chalk-level keys:

  • DATE_AUTHORED
  • DATE_COMMITTED
  • DATE_TAGGED
  • _DATE_AUTHORED
  • _DATE_COMMITTED
  • _DATE_TAGGED

  To make parsing easier, in addition to human readable DATE_* fields, new TIMESTAMP_* fields are added which report milliseconds since Unix epoch:

  {
    "DATE_AUTHORED": "2024-12-10T16:46:06.000Z",
    "DATE_COMMITTED": "2024-12-10T18:49:00.000Z",
    "DATE_TAGGED": "2024-12-10T18:49:00.000Z",
    "TIMESTAMP_AUTHORED": 1733849166000,
    "TIMESTAMP_COMMITTED": 1733856540000
    "TIMESTAMP_TAGGED": 1733856540000
  }

  (#458)

• All datetime fields are now reported in UTC TZ whereas previously were reported in machines local TZ (#458)

Fixes

• DOCKERFILE_PATH_WITHIN_VCTL key is no longer reported when providing Dockerfile contents via stdin (#454).

• Git time-related fields report accurate timezone now. Previously wrong commit TZ was being reported as committed in git which was not correct. (#458)

• _OP_ERRORS includes all logs from chalkmark ERR_INFO, even when its collection fails (#459)

• docker buildx build without both --push or --load report their chalkmarks now. Chalkmarks however are missing any runtime keys as those cannot be inspected due to image neither being pushed to a registry or loaded into local daemon. Such an image is normally inaccessible however it is still in buildx cache hence it can be used in subsequent builds. (#459)

New Features

• Chalk pins base images in Dockerfile. For example:

  FROM alpine

  Will be pinned to:

  FROM alpine@sha256:beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d

  This makes docker build deterministic and avoids any possible race conditions between chalk looking up metadata about base image and actual docker build. (#449)

• Docker annotations new keys:

  • DOCKER_ANNOTATIONS - all --annotations using in docker build
  • _IMAGE_ANNOTATIONS - found annotations for an image in registry

  (#452)

• Docker base image keys:

  • _OP_ARTIFACT_CONTEXT - what is the context of the artifact. For docker build its either build or base.
  • DOCKER_BASE_IMAGE_REGISTRY - just registry of the base image
  • DOCKER_BASE_IMAGE_NAME - repo name within the registry
  • DOCKER_BASE_IMAGE_ID - image id (config digest) of the base image
  • DOCKER_BASE_IMAGE_METADATA_ID - id of the base image chalkmark
  • `DOCKER_BASE_IMAGE_CHALK`` - full chalkmark of base image
  • _COLLECTED_ARTIFACTS - similar to _CHALKS but reports collected information about potentially non-chalked artifacts such as the base image. If the base image is chalked it can be correlated with the build chalkmark via METADATA_ID. Otherwise both artifacts can be linked via the digest or the image id.

  (#453, #463)

• _IMAGE_LAYERS key which collects image layer digests as it is stored in the registry. This should allow to correlate base images by matching layer combinations from other images. (#456)

• _DOCKER_USED_REGISTRIES - Configurations about all used docker registires during chalk operation. For example:

  {
    "_DOCKER_USED_REGISTIES" {
      "example.com:5044": {
        "url": "https://example.com:5044/v2/",
        "mirroring": "registry-1.docker.io",
        "source": "buildx",
        "scheme": "https",
        "http": false,
        "secure": true,
        "insecure": false,
        "auth": true,
        "www_auth": false,
        "pinned_cert_path": "/etc/buildkit/certs/example_com_5044/ca.crt",
        "pinned_cert": "-----BEGIN CERTIFICATE-----\n..."
      }
    }
  }

  (#461)

---

Commits since the previous tag: v0.4.14...v0.5.0

v0.4.14

Download binaries at https://crashoverride.com/downloads

---

Breaking Changes

• Changes in embed attestation provider configuration. Removed attestation_key_embed.location configuration. It is replaced with these configurations:

  • attestation_key_embed.filename
  • attestation_key_embed.save_path
  • attestation_key_embed.get_paths

  This allows to separate paths where chalk setup look-ups keys as well where chalk will save generated key. Also this allows to lookup keys relative to chalk binary which is better suited for CI workflows where it might not be desirable to add additional files in current working directory. (#445)

• chalk setup requires interactive shell to generate new key-material. This will avoid accidentally generating new keys in CI. (#447)

Fixes

• When running semgrep, its always added to PATH, as otherwise semgrep is not able to find pysemgrep folder. (#439)
• Docker pushing non-chalked images did not report metsys plugin keys such as _EXIT_CODE, _CHALK_RUN_TIME. (#438)
• External tools for non-file artifacts (e.g. docker image) sent duplicate keys in both report-level as well as chalk-mark level. For example SBOM key with equivalent content was duplicated twice. (#440)
• Memory leak in HTTP wrappers in nimutils. This mostly manifested in chalk exec when heartbeats were enabled as roughly each heartbeat would increase memory footprint by ~1Mb. (#443)

New Features

• _EXEC_ID key which is unique for each chalk execution for all commands while chalk process is alive. For example it will send consistent values for both exec and heartbeat reports hence allowing to tie both reports together.
• heartbeat report template. It is a minimal reporting template which is now used as the default report template for all heartbeat reports. Main purpose of heartbeat is to indicate liveliness hence such a minimal report. All other metadata should be collected as part of exec report instead.

---

Commits since the previous tag: v0.4.13...v0.4.14

v0.4.13

Download binaries at https://crashoverride.com/downloads

---

New Features

• _OP_EXIT_CODE key which reports external commands exit code such as for chalk docker build. (#417)

• _OP_CLOUD_SYS_VENDOR key for reporting sys vendor file content used to identity cloud provider. (#418)

• FAILED_KEYS and _OP_FAILED_KEYS - metadata keys which chalk could not collect metadata for. (#422) Each key contains:

  • code - short identifiable code of a known error
  • message - exact encountered error/exception message
  • description - human-readable description of the error with additional context how to potentially resolve it

• _NETWORK_PARTIAL_TRACEROUTE_IPS - collect local network subnet IPs even when running inside docker network-namespaced (not using --network=host) container (#425)

• DOCKERFILE_PATH_WITHIN_VCTL key reports the path of a Dockerfile relative to the VCS' project root. (#426)

---

Commits since the previous tag: v0.4.12...v0.4.13

v0.4.12

Download binaries at https://crashoverride.com/downloads

---

Breaking Changes

• Removing attestation_key_backup provider. It was an experimental service which is discontinued in favor of other attestation providers. (#411)

Fixes

• conffile plugin was sending some empty keys vs skipping them during reporting. Now it has matching behavior to
  other plugins which ignores empty keys. (#412)
• AWS instance is determined from board_asset_tag file when present. This allows to report _AWS_INSTANCE_ID even
  when cloud metadata endpoint is not reachable. (#413)
• Reporting AWS Lambda functions ARN for non-us-east-1 regions. Previously global STS AWS endpoint was used
  which cannot fetch STS get-caller-identity for other AWS regions. (#414)

---

Commits since the previous tag: v0.4.11...v0.4.12

v0.4.11

Download binaries at https://crashoverride.com/downloads

---

Fixes

• docker run-time host metadata collection was failing for non-build commands such as docker push. (#399)
• procfs plugin was throwing an exception while parsing /proc/net/dev to populate _OP_IPV[4/6]_INTERFACES keys.
  (#399)
• _IMAGE_DIGEST is sent for docker push when buildx is not available. Normally chalk needs to validate type of the manifest in the registry (image or list) which is currently done via buildx imagetools. When buildx is missing and the operation was docker push the pushed image can only be image manifest as only buildx supports list manifests. (#401)
• _REPO_DIGESTS was reported even when image digest was not known during buildx-enabled docker builds. (#402)
• METADATA_ID and METADATA_HASH were incorrectly computed for all docker push operations. (#403)

---

Commits since the previous tag: v0.4.10...v0.4.11

v0.4.10

Download binaries at https://crashoverride.com/downloads

---

Fixes

• Fixing ENTRYPOINT wrapping for empty-like definitions (#396):

  • ENTRYPOINT
  • ENTRYPOINT []
  • ENTRYPOINT [""]
    Now chalk correctly parses and wraps as appropriate
    depending on the use of buildkit.

Other

• Increasing cloud metadata endpoint collection timeout from 500ms to 1sec as in some cases it takes longer than 500ms to get a response. (#388)
• Not showing exec report when chalk is running in interactive shell. (#390)
• Not showing any chalk exec logs when running in interactive shell. (#394)

---

Commits since the previous tag: v0.4.9...v0.4.10