fix: update golang container to remove CVE

[saturley-hall]

Overview:

Security scan of operator container resulted in detection of CVE-2025-4802. By bumping the base container to nvcr.io/nvidia/distroless/go:v3.1.12 the vulnerability is no longer detected by NSpect

Relates to OPS-1169

Summary by CodeRabbit

• Chores
  • Updated the operator’s container base image to a newer patch release to incorporate the latest security and maintenance updates.
  • No functional changes expected; existing behavior should remain unchanged.
  • Minor improvements to reliability and runtime environment consistency.
  • End users may see slightly smoother deployments with no action required.

[coderabbitai]

Walkthrough

Updated the Docker base image version in deploy/cloud/operator/Earthfile from distroless/go:v3.1.10 to distroless/go:v3.1.12; no other steps or logic changed.

Changes

Cohort / File(s)	Summary
Operator build config deploy/cloud/operator/Earthfile	Bump distroless/go base image from v3.1.10 to v3.1.12; all other stages unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• fix: switch operator and api store to use approved distroless containers #1570 — Also changes the operator Earthfile’s distroless/go base image, making it configurable and adjusting the default.
• fix: use non-dev golang image for operator #1993 — Updates the same Earthfile to switch between -dev and non-dev distroless/go tags for the operator image.

Poem

I nudge my image, hop by hop,
From .10 to .12—no belly flop.
Distroless dreams in a slimmer stew,
Carrots compiled, containers new.
Thump-thump CI, green lights true—
A tiny bump, and off I flew! 🥕🐇

Pre-merge checks

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description Check	⚠️ Warning	The PR description explains the CVE and the base-image bump to nvcr.io/nvidia/distroless/go:v3.1.12 and references OPS-1169, but it does not follow the repository template: it is missing the "Details" section that enumerates exact file/line changes and the "Where should the reviewer start?" section, and the "Related Issues" entry is not presented in the required action-keyword/issue-number format.	Please update the PR description to match the template by adding a "Details" section that lists the changed file(s) (e.g., deploy/cloud/operator/Earthfile) and the exact image version bump, a "Where should the reviewer start?" section pointing reviewers to the relevant file(s), and a "Related Issues" section using the repository's action keyword format (for example "Relates to OPS-1169" or "Closes #"). Also include brief verification notes (such as NSpect scan output or steps to reproduce the scan) so reviewers can confirm the CVE is resolved.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title "fix: update golang container to remove CVE" is concise, follows conventional-commit style, and accurately summarizes the primary change (bumping the operator base image to address a CVE), so a teammate scanning history will understand the main intent.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

Tip

👮 Agentic pre-merge checks are now available in preview!

Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.

• Built-in checks – Quickly apply ready-made checks to enforce title conventions, require pull request descriptions that follow templates, validate linked issues for compliance, and more.
• Custom agentic checks – Define your own rules using CodeRabbit’s advanced agentic capabilities to enforce organization-specific policies and workflows. For example, you can instruct CodeRabbit’s agent to verify that API documentation is updated whenever API schema files are modified in a PR. Note: Upto 5 custom checks are currently allowed during the preview period. Pricing for this feature will be announced in a few weeks.

Please see the documentation for more information.

Example:

reviews:
  pre_merge_checks:
    custom_checks:
      - name: "Undocumented Breaking Changes"
        mode: "warning"
        instructions: |
          Pass/fail criteria: All breaking changes to public APIs, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints must be documented in the "Breaking Change" section of the PR description and in CHANGELOG.md. Exclude purely internal or private changes (e.g., code not exported from package entry points or explicitly marked as internal).

Please share your feedback with us on this Discord post.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

deploy/cloud/operator/Earthfile (1)

39-49: Harden supply chain: pin by digest and ensure non-root ownership of the binary.

• Tags can drift; pin to an image digest for reproducible, tamper‑resistant builds.
• Set ownership at copy time; avoids root-owned artifacts when running as UID 65532.

Apply:

 docker:
     ARG DOCKER_SERVER=my-registry
     ARG IMAGE_TAG=latest
     ARG IMAGE_SUFFIX=dynamo-operator
-    FROM nvcr.io/nvidia/distroless/go:v3.1.12
+    # Pin to immutable digest to prevent tag drift
+    ARG GO_IMAGE="nvcr.io/nvidia/distroless/go@sha256:<REPLACE_WITH_DIGEST>"
+    FROM $GO_IMAGE
     WORKDIR /
-    COPY +build/manager .
+    COPY --chown=65532:65532 +build/manager /manager
     USER 65532:65532
-    CMD ["./manager"]
+    CMD ["/manager"]
     SAVE IMAGE --push $DOCKER_SERVER/$IMAGE_SUFFIX:$IMAGE_TAG

If you prefer to keep the tag in VCS, at least add a comment with the resolved digest and pin in CI/CD.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 002617a and a7e4c65.

📒 Files selected for processing (1)

• deploy/cloud/operator/Earthfile (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Build and Test - sglang
• GitHub Check: Build and Test - dynamo

🔇 Additional comments (1)

deploy/cloud/operator/Earthfile (1)

43-43: Approve — bump nvcr.io/nvidia/distroless/go to v3.1.12

rg output shows no remaining v3.1.10/11 references and the only occurrence is deploy/cloud/operator/Earthfile:43.