Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Is there a secure ssh step for bitbucket pipelines

Stephan Eicher
Stephan Eicher
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
October 6, 2023

I saw that the `ssh-run` bitbucket pipeline still relies on `alpine:3.9` container image.

https://bitbucket.org/atlassian/ssh-run/src/798568418ced843e20e6465092a74b1a04a8dd66/Dockerfile#lines-1

As far as i could find the security updates for that release were stopped on 01 Jan 2021

I suspect that this old release includes many security issues which were fixed in newer versions of alpine linux.

This should definitely be fixed as this container has access to private keys used to deploy software to production systems.

Answer
Watch
Like Be the first to like this
577 views

2 answers

1 accepted

0 votes
Answer accepted
Igor Stoyanov
Igor Stoyanov
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 26, 2023

@Stephan Eicher hi. The alpine image updated in following pipes:

 

Regards, Igor

Reply
0 votes
Igor Stoyanov
Igor Stoyanov
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 6, 2023

@Stephan Eicher hi. Thanks for your investigation.
We will update the ssh-run pipe docker image  and notify you.

 

Regards, Igor

View More Comments
Like
Igor Stoyanov
Igor Stoyanov
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 18, 2023

@Stephan Eicher hi. According to this page:

python 3.10 EOL will be 2026-10, so no changes needed.

But we will update alpine image in your listed in the comments pipes.

We have more than 50 pipes to maintain, so, unfortunately, our strategy usually when no new features to be implemented is to wait for users feature request.
You could always ask us in the community to bump a pipe version or even create a pull-request by yourself since it is open-sourced.

Also keep in mind that pipes are not the same as pipelines.

Pipes provide a simple way to configure a pipeline. They are especially powerful when you want to work with third-party tools. More details here.

 

Regards, Igor

Like
Reply

Suggest an answer

Log in or Sign up to answer
Bitbucket
Bitbucket
DEPLOYMENT TYPE
CLOUD
TAGS
AUG Leaders

Atlassian Community Events

    See all events