Allow SHA-256 digests in container image references (#3352)

lpcox · web-flow · commit 6333a1c87103 · 2026-04-07T19:40:30.000-07:00
The `container` field regex rejects `@sha256:` digest-pinned image references, blocking immutable container image pinning for supply-chain security. ### Changes - **Regex pattern** (`validation_schema.go`): Append optional `(@sha256:[a-fA-F0-9]{64})?` group to `containerPattern` - **JSON schema** (`mcp-gateway-config.schema.json`): Mirror the same pattern update - **Tests**: Add valid cases (`image:tag@sha256:...`, `image@sha256:...`) and invalid cases (short digest, wrong algorithm) Now accepts: ``` ghcr.io/github/github-mcp-server:v0.32.0@sha256:2763823c67a0adca... ghcr.io/github/github-mcp-server@sha256:2763823c67a0adca... ``` No launcher changes needed — Docker already resolves the full `image:tag@sha256:...` reference passed through. > [!WARNING] > > <details> > <summary>Firewall rules blocked me from connecting to one or more addresses (expand for details)</summary> > > #### I tried to connect to the following addresses, but was blocked by firewall rules: > > - `example.com` > - Triggering command: `/tmp/go-build2438908248/b514/launcher.test /tmp/go-build2438908248/b514/launcher.test -test.testlogfile=/tmp/go-build2438908248/b514/testlog.txt -test.paniconexit0 -test.timeout=10m0s go_.�� @v1.1.3/internal-errorsas 64/src/debug/dwa-ifaceassert x_amd64/vet --gdwarf-5 nal/version -o x_amd64/vet -plu�� /sdk@v1.43.0/tra-errorsas /sdk@v1.43.0/tra-ifaceassert x_amd64/vet -plugin-opt=-pasdocker telabs/wazero/ininfo -plugin-opt=-pas-stringintconv x_amd64/vet` (dns block) > - `invalid-host-that-does-not-exist-12345.com` > - Triggering command: `/tmp/go-build2438908248/b496/config.test /tmp/go-build2438908248/b496/config.test -test.testlogfile=/tmp/go-build2438908248/b496/testlog.txt -test.paniconexit0 -test.timeout=10m0s /tmp/go-build2438908248/b393/vet.cfg g_.a --debug-prefix-map x_amd64/vet -I 0218966/b157/ -I x_amd64/vet` (dns block) > - `nonexistent.local` > - Triggering command: `/tmp/go-build2438908248/b514/launcher.test /tmp/go-build2438908248/b514/launcher.test -test.testlogfile=/tmp/go-build2438908248/b514/testlog.txt -test.paniconexit0 -test.timeout=10m0s go_.�� @v1.1.3/internal-errorsas 64/src/debug/dwa-ifaceassert x_amd64/vet --gdwarf-5 nal/version -o x_amd64/vet -plu�� /sdk@v1.43.0/tra-errorsas /sdk@v1.43.0/tra-ifaceassert x_amd64/vet -plugin-opt=-pasdocker telabs/wazero/ininfo -plugin-opt=-pas-stringintconv x_amd64/vet` (dns block) > - `slow.example.com` > - Triggering command: `/tmp/go-build2438908248/b514/launcher.test /tmp/go-build2438908248/b514/launcher.test -test.testlogfile=/tmp/go-build2438908248/b514/testlog.txt -test.paniconexit0 -test.timeout=10m0s go_.�� @v1.1.3/internal-errorsas 64/src/debug/dwa-ifaceassert x_amd64/vet --gdwarf-5 nal/version -o x_amd64/vet -plu�� /sdk@v1.43.0/tra-errorsas /sdk@v1.43.0/tra-ifaceassert x_amd64/vet -plugin-opt=-pasdocker telabs/wazero/ininfo -plugin-opt=-pas-stringintconv x_amd64/vet` (dns block) > - `this-host-does-not-exist-12345.com` > - Triggering command: `/tmp/go-build2438908248/b523/mcp.test /tmp/go-build2438908248/b523/mcp.test -test.testlogfile=/tmp/go-build2438908248/b523/testlog.txt -test.paniconexit0 -test.timeout=10m0s -p g_.a -trimpath x_amd64/vet -I ernal/proxy -I x_amd64/vet -uns�� .cfg /tmp/go-build1090218966/b063/vet-ifaceassert x_amd64/vet -D GOAMD64_v1 -o x_amd64/vet` (dns block) > > If you need me to access, download, or install something from one of these locations, you can either: > > - Configure [Actions setup steps](https://gh.io/copilot/actions-setup-steps) to set up my environment, which run before the firewall is enabled > - Add the appropriate URLs or hosts to the custom allowlist in this repository's [Copilot coding agent settings](https://github.com/github/gh-aw-mcpg/settings/copilot/coding_agent) (admins only) > > </details>
diff --git a/internal/config/schema/mcp-gateway-config.schema.json b/internal/config/schema/mcp-gateway-config.schema.json
@@ -74,9 +74,9 @@
         },
         "container": {
           "type": "string",
-          "description": "Container image for the MCP server (e.g., 'ghcr.io/example/mcp-server:latest'). This field is required for stdio servers per MCP Gateway Specification section 4.1.2.",
+          "description": "Container image for the MCP server (e.g., 'ghcr.io/example/mcp-server:latest' or 'ghcr.io/example/mcp-server@sha256:<digest>'). This field is required for stdio servers per MCP Gateway Specification section 4.1.2.",
           "minLength": 1,
-          "pattern": "^[a-zA-Z0-9][a-zA-Z0-9./_-]*(:([a-zA-Z0-9._-]+|latest))?$"
+          "pattern": "^[a-zA-Z0-9][a-zA-Z0-9./_-]*(:([a-zA-Z0-9._-]+|latest))?(@sha256:[a-fA-F0-9]{64})?$"
         },
         "entrypoint": {
           "type": "string",
diff --git a/internal/config/validation_schema.go b/internal/config/validation_schema.go
@@ -59,7 +59,7 @@ func isTransientHTTPError(statusCode int) bool {
 
 var (
 	// Compile regex patterns from schema for additional validation
-	containerPattern = regexp.MustCompile(`^[a-zA-Z0-9][a-zA-Z0-9./_-]*(:([a-zA-Z0-9._-]+|latest))?$`)
+	containerPattern = regexp.MustCompile(`^[a-zA-Z0-9][a-zA-Z0-9./_-]*(:([a-zA-Z0-9._-]+|latest))?(@sha256:[a-fA-F0-9]{64})?$`)
 	urlPattern       = regexp.MustCompile(`^https?://.+`)
 	mountPattern     = regexp.MustCompile(`^[^:]+:[^:]+:(ro|rw)$`)
 	domainVarPattern = regexp.MustCompile(`^\$\{[A-Z_][A-Z0-9_]*\}$`)
@@ -506,7 +506,7 @@ func validateStringPatterns(stdinCfg *StdinConfig) error {
 			if server.Container != "" && !containerPattern.MatchString(server.Container) {
 				return rules.InvalidPattern("container", server.Container,
 					fmt.Sprintf("%s.container", jsonPath),
-					"Use a valid container image format (e.g., 'ghcr.io/owner/image:tag' or 'owner/image:latest')")
+					"Use a valid container image format (e.g., 'ghcr.io/owner/image:tag', 'owner/image:latest', or 'ghcr.io/owner/image:tag@sha256:<digest>')")
 			}
 
 			// Validate mount patterns
diff --git a/internal/config/validation_schema_test.go b/internal/config/validation_schema_test.go
@@ -365,6 +365,30 @@ func TestValidateStringPatterns(t *testing.T) {
 			},
 			shouldErr: false,
 		},
+		{
+			name: "valid container pattern - tag with sha256 digest",
+			config: &StdinConfig{
+				MCPServers: map[string]*StdinServerConfig{
+					"test": {
+						Type:      "stdio",
+						Container: "ghcr.io/owner/image:v1.2.3@sha256:2763823c67a0adca3fce6e3bdfee41a674e3bf22f0e6b2eee94ed3a72ebcd519",
+					},
+				},
+			},
+			shouldErr: false,
+		},
+		{
+			name: "valid container pattern - sha256 digest only",
+			config: &StdinConfig{
+				MCPServers: map[string]*StdinServerConfig{
+					"test": {
+						Type:      "stdio",
+						Container: "ghcr.io/owner/image@sha256:2763823c67a0adca3fce6e3bdfee41a674e3bf22f0e6b2eee94ed3a72ebcd519",
+					},
+				},
+			},
+			shouldErr: false,
+		},
 		{
 			name: "invalid container pattern - starts with special char",
 			config: &StdinConfig{
diff --git a/internal/config/validation_string_patterns_test.go b/internal/config/validation_string_patterns_test.go
@@ -64,6 +64,19 @@ func TestValidateStringPatternsComprehensive(t *testing.T) {
 				serverType:  "",
 				shouldError: false,
 			},
+			// Valid container patterns with SHA-256 digest
+			{
+				name:        "valid container with tag and sha256 digest",
+				container:   "ghcr.io/github/github-mcp-server:v0.32.0@sha256:2763823c67a0adca3fce6e3bdfee41a674e3bf22f0e6b2eee94ed3a72ebcd519",
+				serverType:  "stdio",
+				shouldError: false,
+			},
+			{
+				name:        "valid container with sha256 digest only",
+				container:   "ghcr.io/github/github-mcp-server@sha256:2763823c67a0adca3fce6e3bdfee41a674e3bf22f0e6b2eee94ed3a72ebcd519",
+				serverType:  "stdio",
+				shouldError: false,
+			},
 			// Invalid container patterns
 			{
 				name:        "invalid container starts with special char",
@@ -86,6 +99,20 @@ func TestValidateStringPatternsComprehensive(t *testing.T) {
 				shouldError: true,
 				errorField:  "container",
 			},
+			{
+				name:        "invalid container sha256 digest too short",
+				container:   "ghcr.io/github/github-mcp-server@sha256:short",
+				serverType:  "stdio",
+				shouldError: true,
+				errorField:  "container",
+			},
+			{
+				name:        "invalid container wrong digest algorithm",
+				container:   "ghcr.io/github/github-mcp-server@md5:2763823c67a0adca3fce6e3bdfee41a674e3bf22f0e6b2eee94ed3a72ebcd519",
+				serverType:  "stdio",
+				shouldError: true,
+				errorField:  "container",
+			},
 			{
 				name:        "invalid container empty string accepted (empty is valid)",
 				container:   "",
