build: enable Go FIPS profile #53

Open
omercnet wants to merge 4 commits into main from verity-fips-base-image

@omercnet omercnet commented Jun 30, 2026

Contributor

Summary

  • switch the manual Docker build to Verity's pinned Go 1.26 FIPS builder
  • pin Go FIPS builds to GOFIPS140=v1.0.0 and enable GODEBUG=fips140=on for release/manual builds
  • expose GODEBUG=fips140=on and GOFIPS140=v1.0.0 in the runtime image and k8s deployment

Aligned with Verity FIPS hardening in verity-org/verity#541.

Validation

  • make build
  • docker build -t pgpeek:fips-test .
  • make test
  • go version -m ./pgpeek shows DefaultGODEBUG=fips140=on and GOFIPS140=v1.0.0-c2097c7c
  • docker image inspect pgpeek:fips-test shows GODEBUG=fips140=on and GOFIPS140=v1.0.0
  • kubectl kustomize k8s/ renders GODEBUG=fips140=on and GOFIPS140=v1.0.0
  • runtime smoke with disposable Postgres: /healthz returned 200 ok

Note: goreleaser is not installed in this local environment; config validation will run in CI via the existing pinned goreleaser action.
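The `go version -m` check from the validation list can be turned into a build gate. The following is an added example, not code from this pull request or the pgpeek project: it reads a binary's embedded build settings and fails unless `DefaultGODEBUG` enables `fips140` and `GOFIPS140` matches the pinned module version. The names `checkFIPS` and `fipscheck` are hypothetical, and accepting `fips140=only` alongside `fips140=on` is an assumption beyond what the description states.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strings"
)

// checkFIPS takes a binary's "build" settings and returns one message per deviation.
func checkFIPS(settings map[string]string, wantModule string) []string {
	var problems []string
	fipsOn := false
	// DefaultGODEBUG is a comma-separated list; fips140 may not be the only entry.
	for _, kv := range strings.Split(settings["DefaultGODEBUG"], ",") {
		if kv = strings.TrimSpace(kv); kv == "fips140=on" || kv == "fips140=only" {
			fipsOn = true
		}
	}
	if !fipsOn {
		problems = append(problems, "DefaultGODEBUG does not enable fips140")
	}
	// The recorded module version may carry a hash suffix, e.g. v1.0.0-c2097c7c.
	got := settings["GOFIPS140"]
	if got != wantModule && !strings.HasPrefix(got, wantModule+"-") {
		problems = append(problems, fmt.Sprintf("GOFIPS140=%q, want %s", got, wantModule))
	}
	return problems
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: fipscheck <binary> <module-version>")
		os.Exit(2)
	}
	info, err := buildinfo.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "read build info:", err)
		os.Exit(2)
	}
	settings := make(map[string]string)
	for _, s := range info.Settings {
		settings[s.Key] = s.Value
	}
	if problems := checkFIPS(settings, os.Args[2]); len(problems) > 0 {
		fmt.Fprintln(os.Stderr, "FAIL:", strings.Join(problems, "; "))
		os.Exit(1)
	}
}
```

Run as `fipscheck ./pgpeek v1.0.0` after `make build`; a non-zero exit means the binary was built without the expected FIPS settings.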


1 participant