Dockerfile: Bun installed via unverified curl | bash while Node base images are SHA256-pinned

[fede-kamel]

Summary

Dockerfile:47 fetches and executes the Bun installer from https://bun.sh/install with no version pin, checksum, or signature verification:

```dockerfile
if curl --retry 5 --retry-all-errors --retry-delay 2 -fsSL https://bun.sh/install | bash; then
```

This is inconsistent with how every other base image in the same Dockerfile is handled. Lines 15–16 pin both Node images to SHA256 digests:

```dockerfile
ARG OPENCLAW_NODE_BOOKWORM_IMAGE="node:24-bookworm@sha256:3a09aa6354..."
ARG OPENCLAW_NODE_BOOKWORM_SLIM_IMAGE="node:24-bookworm-slim@sha256:e8e2e91b..."
```

Impact

If bun.sh or its CDN is compromised (DNS hijack, CDN takeover, or domain compromise), every Docker image build silently installs and executes attacker-controlled code as root inside the build container. Any CI/CD pipeline rebuilding this image becomes a supply chain vector — the malicious binary ends up in the final runtime image shipped to users.

The retry loop (attempts 1–5) makes this worse: a partial compromise that returns a malicious script on retry 2 would still succeed.

Correct version

.github/actions/setup-node-env/action.yml:50 pins Bun to 1.3.9 via oven-sh/setup-bun@v2.2.0. The Dockerfile should use the same version.

Fix

Replace the curl | bash block with a multi-stage COPY from the official Bun image, keeping the version in sync with CI:

```dockerfile
ARG BUN_VERSION=1.3.9

... other stages ...

FROM ${OPENCLAW_NODE_BOOKWORM_IMAGE} AS build
ARG BUN_VERSION
COPY --from=oven/bun:${BUN_VERSION} /usr/local/bin/bun /usr/local/bin/bun
```

Remove the existing RUN set -eux; for attempt in ... block and the ENV PATH="/root/.bun/bin:${PATH}" line (no longer needed since /usr/local/bin is already on PATH).

For full parity with the Node image pinning strategy, the oven/bun image should also be pinned to a SHA256 digest and updated via Dependabot alongside the Node digests.

Affected file

• Dockerfile:43–55

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open. Current main still executes the Bun installer from bun.sh during the root Docker build while the same Dockerfile digest-pins Node base images, and #74359 is an open implementation candidate with closing syntax for this issue.

Reproducibility: yes. Static inspection of current main is enough: Dockerfile:47 still pipes https://bun.sh/install to bash, while Dockerfile:15-16 digest-pin the Node base images.

Next step
No separate repair lane should be queued because #74359 is already the open implementation candidate and the remaining choice is security-sensitive maintainer review.

Security
Needs attention: Current main still has a Docker build supply-chain exposure from executing an unverified remote Bun installer script.

Review details

Best possible solution:

Use a maintainer-approved pinned or verified Bun source in the root Dockerfile, update the Docker docs and update policy at the same time, and keep Docker/CI Bun version anchors aligned.

Do we have a high-confidence way to reproduce the issue?

Yes. Static inspection of current main is enough: Dockerfile:47 still pipes https://bun.sh/install to bash, while Dockerfile:15-16 digest-pin the Node base images.

Is this the best way to solve the issue?

Unclear on the exact source policy, but the requested direction is the narrow maintainable fix. #74359 or an equivalent maintainer-approved change should be reviewed before closing this issue.

Security concerns:

• [high] Unverified Bun installer executes during Docker build — Dockerfile:47
  The root Dockerfile fetches https://bun.sh/install and pipes it to bash in the build stage, so a compromised upstream script or delivery path could execute code in the build container and affect the produced image.
  Confidence: 0.97
• [medium] Docker docs repeat curl-pipe Bun installer guidance — docs/install/docker.md:352
  The public faster-rebuild example teaches the same unverified installer pattern, so users could copy the supply-chain risk even after the root Dockerfile is fixed.
  Confidence: 0.9

What I checked:

• Current Dockerfile still executes remote installer: Dockerfile:47 still runs curl --retry 5 --retry-all-errors --retry-delay 2 -fsSL https://bun.sh/install | bash, followed by /root/.bun/bin PATH setup at line 55. (Dockerfile:47, 76861364197f)
• Node base images are digest-pinned: The same root Dockerfile pins node:24-bookworm and node:24-bookworm-slim to SHA256 digests and documents the reproducible-build policy. (Dockerfile:15, 76861364197f)
• CI has a Bun version anchor: The shared setup action uses oven-sh/setup-bun@v2.2.0 with bun-version: "1.3.13", so any Docker fix should align with the current CI Bun version rather than the older version named in the original issue body. (.github/actions/setup-node-env/action.yml:48, 76861364197f)
• Docker docs repeat the unsafe copyable pattern: The public Docker faster-rebuild example still shows RUN curl -fsSL https://bun.sh/install | bash and the /root/.bun/bin PATH line. Public docs: docs/install/docker.md. (docs/install/docker.md:352, 76861364197f)
• Digest coverage does not check later installer stages: src/docker-image-digests.test.ts validates selected Dockerfiles' first FROM reference and Dependabot Docker config, but it does not catch a later build-stage remote installer. (src/docker-image-digests.test.ts:75, 76861364197f)
• Dependabot only tracks Docker image references it can see: The root Docker ecosystem entry is enabled weekly, but the current Bun install path is a remote script rather than a Docker image reference that can be pinned and refreshed there. (.github/dependabot.yml:117, 76861364197f)

Likely related people:

• steipete: Current-main blame in this checkout attributes the relevant Dockerfile, Docker docs, setup action, Dependabot Docker entry, and digest test snapshots to Peter Steinberger; prior ClawSweeper context also links steipete to recent Docker hardening work. (role: recent Dockerfile and Docker docs maintainer; confidence: high; commits: 2baa07f62be3, 8055e74485e2, 5759b93dda5d; files: Dockerfile, docs/install/docker.md, .github/actions/setup-node-env/action.yml)
• loukotal: Related PR context identifies fix: install Bun in Dockerfile #284 as the merged change that added Bun installation to the Dockerfile so Docker builds could run Bun-backed build scripts. (role: introduced Bun installer behavior; confidence: high; commits: c16510c6ea46; files: Dockerfile)
• coygeek: Related PR context identifies fix(docker): pin base images to SHA256 digests #7734 as the merged Docker SHA256 base-image pinning and Dependabot Docker update work that makes the current Bun installer inconsistency visible. (role: base-image digest pinning contributor; confidence: medium; commits: 352bb378007d; files: Dockerfile, .github/dependabot.yml, src/docker-image-digests.test.ts)

Remaining risk / open question:

• Maintainers still need to choose the approved Bun source and update policy, including whether oven/bun should be digest-pinned and refreshed by Dependabot.
• A Dockerfile-only fix would leave unsafe copyable guidance behind unless docs/install/docker.md is updated too.
• The fix should preserve the current multi-stage Docker build behavior and validate the root Docker smoke path.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 76861364197f.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Keep open. Current main still has the reported Docker supply-chain gap, and PR #74359 is already an open, unmerged implementation candidate with closing syntax for this issue, so the issue should remain open for maintainer security review rather than being closed or routed to a separate repair lane.

Required change / next step:

No separate ClawSweeper repair lane should be queued because PR #74359 is already an open implementation candidate for this issue, and the remaining decision is security-sensitive maintainer review of the exact Bun source, digest, and update policy.

Review details

Best possible solution:

Adopt a maintainer-approved Docker Bun install path that avoids executing an unverified remote installer, pins or verifies the Bun source, updates the Docker docs and any update policy in the same change, and validates the root Dockerfile smoke path before merge.

What I checked:

• Current Dockerfile still executes remote Bun installer: At current main, the build stage still retries curl --retry 5 --retry-all-errors --retry-delay 2 -fsSL https://bun.sh/install | bash, then prepends /root/.bun/bin to PATH. (Dockerfile:47, 8cf724a381a3)
• Node base images are digest pinned in the same Dockerfile: The same root Dockerfile pins node:24-bookworm and node:24-bookworm-slim to SHA256 digests and documents that base images are pinned for reproducible builds. (Dockerfile:15, 8cf724a381a3)
• CI pins Bun version separately: The shared setup action uses oven-sh/setup-bun@v2.2.0 with bun-version: "1.3.9", so the repository already has a fixed CI Bun version to align with. (.github/actions/setup-node-env/action.yml:48, 8cf724a381a3)
• Docker docs repeat the installer pattern: The Docker install docs' faster-rebuild example still shows RUN curl -fsSL https://bun.sh/install | bash plus /root/.bun/bin PATH guidance. Public docs: docs/install/docker.md. (docs/install/docker.md:364, 8cf724a381a3)
• Linked implementation PR is still the active path: Provided GitHub context shows PR fix(docker): replace curl|bash Bun install with pinned multi-stage COPY #74359 is open, unmerged, and uses closing syntax for this issue while replacing the Bun installer block with an oven/bun:1.3.9 multi-stage copy. (a19455297994)
• Related reports do not supersede this issue: Provided related context shows Security scan findings: remote script execution and credential-pattern hits #66684 is a broader static scan and Dockerfile: simplify multi-stage build #47660 is a Dockerfile simplification PR that removes SHA256 pinning, so neither is a better canonical replacement for this narrower Bun installer hardening request.

Likely related people:

• steipete: Current-main blame in this checkout attributes the relevant Dockerfile snapshot to Peter Steinberger, and the provided ClawSweeper context links steipete to recent Dockerfile digest-pinning and Docker hardening work. (role: recent Dockerfile maintainer and digest-pinning owner; confidence: high; commits: 8055e74485e2, 81551ac24b69, 5759b93dda5d; files: Dockerfile, docs/install/docker.md, .github/actions/setup-node-env/action.yml)
• loukotal: Provided prior ClawSweeper history context reports that commit c16510c added the Dockerfile Bun installer so Docker builds could run Bun-backed build scripts. (role: introduced Bun installer behavior; confidence: high; commits: c16510c6ea46; files: Dockerfile)
• vincentkoc: Provided prior ClawSweeper history context links vincentkoc to repeated Dockerfile and Docker documentation work, including runtime metadata, health probes, smoke optimization, and Docker docs updates. (role: adjacent Docker and Docker docs maintainer; confidence: medium; commits: 727927aae083, 66beff726ba9, 030565b18c44; files: Dockerfile, docs/install/docker.md)

Remaining risk / open question:

• The preferred Bun source and verification policy is still a maintainer security decision: digest-pinned oven/bun, verified binary download, or another approved source.
• A fix needs to preserve the current multi-arch Docker build behavior and Node-based runtime image while keeping Docker and CI Bun versions aligned.
• The public Docker docs currently repeat the installer pattern, so a Dockerfile-only fix could leave unsafe rebuild guidance behind.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 8cf724a381a3.