fix: hack/api-docs/requirements.txt to reduce vulnerabilities (#3036)

The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-JINJA2-6150717
- https://snyk.io/vuln/SNYK-PYTHON-PYYAML-590151
- https://snyk.io/vuln/SNYK-PYTHON-TORNADO-5537286
- https://snyk.io/vuln/SNYK-PYTHON-TORNADO-5840803
- https://snyk.io/vuln/SNYK-PYTHON-TORNADO-6041512

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: snyk-bot <snyk-bot@snyk.io>

.github/dependabot.yml

@@ -10,3 +10,18 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+
+  - package-ecosystem: docker
+    directory: /e2e
+    schedule:
+      interval: weekly
+
+  - package-ecosystem: docker
+    directory: /hack/api-docs
+    schedule:
+      interval: weekly
+
+  - package-ecosystem: pip
+    directory: /hack/api-docs
+    schedule:
+      interval: weekly

Dockerfile.standalone

@@ -1,6 +1,6 @@
 # This version of Dockerfile is for building without external dependencies.
 # Build a multi-platform image e.g. `docker buildx build --push --platform linux/arm64,linux/amd64 --tag external-secrets:dev --file Dockerfile.standalone .`
-FROM golang:1.21.6-alpine AS builder
+FROM golang:1.21.6-alpine@sha256:fd78f2fb1e49bcf343079bbbb851c936a18fc694df993cbddaa24ace0cc724c5 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 ENV CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH}
@@ -12,7 +12,7 @@ COPY . /app/
 RUN go build -o external-secrets main.go
 
 
-FROM gcr.io/distroless/static AS app
+FROM gcr.io/distroless/static@sha256:9be3fcc6abeaf985b5ecce59451acbcbb15e7be39472320c538d0d55a0834edc AS app
 COPY --from=builder /app/external-secrets /bin/external-secrets
 
 # Run as UID for nobody

e2e/Dockerfile

@@ -1,5 +1,4 @@
-ARG GO_VERSION=1.21
+FROM golang:1.21.6-bookworm@sha256:04cf306d01a03309934b49ac4b9f487abb8a054b71141fa53df6df482ab7d7eb as builder
-FROM golang:$GO_VERSION-bookworm as builder
 
 ENV KUBECTL_VERSION="v1.28.3"
 ENV HELM_VERSION="v3.13.1"

hack/api-docs/requirements.txt

@@ -9,7 +9,7 @@ htmlmin==0.1.12
 idna==3.6
 importlib-metadata==7.0.1
 importlib-resources==6.1.1
-Jinja2==3.1.2
+Jinja2==3.1.3
 jsmin==3.0.1
 livereload==2.6.3
 Markdown==3.5.2
@@ -29,13 +29,13 @@ platformdirs==4.1.0
 Pygments==2.17.2
 pymdown-extensions==10.7
 python-dateutil==2.8.2
-PyYAML==5.3.1
+PyYAML==6.0.1
 pyyaml_env_tag==0.1
 regex==2023.12.25
 requests==2.31.0
 six==1.16.0
 termcolor==2.4.0
-tornado==6.1
+tornado==6.3.3
 urllib3==2.1.0
 verspec==0.1.0
 watchdog==3.0.0

tilt.debug.dockerfile

@@ -2,7 +2,7 @@ FROM golang:1.21.6@sha256:6fbd2d3398db924f8d708cf6e94bd3a436bb468195daa6a96e8050
 WORKDIR /
 COPY ./bin/external-secrets /external-secrets
 
-RUN go install github.com/go-delve/delve/cmd/dlv@latest
+RUN go install github.com/go-delve/delve/cmd/dlv@v1.22.0
 RUN chmod +x /go/bin/dlv
 RUN mv /go/bin/dlv /