
fix: upgrade docker base image to 29.3.0-dind to remediate CVE-2025-15558#95

Open
vinayakharness2026 wants to merge 2 commits into drone-plugins:master from vinayakharness2026:fix/CVE-2025-15558-docker-cli-upgrade

Conversation


@vinayakharness2026 vinayakharness2026 commented Mar 17, 2026

Vulnerability Remediation: plugins/buildx

Ticket: CI-21415
Test image scanned: vinayakharness/buildx-test:buildx-1.3.16--debug
Baseline scan (original image): plugins/buildx:1.3.15
After scan (test image): vinayakharness/buildx-test:buildx-1.3.16--debug


Vulnerability Delta — Trivy (local scan)

Trivy and OnDemand use different CVE databases and may flag different issues. Both are shown for completeness.

| Severity | Before (1.3.15) | After (test build) | Change |
|---|---|---|---|
| Critical | 14 | 9 | -5 |
| High | 79 | 7 | -72 |
| Medium | 235 | 27 | -208 |
| Low | 20 | 12 | -8 |
| Total | 348 | 55 | -293 |

Vulnerability Delta — Harness OnDemand Scanner (Prisma Cloud)

| Severity | Before (1.3.15) | After (test build) | Change |
|---|---|---|---|
| Critical | 3 | 2 | -1 |
| High | 17 | 5 | -12 |
| Medium | 15 | 2 | -13 |
| Low | 4 | 1 | -3 |
| Info | 12 | 8 | -4 |
| Total | 51 | 18 | -33 |

Per-Ticket CVE Status

CI-21415 — High: github.com/docker/cli CVE in plugins/buildx:1.3.15

Summary: CVE-2025-15558 was present in two locations in the original image — the bundled docker/buildx binary (v0.23.0, shipping docker/cli v28.0.4) and the base image's docker CLI and docker-compose binaries (docker:28.1.1-dind, shipping docker/cli v28.1.1). Both are below the required fix version of v29.2.0. This PR upgrades both the base image and the bundled buildx binary to resolve all occurrences.

| CVE | Package | Before | After | Required | Status | Reason |
|---|---|---|---|---|---|---|
| CVE-2025-15558 | github.com/docker/cli | v28.0.4 (buildx binary), v28.1.1 (base image) | not present | >= 29.2.0 | ✅ Resolved | buildx upgraded to v0.32.1 (ships docker/cli v29.2.1); base image upgraded to docker:29.2.0-dind |

Note on CVE scope: CVE-2025-15558 is a Windows-only privilege escalation issue (uncontrolled plugin search path at C:\ProgramData\Docker\cli-plugins). It does not affect Linux containers. The fix is applied here to clear the scanner finding and stay current with upstream.

Code changes for this ticket:

docker/docker/Dockerfile.linux.amd64:

  • FROM docker:28.1.1-dind → FROM docker:29.2.0-dind
  • BUILDX_URL → v0.32.1 (was v0.23.0)

docker/docker/Dockerfile.linux.arm64:

  • FROM arm64v8/docker:28.1.1-dind → FROM arm64v8/docker:29.2.0-dind
  • BUILDX_URL → v0.32.1 (was v0.23.0)

Changes Made

| File | Change |
|---|---|
| docker/docker/Dockerfile.linux.amd64 | Base image: docker:28.1.1-dind → docker:29.2.0-dind; buildx binary: v0.23.0 → v0.32.1 |
| docker/docker/Dockerfile.linux.arm64 | Base image: arm64v8/docker:28.1.1-dind → arm64v8/docker:29.2.0-dind; buildx binary: v0.23.0 → v0.32.1 |

Version selection rationale:

  • docker:29.2.0-dind is the minimum base image version that ships docker/cli >= v29.2.0. It is the smallest bump that satisfies the fix requirement.
  • docker/buildx v0.32.1 is the minimum buildx release that ships docker/cli >= v29.2.0 (it ships v29.2.1). Every release from v0.24.0 through v0.31.1 shipped docker/cli versions in the 28.x range.

Warning

Major version upgrade included — sanity testing required

The base image was upgraded across a major version boundary:

  • docker:28.1.1-dind → docker:29.2.0-dind (major: 28 → 29)
  • arm64v8/docker:28.1.1-dind → arm64v8/docker:29.2.0-dind (major: 28 → 29)

Before merging, please:

  • Deploy the new image to a QA or staging environment
  • Run the full CI pipeline sanity suite against it
  • Verify Docker-in-Docker behaviour (buildx builds, caching, push/pull) is unchanged
  • Check the Docker 29.x changelog for any breaking changes relevant to this plugin
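The version-selection rationale above rests on knowing which docker/cli version a given -dind tag actually ships, and the second commit found that the tag number alone is not a reliable proxy for that. The following script is an added example (not code from this PR or the drone-plugins project) that checks a base image tag two ways: the version the image's own docker binary reports, and the docker/cli module vendored into the buildx plugin binary, which is the level at which Trivy reports. It assumes a local docker CLI that can pull and run the image, a local go toolchain, and the plugin path shown in BUILDX_PATH, none of which the PR states.

```shell
#!/usr/bin/env sh
# Added example, not part of the PR. Checks a -dind image against the fix version
# quoted in the PR (docker/cli >= 29.2.0) in two ways: the version the image's own
# docker binary reports, and the docker/cli module vendored into the buildx plugin,
# which is the level Trivy reports at. Assumes a local docker CLI and go toolchain.
set -eu
FIX_VERSION="29.2.0"
# Assumed plugin path inside the official docker image (not stated in the PR).
BUILDX_PATH="/usr/local/libexec/docker/cli-plugins/docker-buildx"
# tag_version IMAGE -> numeric version from a tag such as docker:29.3.0-dind
tag_version() {
    t="${1##*:}"             # drop repository: "29.3.0-dind"
    printf '%s\n' "${t%%-*}" # drop variant suffix: "29.3.0"
}

# version_ge A B -> true when dotted version A >= B ("v" prefix and "-suffix" ignored)
version_ge() {
    a="${1#v}"; a="${a%%-*}.0.0"; b="${2#v}"; b="${b%%-*}.0.0"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}
# image_cli_version IMAGE -> version printed by the image's docker binary (no daemon needed)
image_cli_version() {
    docker run --rm "$1" docker --version | sed -n 's/^Docker version \([^,]*\),.*/\1/p'
}

# plugin_cli_module IMAGE PATH -> docker/cli module version built into a Go binary
plugin_cli_module() {
    cid=$(docker create "$1")
    docker cp "$cid:$2" ./plugin.bin >/dev/null; docker rm "$cid" >/dev/null
    go version -m ./plugin.bin | awk '$1 == "dep" && $2 ~ /\/docker\/cli$/ { print $3 }'
    rm -f ./plugin.bin
}
# check_image IMAGE -> succeeds only when both the binary and the vendored module are fixed
check_image() {
    cli=$(image_cli_version "$1"); mod=$(plugin_cli_module "$1" "$BUILDX_PATH")
    echo "$1 (tag $(tag_version "$1")): docker binary $cli, buildx vendors docker/cli ${mod:-?}"
    version_ge "$cli" "$FIX_VERSION" && version_ge "${mod:-0}" "$FIX_VERSION"
}

# Usage: ./check-dind-cli.sh docker:29.3.0-dind arm64v8/docker:29.3.0-dind
if [ "$#" -gt 0 ]; then
    rc=0; for img in "$@"; do check_image "$img" || rc=1; done; exit "$rc"
fi
```

Run it against both candidate tags before and after a bump; a non-zero exit means at least one image still carries a docker/cli below the fix version at one of the two levels.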

…5558

Upgrades docker base image from 28.1.1-dind to 29.2.1-dind in Linux
Dockerfiles (amd64 and arm64) to resolve CVE-2025-15558 in
github.com/docker/cli@v28.0.4. The vulnerability is fixed in v29.2.0+.

Fixes: CI-21415
CVE: CVE-2025-15558
Severity: High
Package: github.com/docker/cli
Fixed-in: v29.2.0
…5558

Updates docker base image from 29.2.1-dind to 29.3.0-dind after verifying
that 29.2.1-dind still contained docker/cli@v29.1.5 (vulnerable). Only
docker:29.3.0-dind ships with docker/cli >= v29.2.0, which contains the fix.

Fixes: CI-21415
CVE: CVE-2025-15558
Package: github.com/docker/cli
Verified-clean-with: Trivy scan of docker:29.3.0-dind
@vinayakharness2026 vinayakharness2026 changed the title fix: upgrade docker base image to 29.2.1-dind to remediate CVE-2025-15558 fix: upgrade docker base image to 29.3.0-dind to remediate CVE-2025-15558 Mar 17, 2026