From b30bf18535dbb93487f2c1f2c7642b8cf61560d1 Mon Sep 17 00:00:00 2001
From: Nicolas Rey
Date: Thu, 3 Oct 2024 16:46:35 -0300
Subject: [PATCH 01/13] 2ms: no dangling files
---
 Dockerfile | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 2af19b5..1c909ee 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -157,11 +157,9 @@ RUN wget -qO - https://github.com/trufflesecurity/trufflehog/releases/download/v
 # Install 2ms
-RUN mkdir 2ms \
- && cd 2ms \
- && wget https://github.com/checkmarx/2ms/releases/latest/download/linux-amd64.zip \
- && unzip linux-amd64.zip \
- && sudo ln -s /src/2ms/2ms /usr/local/bin/2ms
+RUN wget -qO - https://github.com/checkmarx/2ms/releases/latest/download/linux-amd64.zip | \
+ funzip - > /usr/local/bin/2ms \
+ && chmod +x /usr/local/bin/2ms
 # Clean up
 RUN sudo apt-get clean && sudo rm -rf /var/lib/apt/lists/*
From 5a3ac491dfbc9ba808a8da10ff6f6115c5383ffb Mon Sep 17 00:00:00 2001
From: Nicolas Rey
Date: Thu, 3 Oct 2024 16:49:32 -0300
Subject: [PATCH 02/13] tools: install Clair
---
 Dockerfile | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index 1c909ee..d606d1b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -161,6 +161,10 @@ RUN wget -qO - https://github.com/checkmarx/2ms/releases/latest/download/linux-a
 funzip - > /usr/local/bin/2ms \
 && chmod +x /usr/local/bin/2ms
+# Install clair
+RUN wget -qO /usr/local/bin/clair https://github.com/quay/clair/releases/download/v4.7.4/clairctl-linux-$(dpkg --print-architecture) \
+ && chmod +x /usr/local/bin/clair
+
 # Clean up
 RUN sudo apt-get clean && sudo rm -rf /var/lib/apt/lists/*
From b79c62613d825fea75ead2364db644a6debf34c5 Mon Sep 17 00:00:00 2001
From: Nicolas Rey
Date: Thu, 3 Oct 2024 16:51:41 -0300
Subject: [PATCH 03/13] tools: install Snyk
---
 Dockerfile | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index d606d1b..096b5cc 100644
--- a/Dockerfile
+++ b/Dockerfile
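Review bot: The new 2ms `RUN` (PATCH 01/13) streams whatever `releases/latest` currently serves straight into `/usr/local/bin/2ms` with no version pin and no digest check, so two builds of the same Dockerfile can ship different, unverified binaries; the clair, snyk and grype downloads added in PATCH 02/13–04/13 also skip the digest check. I would pin a release tag in the URL and verify the file before it is used, e.g. `echo "<EXPECTED_SHA256>  /usr/local/bin/2ms" | sha256sum -c -`. Because the step runs under the default `/bin/sh` without `pipefail`, its result is only funzip's exit status, and funzip extracts just the first archive member, so the step also depends on the binary being the first entry in the zip. The asset name is hard-coded to `linux-amd64`, while the clair install added next selects its asset with `$(dpkg --print-architecture)`.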
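Review bot: In the clair `RUN` (PATCH 02/13), the downloaded asset is `clairctl-linux-<arch>` but it is installed as `/usr/local/bin/clair` under the comment `# Install clair`, which reads as if the Clair service itself were being installed. I would make the comment say what is shipped, e.g. `# Install clairctl (Clair's CLI client); exposed on PATH as "clair"`. The output of `$(dpkg --print-architecture)` is interpolated into the asset name unchecked, so it should be confirmed that a matching release asset exists for every architecture this image is built for.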
@@ -165,6 +165,16 @@ RUN wget -qO - https://github.com/checkmarx/2ms/releases/latest/download/linux-a
 RUN wget -qO /usr/local/bin/clair https://github.com/quay/clair/releases/download/v4.7.4/clairctl-linux-$(dpkg --print-architecture) \
 && chmod +x /usr/local/bin/clair
+# Install snyk
+RUN ARCH=$(dpkg --print-architecture) \
+ && if [ "$ARCH" = "amd64" ]; then \
+ wget -qO /usr/local/bin/snyk https://github.com/snyk/cli/releases/download/v1.1293.1/snyk-linux; \
+ elif [ "$ARCH" = "arm64" ]; then \
+ wget -qO /usr/local/bin/snyk https://github.com/snyk/cli/releases/download/v1.1293.1/snyk-linux-arm64; \
+ fi \
+ && chmod +x /usr/local/bin/snyk
+
+
 # Clean up
 RUN sudo apt-get clean && sudo rm -rf /var/lib/apt/lists/*
From a16e1707b8f96bd0ae8f2229262d6f3a482f9269 Mon Sep 17 00:00:00 2001
From: Nicolas Rey
Date: Thu, 3 Oct 2024 17:00:19 -0300
Subject: [PATCH 04/13] tools: install Grype
---
 Dockerfile | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index 096b5cc..88b0be8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -174,6 +174,12 @@ RUN ARCH=$(dpkg --print-architecture) \
 fi \
 && chmod +x /usr/local/bin/snyk
+# Install Grype
+RUN ARCH=$(dpkg --print-architecture) \
+ && wget -q https://github.com/anchore/grype/releases/download/v0.81.0/grype_0.81.0_linux_$ARCH.deb \
+ && dpkg -i grype_0.81.0_linux_$ARCH.deb \
+ && rm grype_0.81.0_linux_$ARCH.deb
+
 # Clean up
 RUN sudo apt-get clean && sudo rm -rf /var/lib/apt/lists/*
From 1c69047298f54164c293fb68c5e9a656c506d566 Mon Sep 17 00:00:00 2001
From: Nicolas Rey
Date: Thu, 3 Oct 2024 17:02:30 -0300
Subject: [PATCH 05/13] nit: format
---
 Dockerfile | 2 --
 1 file changed, 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 88b0be8..218c221 100644
--- a/Dockerfile
+++ b/Dockerfile
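Review bot: In the snyk `RUN` (PATCH 03/13), the `if`/`elif` has no `else`, so on any architecture other than amd64 or arm64 nothing is downloaded and the step only fails afterwards at `chmod +x /usr/local/bin/snyk` with a missing-file error that hides the real cause. I would add an explicit branch before `fi`: `else echo "unsupported architecture: $ARCH" >&2; exit 1; \`.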
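Review bot: In the Grype `RUN` (PATCH 04/13), the version `0.81.0` is spelled out four times (in the release tag and in each of the three file names), so a bump that misses one of them breaks the step or leaves the wrong file behind. I would hold it in one place, e.g. `ARG GRYPE_VERSION=0.81.0` above the `RUN`, and use `grype_${GRYPE_VERSION}_linux_${ARCH}.deb` in the three commands.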
@@ -155,7 +155,6 @@ RUN wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --
 RUN wget -qO - https://github.com/trufflesecurity/trufflehog/releases/download/v3.82.6/trufflehog_3.82.6_linux_$(dpkg --print-architecture).tar.gz | \
 sudo tar -xzf - trufflehog -C /usr/local/bin
-
 # Install 2ms
 RUN wget -qO - https://github.com/checkmarx/2ms/releases/latest/download/linux-amd64.zip | \
 funzip - > /usr/local/bin/2ms \
@@ -180,7 +179,6 @@ RUN ARCH=$(dpkg --print-architecture) \
 && dpkg -i grype_0.81.0_linux_$ARCH.deb \
 && rm grype_0.81.0_linux_$ARCH.deb
-
 # Clean up
 RUN sudo apt-get clean && sudo rm -rf /var/lib/apt/lists/*
From 82fd2108e7744cf0f95cd15aeb14f5165209b8f4 Mon Sep 17 00:00:00 2001
From: Nicolas Rey
Date: Thu, 3 Oct 2024 17:07:05 -0300
Subject: [PATCH 06/13] multi: sudo all over the place
---
 Dockerfile | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 218c221..6bf717c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -157,26 +157,26 @@ RUN wget -qO - https://github.com/trufflesecurity/trufflehog/releases/download/v
 # Install 2ms
 RUN wget -qO - https://github.com/checkmarx/2ms/releases/latest/download/linux-amd64.zip | \
- funzip - > /usr/local/bin/2ms \
- && chmod +x /usr/local/bin/2ms
+ funzip - | sudo tee /usr/local/bin/2ms > /dev/null \
+ && sudo chmod +x /usr/local/bin/2ms
 # Install clair
-RUN wget -qO /usr/local/bin/clair https://github.com/quay/clair/releases/download/v4.7.4/clairctl-linux-$(dpkg --print-architecture) \
- && chmod +x /usr/local/bin/clair
+RUN sudo wget -qO /usr/local/bin/clair https://github.com/quay/clair/releases/download/v4.7.4/clairctl-linux-$(dpkg --print-architecture) \
+ && sudo chmod +x /usr/local/bin/clair
 # Install snyk
 RUN ARCH=$(dpkg --print-architecture) \
 && if [ "$ARCH" = "amd64" ]; then \
- wget -qO /usr/local/bin/snyk https://github.com/snyk/cli/releases/download/v1.1293.1/snyk-linux; \
+ sudo wget -qO /usr/local/bin/snyk https://github.com/snyk/cli/releases/download/v1.1293.1/snyk-linux; \
 elif [ "$ARCH" = "arm64" ]; then \
- wget -qO /usr/local/bin/snyk https://github.com/snyk/cli/releases/download/v1.1293.1/snyk-linux-arm64; \
+ sudo wget -qO /usr/local/bin/snyk https://github.com/snyk/cli/releases/download/v1.1293.1/snyk-linux-arm64; \
 fi \
- && chmod +x /usr/local/bin/snyk
+ && sudo chmod +x /usr/local/bin/snyk
 # Install Grype
 RUN ARCH=$(dpkg --print-architecture) \
 && wget -q https://github.com/anchore/grype/releases/download/v0.81.0/grype_0.81.0_linux_$ARCH.deb \
- && dpkg -i grype_0.81.0_linux_$ARCH.deb \
+ && sudo dpkg -i grype_0.81.0_linux_$ARCH.deb \
 && rm grype_0.81.0_linux_$ARCH.deb
 # Clean up
From a5900c0288d767749d8fcaafb7e6172683b19ca7 Mon Sep 17 00:00:00 2001
From: Nicolas Rey
Date: Thu, 3 Oct 2024 17:09:22 -0300
Subject: [PATCH 07/13] ci: let's test on develop as well
---
 .github/workflows/test-tools.yml | 2 ++
 1 file changed, 2 insertions(+)
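Review bot: The clair and snyk lines (PATCH 06/13) now run `sudo wget -qO /usr/local/bin/…`, which puts the whole network client under root only to gain write access to the destination directory. I would keep the download unprivileged and elevate just the install step, e.g. `wget -qO /tmp/clair <url> && sudo install -m 0755 /tmp/clair /usr/local/bin/clair && rm /tmp/clair`, or group these installs under `USER root` and switch back afterwards, which also removes the need for sudo inside `RUN` (hadolint DL3004). The hunk starts and ends in the middle of the tool-install section, so the active `USER` is not visible here.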
diff --git a/.github/workflows/test-tools.yml b/.github/workflows/test-tools.yml
index 604d03d..de24713 100644
--- a/.github/workflows/test-tools.yml
+++ b/.github/workflows/test-tools.yml
@@ -4,11 +4,13 @@ on:
 push:
 branches:
 - main
+ - develop
 paths:
 - Dockerfile
 pull_request:
 branches:
 - main
+ - develop
 paths:
 - Dockerfile
From 8b472363705b18a02abc0ba714ba9f8d1d71d5cb Mon Sep 17 00:00:00 2001
From: Nico
Date: Thu, 3 Oct 2024 20:51:11 -0300
Subject: [PATCH 08/13] Update Dockerfile
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Matías Aereal Aeón <388605+mattaereal@users.noreply.github.com>
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 6bf717c..b8353f3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -174,7 +174,7 @@ RUN ARCH=$(dpkg --print-architecture) \
 && sudo chmod +x /usr/local/bin/snyk
 # Install Grype
-RUN ARCH=$(dpkg --print-architecture) \
+RUN curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b /usr/local/bin
 && wget -q https://github.com/anchore/grype/releases/download/v0.81.0/grype_0.81.0_linux_$ARCH.deb \
 && sudo dpkg -i grype_0.81.0_linux_$ARCH.deb \
 && rm grype_0.81.0_linux_$ARCH.deb
From f4f966c742e42fd9f2a1e4e2d973e389ecc8f985 Mon Sep 17 00:00:00 2001
From: Nico
Date: Thu, 3 Oct 2024 20:51:16 -0300
Subject: [PATCH 09/13] Update Dockerfile
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Matías Aereal Aeón <388605+mattaereal@users.noreply.github.com>
---
 Dockerfile | 1 -
 1 file changed, 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index b8353f3..acb67c2 100644
--- a/Dockerfile
+++ b/Dockerfile
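Review bot: The new Grype line (PATCH 08/13) pipes `install.sh` from the mutable `main` branch into `sudo sh`, so whatever that branch holds at build time runs as root, and the v0.81.0 pin of the `.deb` install it replaces is lost because no version argument is passed. I would pass the release explicitly, `… | sudo sh -s -- -b /usr/local/bin v0.81.0`, and fetch the script from a tagged ref or a reviewed local copy rather than from `main`. Under the default `/bin/sh` there is no `pipefail`, so if curl fails `sh` reads an empty script and exits 0, and the image is built without grype; a `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before this step would surface that, assuming bash is present in the base image. The context lines that follow still begin with `&&` and reference `$ARCH`, which this commit no longer sets, so the Dockerfile at this commit probably does not build until the later patches remove them.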
@@ -175,7 +175,6 @@ RUN ARCH=$(dpkg --print-architecture) \
 # Install Grype
 RUN curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b /usr/local/bin
- && wget -q https://github.com/anchore/grype/releases/download/v0.81.0/grype_0.81.0_linux_$ARCH.deb \
 && sudo dpkg -i grype_0.81.0_linux_$ARCH.deb \
 && rm grype_0.81.0_linux_$ARCH.deb
From 5386d11387ceed05a8932482d352adaf08f41a86 Mon Sep 17 00:00:00 2001
From: Nico
Date: Thu, 3 Oct 2024 20:51:22 -0300
Subject: [PATCH 10/13] Update Dockerfile
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Matías Aereal Aeón <388605+mattaereal@users.noreply.github.com>
---
 Dockerfile | 1 -
 1 file changed, 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index acb67c2..64c3f39 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -175,7 +175,6 @@ RUN ARCH=$(dpkg --print-architecture) \
 # Install Grype
 RUN curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b /usr/local/bin
- && sudo dpkg -i grype_0.81.0_linux_$ARCH.deb \
 && rm grype_0.81.0_linux_$ARCH.deb
 # Clean up
From 0e693c93add625ab16d6a328037405e1133120b7 Mon Sep 17 00:00:00 2001
From: Nico
Date: Thu, 3 Oct 2024 20:51:40 -0300
Subject: [PATCH 11/13] Update Dockerfile
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Matías Aereal Aeón <388605+mattaereal@users.noreply.github.com>
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 64c3f39..52d8096 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -165,7 +165,7 @@ RUN sudo wget -qO /usr/local/bin/clair https://github.com/quay/clair/releases/do
 && sudo chmod +x /usr/local/bin/clair
 # Install snyk
-RUN ARCH=$(dpkg --print-architecture) \
+RUN pnpm install -g snyk
 && if [ "$ARCH" = "amd64" ]; then \
 sudo wget -qO /usr/local/bin/snyk https://github.com/snyk/cli/releases/download/v1.1293.1/snyk-linux; \
 elif [ "$ARCH" = "arm64" ]; then \
From b44bde6542e328314725bd15737ca36fd7859d11 Mon Sep 17 00:00:00 2001
From: Nico
Date: Thu, 3 Oct 2024 20:52:15 -0300
Subject: [PATCH 12/13] Update Dockerfile
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Matías Aereal Aeón <388605+mattaereal@users.noreply.github.com>
---
 Dockerfile | 1 -
 1 file changed, 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 52d8096..bb10697 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -175,7 +175,6 @@ RUN pnpm install -g snyk
 # Install Grype
 RUN curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b /usr/local/bin
- && rm grype_0.81.0_linux_$ARCH.deb
 # Clean up
 RUN sudo apt-get clean && sudo rm -rf /var/lib/apt/lists/*
From 32f6ac8e4b613c6f49c541601a424b7e16b0dd90 Mon Sep 17 00:00:00 2001
From: Nicolas Rey
Date: Thu, 3 Oct 2024 20:54:49 -0300
Subject: [PATCH 13/13] dockerfile: remove unneeded script lines
---
 Dockerfile | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index bb10697..5d4fdee 100644
--- a/Dockerfile
+++ b/Dockerfile
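Review bot: `RUN pnpm install -g snyk` (PATCH 11/13) installs whatever version the registry marks as latest at build time, where the lines it replaces pinned v1.1293.1. I would keep the pin: `RUN pnpm install -g snyk@1.1293.1`. The step also runs without `sudo` while the other installs in this file use it, so where pnpm's global bin directory lives and whether it is on `PATH` for the runtime user depends on setup outside this hunk and is worth confirming.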
@@ -166,12 +166,6 @@ RUN sudo wget -qO /usr/local/bin/clair https://github.com/quay/clair/releases/do
 # Install snyk
 RUN pnpm install -g snyk
- && if [ "$ARCH" = "amd64" ]; then \
- sudo wget -qO /usr/local/bin/snyk https://github.com/snyk/cli/releases/download/v1.1293.1/snyk-linux; \
- elif [ "$ARCH" = "arm64" ]; then \
- sudo wget -qO /usr/local/bin/snyk https://github.com/snyk/cli/releases/download/v1.1293.1/snyk-linux-arm64; \
- fi \
- && sudo chmod +x /usr/local/bin/snyk
 # Install Grype
 RUN curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b /usr/local/bin