-
Notifications
You must be signed in to change notification settings - Fork 307
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
0371a1b
commit 1921aa2
Showing
5 changed files
with
18 additions
and
115 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -58,24 +58,12 @@ jobs: | |
| with: | ||
| username: ${{ secrets.DOCKER_USERNAME }} | ||
| password: ${{ secrets.DOCKER_PASSWORD }} | ||
| - name: Push scratch to Docker Hub | ||
| uses: docker/[email protected] | ||
| with: | ||
| context: . | ||
| push: true | ||
| tags: ${{ steps.prep.outputs.tags }} | ||
| build-args: | | ||
| VERSION=${{ github.event.inputs.tag }} | ||
| COMMIT=${{ github.sha }} | ||
| SENTRY_DSN=${{ secrets.SENTRY_DSN }} | ||
| - name: Push alpine to Docker Hub | ||
| if: ${{ hashFiles('Dockerfile.alpine') }} != "" | ||
| uses: docker/[email protected] | ||
| with: | ||
| context: . | ||
| file: ./Dockerfile.alpine | ||
| push: true | ||
| tags: ${{ steps.prep.outputs.alpine_tags }} | ||
| tags: ${{ steps.prep.outputs.tags }},${{ steps.prep.outputs.alpine_tags }} | ||
| build-args: | | ||
| VERSION=${{ github.event.inputs.tag }} | ||
| COMMIT=${{ github.sha }} | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -40,25 +40,13 @@ jobs: | |
| with: | ||
| username: ${{ secrets.DOCKER_USERNAME }} | ||
| password: ${{ secrets.DOCKER_PASSWORD }} | ||
| - name: Push scratch to Docker Hub | ||
| uses: docker/[email protected] | ||
| id: build_scratch | ||
| with: | ||
| context: . | ||
| push: true | ||
| tags: checkmarx/kics:latest,checkmarx/kics:${{ steps.get-version.outputs.version }} | ||
| build-args: | | ||
| VERSION=${{ steps.get-version.outputs.version }} | ||
| COMMIT=${{ github.sha }} | ||
| SENTRY_DSN=${{ secrets.SENTRY_DSN }} | ||
| - name: Push alpine to Docker Hub | ||
| uses: docker/[email protected] | ||
| id: build_alpine | ||
| with: | ||
| context: . | ||
| file: ./Dockerfile.alpine | ||
| push: true | ||
| tags: checkmarx/kics:latest-alpine,checkmarx/kics:${{ steps.get-version.outputs.version }}-alpine | ||
| tags: checkmarx/kics:latest,checkmarx/kics:${{ steps.get-version.outputs.version }},checkmarx/kics:latest-alpine,checkmarx/kics:${{ steps.get-version.outputs.version }}-alpine | ||
| build-args: | | ||
| VERSION=${{ steps.get-version.outputs.version }} | ||
| COMMIT=${{ github.sha }} | ||
|
|
@@ -87,7 +75,7 @@ jobs: | |
| run: | | ||
| VERSION=${{ steps.get-version.outputs.version }} | ||
| DIGEST=${{ steps.build_scratch.outputs.digest }} | ||
| DIGEST=${{ steps.build_alpine.outputs.digest }} | ||
| ALPINE_DIGEST=${{ steps.build_alpine.outputs.digest }} | ||
| DEBIAN_DIGEST=${{ steps.build_debian.outputs.digest }} | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,72 +1,48 @@ | ||
| FROM golang:1.16-alpine as build_env | ||
|
|
||
| # Create a group and user | ||
| RUN addgroup -S Checkmarx && adduser -S Checkmarx -G Checkmarx | ||
| USER Checkmarx | ||
|
|
||
| # Copy the source from the current directory to the Working Directory inside the container | ||
| WORKDIR /app | ||
|
|
||
| ENV GOPRIVATE=github.com/Checkmarx/* | ||
| ARG VERSION="development" | ||
| ARG COMMIT="NOCOMMIT" | ||
| ARG SENTRY_DSN="" | ||
|
|
||
| #Copy go mod and sum files | ||
| COPY --chown=Checkmarx:Checkmarx go.mod . | ||
| COPY --chown=Checkmarx:Checkmarx go.sum . | ||
|
|
||
| # Get dependancies - will also be cached if we won't change mod/sum | ||
| RUN go mod download | ||
|
|
||
| RUN go mod download -x | ||
| # COPY the source code as the last step | ||
| COPY . . | ||
|
|
||
| USER root | ||
|
|
||
| # Install git | ||
| RUN apk add --no-cache \ | ||
| git=2.32.0-r0 | ||
|
|
||
| # Build the Go app | ||
| RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \ | ||
| -ldflags "-s -w -X github.com/Checkmarx/kics/internal/constants.Version=${VERSION} -X github.com/Checkmarx/kics/internal/constants.SCMCommit=${COMMIT} -X github.com/Checkmarx/kics/internal/constants.SentryDSN=${SENTRY_DSN}" \ | ||
| -a -installsuffix cgo \ | ||
| -o bin/kics cmd/console/main.go | ||
| -ldflags "-s -w -X github.com/Checkmarx/kics/internal/constants.Version=${VERSION} -X github.com/Checkmarx/kics/internal/constants.SCMCommit=${COMMIT} -X github.com/Checkmarx/kics/internal/constants.SentryDSN=${SENTRY_DSN}" -a -installsuffix cgo \ | ||
| -o bin/kics cmd/console/main.go | ||
| USER Checkmarx | ||
|
|
||
| #Healthcheck the container | ||
| HEALTHCHECK CMD wget -q --method=HEAD localhost/system-status.txt | ||
|
|
||
| #runtime image | ||
| FROM scratch | ||
| FROM alpine:3.14.0 | ||
|
|
||
| RUN addgroup -S Checkmarx && adduser -S Checkmarx -G Checkmarx | ||
|
|
||
| USER root | ||
| # Install Git | ||
| RUN apk add --no-cache \ | ||
| git=2.32.0-r0 | ||
|
|
||
| # Copy git execution folders | ||
| COPY --from=build_env /app/bin/kics /app/bin/kics | ||
| COPY --from=build_env /app/assets /app/bin/assets | ||
| COPY --from=build_env /lib/ /lib/ | ||
| COPY --from=build_env /usr/lib/ /usr/lib/ | ||
| COPY --from=build_env /usr/libexec/git-core /usr/libexec/git-core | ||
| COPY --from=build_env /usr/sbin/update-ca-certificates /usr/sbin/update-ca-certificates | ||
| COPY --from=build_env /usr/share/git-core /usr/share/git-core | ||
| COPY --from=build_env /usr/share/ca-certificates /usr/share/ca-certificates | ||
| COPY --from=build_env /usr/bin/c_rehash /usr/bin/c_rehash | ||
| COPY --from=build_env /usr/bin/git /usr/bin/git | ||
| COPY --from=build_env /usr/bin/git-receive-pack /usr/bin/git-receive-pack | ||
| COPY --from=build_env /usr/bin/git-shell /usr/bin/git-shell | ||
| COPY --from=build_env /usr/bin/git-upload-archive /usr/bin/git-upload-archive | ||
| COPY --from=build_env /usr/bin/git-upload-pack /usr/bin/git-upload-pack | ||
| COPY --from=build_env /etc/ca-certificates.conf /etc/ca-certificates.conf | ||
| COPY --from=build_env /etc/ca-certificates/update.d/certhash /etc/ca-certificates/update.d/certhash | ||
| COPY --from=build_env /etc/apk/protected_paths.d/ca-certificates.list /etc/apk/protected_paths.d/ca-certificates.list | ||
| COPY --from=build_env /etc/ssl/certs /etc/ssl/certs | ||
| COPY --from=build_env /bin /bin | ||
| COPY --from=build_env /app/assets/ /app/bin/assets/ | ||
|
|
||
| WORKDIR /app/bin | ||
|
|
||
| #Healthcheck the container | ||
| # Healthcheck the container | ||
| HEALTHCHECK CMD wget -q --method=HEAD localhost/system-status.txt | ||
|
|
||
| ENV PATH $PATH:/app/bin | ||
| # Command to run the executable | ||
| USER Checkmarx | ||
|
|
||
| ENTRYPOINT ["/app/bin/kics"] |
This file was deleted.
Oops, something went wrong.