diff --git a/.dockerignore b/.dockerignore
index 28457e89087..74ee73966f1 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -13,7 +13,6 @@ examples
 cx.configuration
 docker-compose.yml
 Dockerfile
-Dockerfile.alpine
 Dockerfile.debian
 mkdocs.yml
 sonar-project.properties
diff --git a/.github/workflows/release-dkr-image-for-tag.yml b/.github/workflows/release-dkr-image-for-tag.yml
index 750c597e96d..7362311b9be 100644
--- a/.github/workflows/release-dkr-image-for-tag.yml
+++ b/.github/workflows/release-dkr-image-for-tag.yml
@@ -58,24 +58,12 @@ jobs:
 with:
 username: ${{ secrets.DOCKER_USERNAME }}
 password: ${{ secrets.DOCKER_PASSWORD }}
- - name: Push scratch to Docker Hub
- uses: docker/build-push-action@v2.6.1
- with:
- context: .
- push: true
- tags: ${{ steps.prep.outputs.tags }}
- build-args: |
- VERSION=${{ github.event.inputs.tag }}
- COMMIT=${{ github.sha }}
- SENTRY_DSN=${{ secrets.SENTRY_DSN }}
 - name: Push alpine to Docker Hub
- if: ${{ hashFiles('Dockerfile.alpine') }} != ""
 uses: docker/build-push-action@v2.6.1
 with:
 context: .
- file: ./Dockerfile.alpine
 push: true
- tags: ${{ steps.prep.outputs.alpine_tags }}
+ tags: ${{ steps.prep.outputs.tags }},${{ steps.prep.outputs.alpine_tags }}
 build-args: |
 VERSION=${{ github.event.inputs.tag }}
 COMMIT=${{ github.sha }}
diff --git a/.github/workflows/release-dkr-image.yml b/.github/workflows/release-dkr-image.yml
index 3be034437ca..f86f686158c 100644
--- a/.github/workflows/release-dkr-image.yml
+++ b/.github/workflows/release-dkr-image.yml
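Review bot: The step that survives the deletion is still named `Push alpine to Docker Hub`, yet it now builds the default `Dockerfile` and publishes it under both the plain `tags` and the `alpine_tags`, so the name no longer describes what it does; a rename such as `- name: Push image to Docker Hub (alpine base, plain and -alpine tags)` would spare the next reader a trip to the Dockerfile. The same stale step name and combined tag list appear in the release-dkr-image.yml hunk below. Because the plain tags were previously produced from a `scratch` image, consumers of the un-suffixed tags will now pull an image that contains a shell, apk and git; that is the intent of this commit, but it changes the runtime surface those consumers assumed and deserves a line in the release description. Whether `steps.prep.outputs.tags` is still populated now that the scratch step is gone cannot be seen from this hunk.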
@@ -40,25 +40,13 @@ jobs:
 with:
 username: ${{ secrets.DOCKER_USERNAME }}
 password: ${{ secrets.DOCKER_PASSWORD }}
- - name: Push scratch to Docker Hub
- uses: docker/build-push-action@v2.6.1
- id: build_scratch
- with:
- context: .
- push: true
- tags: checkmarx/kics:latest,checkmarx/kics:${{ steps.get-version.outputs.version }}
- build-args: |
- VERSION=${{ steps.get-version.outputs.version }}
- COMMIT=${{ github.sha }}
- SENTRY_DSN=${{ secrets.SENTRY_DSN }}
 - name: Push alpine to Docker Hub
 uses: docker/build-push-action@v2.6.1
 id: build_alpine
 with:
 context: .
- file: ./Dockerfile.alpine
 push: true
- tags: checkmarx/kics:latest-alpine,checkmarx/kics:${{ steps.get-version.outputs.version }}-alpine
+ tags: checkmarx/kics:latest,checkmarx/kics:${{ steps.get-version.outputs.version }},checkmarx/kics:latest-alpine,checkmarx/kics:${{ steps.get-version.outputs.version }}-alpine
 build-args: |
 VERSION=${{ steps.get-version.outputs.version }}
 COMMIT=${{ github.sha }}
@@ -87,7 +75,7 @@ jobs:
 run: |
 VERSION=${{ steps.get-version.outputs.version }}
- DIGEST=${{ steps.build_scratch.outputs.digest }}
+ DIGEST=${{ steps.build_alpine.outputs.digest }}
 ALPINE_DIGEST=${{ steps.build_alpine.outputs.digest }}
 DEBIAN_DIGEST=${{ steps.build_debian.outputs.digest }}
diff --git a/Dockerfile b/Dockerfile
index 75340337b1c..e1a9e76ff36 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,7 @@
 FROM golang:1.16-alpine as build_env
-
 # Create a group and user
 RUN addgroup -S Checkmarx && adduser -S Checkmarx -G Checkmarx
 USER Checkmarx
-
 # Copy the source from the current directory to the Working Directory inside the container
 WORKDIR /app
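Review bot: After the `DIGEST=` change, `DIGEST` and `ALPINE_DIGEST` both expand to `${{ steps.build_alpine.outputs.digest }}`, so the script now carries one value under two names. The rest of the `run:` block that consumes them lies outside the hunk, so it is not visible whether both are still read. If they are, a comment such as `# plain and -alpine tags come from a single build now, so DIGEST equals ALPINE_DIGEST` would explain the duplication to the next maintainer; if only one is needed, the redundant assignment can be dropped.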
@@ -11,62 +9,40 @@ ENV GOPRIVATE=github.com/Checkmarx/*
 ARG VERSION="development"
 ARG COMMIT="NOCOMMIT"
 ARG SENTRY_DSN=""
-
 #Copy go mod and sum files
 COPY --chown=Checkmarx:Checkmarx go.mod .
 COPY --chown=Checkmarx:Checkmarx go.sum .
-
 # Get dependancies - will also be cached if we won't change mod/sum
-RUN go mod download
-
+RUN go mod download -x
 # COPY the source code as the last step
 COPY . .
-
 USER root
-
-# Install git
-RUN apk add --no-cache \
- git=2.32.0-r0
-
 # Build the Go app
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \
- -ldflags "-s -w -X github.com/Checkmarx/kics/internal/constants.Version=${VERSION} -X github.com/Checkmarx/kics/internal/constants.SCMCommit=${COMMIT} -X github.com/Checkmarx/kics/internal/constants.SentryDSN=${SENTRY_DSN}" \
- -a -installsuffix cgo \
- -o bin/kics cmd/console/main.go
+ -ldflags "-s -w -X github.com/Checkmarx/kics/internal/constants.Version=${VERSION} -X github.com/Checkmarx/kics/internal/constants.SCMCommit=${COMMIT} -X github.com/Checkmarx/kics/internal/constants.SentryDSN=${SENTRY_DSN}" -a -installsuffix cgo \
+ -o bin/kics cmd/console/main.go
 USER Checkmarx
-
 #Healthcheck the container
 HEALTHCHECK CMD wget -q --method=HEAD localhost/system-status.txt
-
 #runtime image
-FROM scratch
+FROM alpine:3.14.0
+
+RUN addgroup -S Checkmarx && adduser -S Checkmarx -G Checkmarx
+USER root
+# Install Git
+RUN apk add --no-cache \
+ git=2.32.0-r0
-# Copy git execution folders
 COPY --from=build_env /app/bin/kics /app/bin/kics
-COPY --from=build_env /app/assets /app/bin/assets
-COPY --from=build_env /lib/ /lib/
-COPY --from=build_env /usr/lib/ /usr/lib/
-COPY --from=build_env /usr/libexec/git-core /usr/libexec/git-core
-COPY --from=build_env /usr/sbin/update-ca-certificates /usr/sbin/update-ca-certificates
-COPY --from=build_env /usr/share/git-core /usr/share/git-core
-COPY --from=build_env /usr/share/ca-certificates /usr/share/ca-certificates
-COPY --from=build_env /usr/bin/c_rehash /usr/bin/c_rehash
-COPY --from=build_env /usr/bin/git /usr/bin/git
-COPY --from=build_env /usr/bin/git-receive-pack /usr/bin/git-receive-pack
-COPY --from=build_env /usr/bin/git-shell /usr/bin/git-shell
-COPY --from=build_env /usr/bin/git-upload-archive /usr/bin/git-upload-archive
-COPY --from=build_env /usr/bin/git-upload-pack /usr/bin/git-upload-pack
-COPY --from=build_env /etc/ca-certificates.conf /etc/ca-certificates.conf
-COPY --from=build_env /etc/ca-certificates/update.d/certhash /etc/ca-certificates/update.d/certhash
-COPY --from=build_env /etc/apk/protected_paths.d/ca-certificates.list /etc/apk/protected_paths.d/ca-certificates.list
-COPY --from=build_env /etc/ssl/certs /etc/ssl/certs
-COPY --from=build_env /bin /bin
+COPY --from=build_env /app/assets/ /app/bin/assets/
 WORKDIR /app/bin
-#Healthcheck the container
+# Healthcheck the container
 HEALTHCHECK CMD wget -q --method=HEAD localhost/system-status.txt
-
+ENV PATH $PATH:/app/bin
 # Command to run the executable
+USER Checkmarx
+
 ENTRYPOINT ["/app/bin/kics"]
diff --git a/Dockerfile.alpine b/Dockerfile.alpine
deleted file mode 100644
index e1a9e76ff36..00000000000
--- a/Dockerfile.alpine
+++ /dev/null
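Review bot: `ENV PATH $PATH:/app/bin` in the new runtime stage uses the legacy space-separated ENV form that BuildKit's build checks flag; write it as `ENV PATH="${PATH}:/app/bin"`. The `USER root` placed right after `FROM alpine:3.14.0` is a no-op, since a fresh stage already starts as root, so it can be removed (the `USER Checkmarx` added before `ENTRYPOINT` is what actually matters, and it is correctly placed). Pinning `git=2.32.0-r0` is good for reproducibility, but Alpine's repositories normally serve only the current revision of a package for a branch, so this `apk add` is likely to start failing on rebuilds once 3.14 ships a newer git; the usual trade-off is to keep the pin and bump it together with a digest-pinned base image, or to document why an exact revision is required. Dropping `apk add git` from the build stage means `go mod download` there now runs without git, which is fine only if every module resolves through the module proxy; that cannot be confirmed from this hunk.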
@@ -1,48 +0,0 @@
-FROM golang:1.16-alpine as build_env
-# Create a group and user
-RUN addgroup -S Checkmarx && adduser -S Checkmarx -G Checkmarx
-USER Checkmarx
-# Copy the source from the current directory to the Working Directory inside the container
-WORKDIR /app
-
-ENV GOPRIVATE=github.com/Checkmarx/*
-ARG VERSION="development"
-ARG COMMIT="NOCOMMIT"
-ARG SENTRY_DSN=""
-#Copy go mod and sum files
-COPY --chown=Checkmarx:Checkmarx go.mod .
-COPY --chown=Checkmarx:Checkmarx go.sum .
-# Get dependancies - will also be cached if we won't change mod/sum
-RUN go mod download -x
-# COPY the source code as the last step
-COPY . .
-USER root
-# Build the Go app
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \
- -ldflags "-s -w -X github.com/Checkmarx/kics/internal/constants.Version=${VERSION} -X github.com/Checkmarx/kics/internal/constants.SCMCommit=${COMMIT} -X github.com/Checkmarx/kics/internal/constants.SentryDSN=${SENTRY_DSN}" -a -installsuffix cgo \
- -o bin/kics cmd/console/main.go
-USER Checkmarx
-#Healthcheck the container
-HEALTHCHECK CMD wget -q --method=HEAD localhost/system-status.txt
-#runtime image
-FROM alpine:3.14.0
-
-RUN addgroup -S Checkmarx && adduser -S Checkmarx -G Checkmarx
-
-USER root
-# Install Git
-RUN apk add --no-cache \
- git=2.32.0-r0
-
-COPY --from=build_env /app/bin/kics /app/bin/kics
-COPY --from=build_env /app/assets/ /app/bin/assets/
-
-WORKDIR /app/bin
-
-# Healthcheck the container
-HEALTHCHECK CMD wget -q --method=HEAD localhost/system-status.txt
-ENV PATH $PATH:/app/bin
-# Command to run the executable
-USER Checkmarx
-
-ENTRYPOINT ["/app/bin/kics"]