Fix anchore scan for pull requests #53
Conversation
|
Hi Leonard,
I know the PR is not the best place to try to make a contact however I couldn't send you a request via LinkedIn (https://www.linkedin.com/in/yevhen-zavhorodnii-40773132/) because we don't have common connections and couldn't find alternative way to connect. Could you please suggest the best way to contact you? I'm not officially a maintainer of the project however I am personally as well as my company is very interested in it and chatting now with an author and other contributors about the way to maintain/contribute. |
| # RUN mkdir -p /lib64 && ln -s /lib/libc.musl-x86_64.so.1 /lib64/ld-linux-x86-64.so.2 | ||
| # clean apk cache | ||
| RUN rm -rf /var/cache/apk/* | ||
| RUN apk add --no-cache \ |
There was a problem hiding this comment.
It would be nice to know the context why adding libc6-compat (RUN apk add libc6-compat) was removed. As far as I can see that was a workaround, is adding everything withing one RUN apk add fixing the problem and how?
There was a problem hiding this comment.
I changed the building step to run in golang:alpine instead of the default golang (which is based on Debian). Because of this we do not need libc6-compat as a compatibility layer for glibc anymore.
| ENV PATH=/app:$PATH | ||
| ENV GIN_MODE=release | ||
| # Add non-privileged user for running threagile | ||
| RUN adduser \ |
There was a problem hiding this comment.
Kudos for adding best security practices for the project which is about improving security ;)
|
@ ldallmayr I merged your changes into my fork so they are part of pr #57. thank you for your contribution |
|
this pr has been resolved with #57 |
Currently, running the anchore scan on pull requests does not scan the changed files from the pull request. Instead it uses the
Dockerfile, where the main repo https://github.com/Threagile/threagile.git is being cloned.In order to properly scan the pull request I refactored
Dockerfile.localand used it in the github action. Now the actual changes from the pull request are considered in the scan.One possibly controversial change is the option
fail-build: falsein.github/workflows/anchore-analysis.yml. This allows the build to succeed while still reporting the found vulnerabilities in the Security tab.For example, currently there are vulnerabilities in alpine linux that do not have a fix available. Most of the time this cannot be avoided.
Generally I would recommend only having one Dockerfile and removing the docker-build-*.sh files or moving them to a non-default branch. If someone wants to build from the master branch, simply using
git stash --include-untrackedandgit checkout mastershould be enough to build the main container file.I would recommend versioning and automatically pushing the image to Dockerhub instead though. If the maintainers are interested in this I could help setting that up.