manually merged pull request Threagile#53

joreiche · Feb 2, 2024 · eda8518 · eda8518
1 parent f03ea81
commit eda8518
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 37 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -1,4 +1,9 @@
 **/.git
 **/.gitignore
 **/.DS_Store
-**/*.tmp
+**/*.tmp
+
+.github
+.dockerignore
+Dockerfile
+Dockerfile.*
diff --git a/.github/workflows/anchore-analysis.yml b/.github/workflows/anchore-analysis.yml
@@ -21,13 +21,23 @@ jobs:
   Anchore-Build-Scan:
     runs-on: ubuntu-latest
     steps:
-    - name: Checkout the code
-      uses: actions/checkout@v4
-    - name: Build the Docker image
-      run: docker build . --file Dockerfile.local --tag localbuild/testimage:latest
-    - name: Run the local Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
-      uses: anchore/scan-action@v3
-    - name: Upload Anchore Scan Report
-      uses: github/codeql-action/upload-sarif@v3
-      with:
-        sarif_file: results.sarif
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build the Docker image
+        uses: docker/build-push-action@v5
+        with:
+          tags: localbuild/threagile:latest
+          file: Dockerfile.local
+          push: false
+          load: true
+
+      - name: Scan image
+        uses: anchore/scan-action@v3
+        with:
+          image: "localbuild/threagile:latest"
+
+      - name: Upload Anchore Scan Report
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
diff --git a/Dockerfile.local b/Dockerfile.local
@@ -1,47 +1,41 @@
-# Used for local manual test builds
+# Used for local manual test builds as well as Anchore scans in github workflow
 
 ######
-## Stage 1: Clone the Git repository
+## Stage 1: Build application with Go's build tools
 ######
-FROM alpine/git as clone
+FROM docker.io/library/golang:alpine as build
 WORKDIR /app
 
-COPY . /app/threagile
+# Add build dependencies (gcc, c stdlib)
+RUN apk add --no-cache build-base
+COPY go.mod go.sum ./
 
+RUN go mod download
+COPY . .
 
-
-
-######
-## Stage 2: Build application with Go's build tools
-######
-FROM golang as build
-WORKDIR /app
-
+# Set build-time variables
+ARG GOOS=linux
 ENV GO111MODULE=on
 
-# https://stackoverflow.com/questions/36279253/go-compiled-binary-wont-run-in-an-alpine-docker-container-on-ubuntu-host
-#ENV CGO_ENABLED=0 # cannot be set as otherwise plugins don't run
-COPY --from=clone /app/threagile /app
-
 RUN go version
 RUN go test ./...
-RUN GOOS=linux go build -ldflags="-X main.buildTimestamp=$(date '+%Y%m%d%H%M%S')" -o raa_calc cmd/raa/main.go
-RUN GOOS=linux go build -ldflags="-X main.buildTimestamp=$(date '+%Y%m%d%H%M%S')" -o raa_dummy cmd/raa_dummy/main.go
-RUN GOOS=linux go build -ldflags="-X main.buildTimestamp=$(date '+%Y%m%d%H%M%S')" -o risk_demo_rule cmd/risk_demo/main.go
-RUN GOOS=linux go build -ldflags="-X main.buildTimestamp=$(date '+%Y%m%d%H%M%S')" -o threagile cmd/threagile/main.go
+
+RUN go build -ldflags="-X main.buildTimestamp=$(date '+%Y%m%d%H%M%S')" -o raa_calc cmd/raa/main.go
+RUN go build -ldflags="-X main.buildTimestamp=$(date '+%Y%m%d%H%M%S')" -o raa_dummy cmd/raa_dummy/main.go
+RUN go build -ldflags="-X main.buildTimestamp=$(date '+%Y%m%d%H%M%S')" -o risk_demo_rule cmd/risk_demo/main.go
+RUN go build -ldflags="-X main.buildTimestamp=$(date '+%Y%m%d%H%M%S')" -o threagile cmd/threagile/main.go
+
 # add the -race parameter to go build call in order to instrument with race condition detector: https://blog.golang.org/race-detector
 # NOTE: copy files with final name to send to final build
+
 RUN cp /app/demo/example/threagile.yaml /app/demo/example/threagile-example-model.yaml
 RUN cp /app/demo/stub/threagile.yaml /app/demo/stub/threagile-stub-model.yaml
 
 
-
-
 ######
-## Stage 3: Make final small image
+## Stage 2: Make final small image
 ######
-FROM alpine as deploy
-WORKDIR /app
+FROM docker.io/library/alpine:latest as deploy
 
 # label used in other scripts to filter
 LABEL type="threagile"
@@ -56,6 +50,10 @@ RUN apk add libc6-compat
 # RUN mkdir -p /lib64 && ln -s /lib/libc.musl-x86_64.so.1 /lib64/ld-linux-x86-64.so.2
 # clean apk cache
 RUN rm -rf /var/cache/apk/*
+# add non-privileged user
+RUN adduser --disabled-password --gecos "" --home "$(pwd)" --no-create-home threagile
+
+WORKDIR /app
 
 RUN mkdir -p /app /data
 RUN chown -R 1000:1000 /app /data
@@ -73,7 +71,7 @@ COPY --from=build --chown=1000:1000 /app/demo/example/threagile-example-model.ya
 COPY --from=build --chown=1000:1000 /app/demo/stub/threagile-stub-model.yaml /app/
 COPY --from=build --chown=1000:1000 /app/server /app/server
 
-USER 1000:1000
+USER threagile
 
 ENV PATH=/app:$PATH GIN_MODE=release