FROM golang:1.26-bookworm AS go-tools ARG GITLEAKS_VERSION=v8.30.1 ARG OSV_SCANNER_VERSION=v2.4.0 RUN go install github.com/zricethezav/gitleaks/v8@${GITLEAKS_VERSION} \ && go install github.com/google/osv-scanner/v2/cmd/osv-scanner@${OSV_SCANNER_VERSION} FROM python:3.12-bookworm ENV DEBIAN_FRONTEND=noninteractive \ PIP_DISABLE_PIP_VERSION_CHECK=1 \ PYTHONDONTWRITEBYTECODE=1 RUN apt-get update \ && apt-get install -y --no-install-recommends \ bash \ ca-certificates \ curl \ git \ gnupg \ jq \ && curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \ && apt-get install -y --no-install-recommends nodejs \ && curl -fsSL https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor -o /usr/share/keyrings/trivy.gpg \ && printf 'deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main\n' > /etc/apt/sources.list.d/trivy.list \ && apt-get update \ && apt-get install -y --no-install-recommends trivy \ && rm -rf /var/lib/apt/lists/* COPY --from=go-tools /go/bin/gitleaks /usr/local/bin/gitleaks COPY --from=go-tools /go/bin/osv-scanner /usr/local/bin/osv-scanner COPY requirements-audit.txt /tmp/requirements-audit.txt RUN python -m pip install --upgrade pip \ && python -m pip install --no-cache-dir -r /tmp/requirements-audit.txt \ && python -m pip install --no-cache-dir "semgrep>=1.140,<2" \ && python -m pip install --no-cache-dir --upgrade --no-deps "click>=8.3.3" \ && npm install -g jscpd \ && semgrep --version \ && bandit --version \ && ruff --version \ && gitleaks version \ && osv-scanner --version \ && trivy --version \ && jscpd --version RUN mkdir -p /workspace \ && chmod 0777 /workspace WORKDIR /workspace USER 65532:65532 HEALTHCHECK NONE CMD ["bash", "tools/checks/check-security-audit.sh", "--mode", "ci", "--scope", "current"]