57 lines
1.9 KiB
Docker
57 lines
1.9 KiB
Docker
FROM golang:1.26-bookworm AS go-tools
|
|
|
|
ARG GITLEAKS_VERSION=v8.30.1
|
|
ARG OSV_SCANNER_VERSION=v2.4.0
|
|
|
|
RUN go install github.com/zricethezav/gitleaks/v8@${GITLEAKS_VERSION} \
|
|
&& go install github.com/google/osv-scanner/v2/cmd/osv-scanner@${OSV_SCANNER_VERSION}
|
|
|
|
FROM python:3.12-bookworm
|
|
|
|
ENV DEBIAN_FRONTEND=noninteractive \
|
|
PIP_DISABLE_PIP_VERSION_CHECK=1 \
|
|
PYTHONDONTWRITEBYTECODE=1
|
|
|
|
RUN apt-get update \
|
|
&& apt-get install -y --no-install-recommends \
|
|
bash \
|
|
ca-certificates \
|
|
curl \
|
|
git \
|
|
gnupg \
|
|
jq \
|
|
&& curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
|
|
&& apt-get install -y --no-install-recommends nodejs \
|
|
&& curl -fsSL https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor -o /usr/share/keyrings/trivy.gpg \
|
|
&& printf 'deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main\n' > /etc/apt/sources.list.d/trivy.list \
|
|
&& apt-get update \
|
|
&& apt-get install -y --no-install-recommends trivy \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
COPY --from=go-tools /go/bin/gitleaks /usr/local/bin/gitleaks
|
|
COPY --from=go-tools /go/bin/osv-scanner /usr/local/bin/osv-scanner
|
|
COPY requirements-audit.txt /tmp/requirements-audit.txt
|
|
|
|
RUN python -m pip install --upgrade pip \
|
|
&& python -m pip install --no-cache-dir -r /tmp/requirements-audit.txt \
|
|
&& python -m pip install --no-cache-dir "semgrep>=1.140,<2" \
|
|
&& python -m pip install --no-cache-dir --upgrade --no-deps "click>=8.3.3" \
|
|
&& npm install -g jscpd \
|
|
&& semgrep --version \
|
|
&& bandit --version \
|
|
&& ruff --version \
|
|
&& gitleaks version \
|
|
&& osv-scanner --version \
|
|
&& trivy --version \
|
|
&& jscpd --version
|
|
|
|
RUN mkdir -p /workspace \
|
|
&& chmod 0777 /workspace
|
|
|
|
WORKDIR /workspace
|
|
|
|
USER 65532:65532
|
|
HEALTHCHECK NONE
|
|
|
|
CMD ["bash", "tools/checks/check-security-audit.sh", "--mode", "ci", "--scope", "current"]
|