Files
govoplan/tools/checks/security-audit/Dockerfile

55 lines
1.7 KiB
Docker

FROM golang:1.26-bookworm AS go-tools
ARG GITLEAKS_VERSION=v8.30.1
ARG OSV_SCANNER_VERSION=v2.4.0
RUN go install github.com/zricethezav/gitleaks/v8@${GITLEAKS_VERSION} \
&& go install github.com/google/osv-scanner/v2/cmd/osv-scanner@${OSV_SCANNER_VERSION}
FROM python:3.12-bookworm
ENV DEBIAN_FRONTEND=noninteractive \
PIP_DISABLE_PIP_VERSION_CHECK=1 \
PYTHONDONTWRITEBYTECODE=1
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
bash \
ca-certificates \
curl \
git \
gnupg \
jq \
&& curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
&& apt-get install -y --no-install-recommends nodejs \
&& curl -fsSL https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor -o /usr/share/keyrings/trivy.gpg \
&& printf 'deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main\n' > /etc/apt/sources.list.d/trivy.list \
&& apt-get update \
&& apt-get install -y --no-install-recommends trivy \
&& rm -rf /var/lib/apt/lists/*
COPY --from=go-tools /go/bin/gitleaks /usr/local/bin/gitleaks
COPY --from=go-tools /go/bin/osv-scanner /usr/local/bin/osv-scanner
COPY requirements-audit.txt /tmp/requirements-audit.txt
RUN python -m pip install --upgrade pip \
&& python -m pip install --no-cache-dir -r /tmp/requirements-audit.txt \
&& npm install -g jscpd \
&& semgrep --version \
&& bandit --version \
&& ruff --version \
&& gitleaks version \
&& osv-scanner --version \
&& trivy --version \
&& jscpd --version
RUN mkdir -p /workspace \
&& chmod 0777 /workspace
WORKDIR /workspace
USER 65532:65532
HEALTHCHECK NONE
CMD ["bash", "tools/checks/check-security-audit.sh", "--mode", "ci", "--scope", "current"]