From b328cbe59b062657627f7fb545204f0d692c6b34 Mon Sep 17 00:00:00 2001
From: Dhrumil Mistry <56185972+dmdhrumilmistry@users.noreply.github.com>
Date: Sat, 6 Apr 2024 23:35:01 +0530
Subject: [PATCH] update dockerfiles use wolfi as base container image fix CVEs in docker images
---
 .github/workflows/dev-push.yml | 13 +++---
 .github/workflows/release-push.yml | 37 ++++++++++++++++-
 src/DockerFiles/wolfi-base-Dockerfile | 59 +++++++++++++++++++++++++++
 src/Makefile | 12 +++++-
 4 files changed, 112 insertions(+), 9 deletions(-)
 create mode 100644 src/DockerFiles/wolfi-base-Dockerfile
diff --git a/.github/workflows/dev-push.yml b/.github/workflows/dev-push.yml
index 793313a..aaf1951 100644
--- a/.github/workflows/dev-push.yml
+++ b/.github/workflows/dev-push.yml
@@ -1,8 +1,9 @@
-name: "Dev Release: Build and Push OWASP OFFAT Docker Images to DockerHub"
+name: "Build and Push Dev/main OWASP OFFAT Docker Images to DockerHub"
 on:
 push:
 branches:
+ - "main"
 - "dev"
 jobs:
@@ -24,9 +25,9 @@ jobs:
 uses: docker/build-push-action@v3
 with:
 context: ./src/
- file: ./src/DockerFiles/base-Dockerfile
+ file: ./src/DockerFiles/wolfi-base-Dockerfile
 push: true
- tags: ${{ secrets.DOCKERHUB_USERNAME }}/offat-base:dev
+ tags: ${{ secrets.DOCKERHUB_USERNAME }}/offat-base:${{ github.head_ref || github.ref_name }}
 platforms: linux/amd64,linux/arm64
 - name: Build and push offat docker image
 uses: docker/build-push-action@v3
@@ -34,7 +35,7 @@ jobs:
 context: ./src/
 file: ./src/DockerFiles/dev/cli-Dockerfile
 push: true
- tags: ${{ secrets.DOCKERHUB_USERNAME }}/offat:dev
+ tags: ${{ secrets.DOCKERHUB_USERNAME }}/offat:${{ github.head_ref || github.ref_name }}
 platforms: linux/amd64,linux/arm64
 - name: Build and push offat-api docker image
 uses: docker/build-push-action@v3
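Review bot: Pushes to `main` now trigger this workflow (the `- "main"` added in the first hunk), but the offat step in the third hunk still builds from `file: ./src/DockerFiles/dev/cli-Dockerfile`, and the offat-api and offat-api-worker hunks on the next line keep their `dev/` Dockerfiles too, while the release workflow in this same patch builds those images from `DockerFiles/main/`. So `offat:main` is produced from the dev Dockerfile; if that Dockerfile is based on `offat-base:dev` (not visible here), the `:main` images inherit the dev base rather than the `offat-base:main` image pushed one step earlier. Selecting the directory from the ref, e.g. `file: ./src/DockerFiles/${{ github.ref_name }}/cli-Dockerfile`, would keep the two workflows consistent. Also, on `push` events `github.head_ref` is always empty, so `${{ github.ref_name }}` alone expresses the tag more plainly.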
@@ -42,7 +43,7 @@ jobs:
 context: ./src/
 file: ./src/DockerFiles/dev/backend-api-Dockerfile
 push: true
- tags: ${{ secrets.DOCKERHUB_USERNAME }}/offat-api:dev
+ tags: ${{ secrets.DOCKERHUB_USERNAME }}/offat-api:${{ github.head_ref || github.ref_name }}
 platforms: linux/amd64,linux/arm64
 - name: Build and push offat-api-worker docker image
 uses: docker/build-push-action@v3
@@ -50,5 +51,5 @@ jobs:
 context: ./src/
 file: ./src/DockerFiles/dev/backend-api-worker-Dockerfile
 push: true
- tags: ${{ secrets.DOCKERHUB_USERNAME }}/offat-api-worker:dev
+ tags: ${{ secrets.DOCKERHUB_USERNAME }}/offat-api-worker:${{ github.head_ref || github.ref_name }}
 platforms: linux/amd64,linux/arm64
diff --git a/.github/workflows/release-push.yml b/.github/workflows/release-push.yml
index 9f8d1a7..c7bd369 100644
--- a/.github/workflows/release-push.yml
+++ b/.github/workflows/release-push.yml
@@ -19,11 +19,46 @@ jobs:
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
+ # Build and publish version tag image
 - name: Build and push offat-base docker image
 uses: docker/build-push-action@v3
 with:
 context: ./src/
- file: ./src/DockerFiles/base-Dockerfile
+ file: ./src/DockerFiles/wolfi-base-Dockerfile
+ push: true
+ tags: ${{ secrets.DOCKERHUB_USERNAME }}/offat-base:${{ github.event.release.tag_name }}
+ platforms: linux/amd64,linux/arm64
+ - name: Build and push offat docker image
+ uses: docker/build-push-action@v3
+ with:
+ context: ./src/
+ file: ./src/DockerFiles/main/cli-Dockerfile
+ push: true
+ tags: ${{ secrets.DOCKERHUB_USERNAME }}/offat:${{ github.event.release.tag_name }}
+ platforms: linux/amd64,linux/arm64
+ - name: Build and push offat-api docker image
+ uses: docker/build-push-action@v3
+ with:
+ context: ./src/
+ file: ./src/DockerFiles/main/backend-api-Dockerfile
+ push: true
+ tags: ${{ secrets.DOCKERHUB_USERNAME }}/offat-api:${{ github.event.release.tag_name }}
+ platforms: linux/amd64,linux/arm64
+ - name: Build and push offat-api-worker docker image
+ uses: docker/build-push-action@v3
+ with:
+ context: ./src/
+ file: ./src/DockerFiles/main/backend-api-worker-Dockerfile
+ push: true
+ tags: ${{ secrets.DOCKERHUB_USERNAME }}/offat-api-worker:${{ github.event.release.tag_name }}
+ platforms: linux/amd64,linux/arm64
+
+ # Build and publish latest tag image
+ - name: Build and push offat-base docker image
+ uses: docker/build-push-action@v3
+ with:
+ context: ./src/
+ file: ./src/DockerFiles/wolfi-base-Dockerfile
 push: true
 tags: ${{ secrets.DOCKERHUB_USERNAME }}/offat-base:latest
 platforms: linux/amd64,linux/arm64
diff --git a/src/DockerFiles/wolfi-base-Dockerfile b/src/DockerFiles/wolfi-base-Dockerfile
new file mode 100644
index 0000000..442b7c8
--- /dev/null
+++ b/src/DockerFiles/wolfi-base-Dockerfile
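Review bot: The version-tagged `offat-base` build and the `:latest` build at the bottom of the hunk are two separate `docker/build-push-action` invocations of the same context and Dockerfile, so `offat-base:<tag>` and `offat-base:latest` are built twice and need not be identical — the new Dockerfile's `apk add` and `pip install poetry` are unpinned, so the two builds can resolve different package versions and publish different digests under what operators will assume is the same release. Building once and pushing both tags from one step avoids that: `tags: |` followed by `${{ secrets.DOCKERHUB_USERNAME }}/offat-base:${{ github.event.release.tag_name }}` and `${{ secrets.DOCKERHUB_USERNAME }}/offat-base:latest`; the same applies to the offat, offat-api and offat-api-worker pairs, whose `latest` steps presumably follow past the end of the hunk. The `DockerFiles/main/*-Dockerfile` paths referenced by the three new steps are not part of this patch, so their existence should be confirmed before the release workflow is relied on.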
@@ -0,0 +1,59 @@
+############################
+# Builder Stage
+############################
+# use chainguard hardened images with SBOM
+FROM cgr.dev/chainguard/wolfi-base as builder
+
+WORKDIR /offat
+
+ARG version=3.12
+
+ENV LANG=C.UTF-8
+ENV PYTHONDONTWRITEBYTECODE=1
+ENV PYTHONUNBUFFERED=1
+ENV PATH="/offat/.venv/bin:$PATH"
+
+
+RUN apk add python-${version} py${version}-pip && \
+ chown -R nonroot.nonroot /offat
+
+# install poetry and copy lock file
+RUN python -m pip install poetry
+COPY pyproject.toml poetry.lock README.md ./
+COPY offat ./offat
+
+# poetry config
+ENV POETRY_NO_INTERACTION=1 \
+ POETRY_VIRTUALENVS_IN_PROJECT=1 \
+ POETRY_VIRTUALENVS_CREATE=1 \
+ POETRY_CACHE_DIR=/tmp/poetry_cache
+
+RUN --mount=type=cache,target=$POETRY_CACHE_DIR poetry install -E api --without dev
+
+############################
+# runtime stage
+############################
+FROM cgr.dev/chainguard/wolfi-base as runtime
+
+WORKDIR /offat
+
+ARG version=3.12
+
+ENV LANG=C.UTF-8
+ENV PYTHONDONTWRITEBYTECODE=1
+ENV PYTHONUNBUFFERED=1
+ENV PATH="/offat/.venv/bin:$PATH"
+ENV VIRTUAL_ENV=/offat/.venv
+
+RUN apk add python-${version} py${version}-pip && \
+ chown -R nonroot.nonroot /offat
+
+
+# copy venv from builder image
+COPY --from=builder ${VIRTUAL_ENV} ${VIRTUAL_ENV}
+
+# copy necessary files
+COPY offat ./offat
+COPY README.md CODE_OF_CONDUCT.md DISCLAIMER.md pyproject.toml .
+
+USER nonroot
\ No newline at end of file
diff --git a/src/Makefile b/src/Makefile
index 344d79a..4a9abc9 100644
--- a/src/Makefile
+++ b/src/Makefile
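Review bot: `FROM cgr.dev/chainguard/wolfi-base` in both stages carries no tag or digest, so every build floats on whatever the registry serves that day; for a change whose stated purpose is fixing CVEs, pin the base by digest (`FROM cgr.dev/chainguard/wolfi-base@sha256:<digest>`) and bump it deliberately, otherwise a scan result only describes the one build it was taken from. The same applies to `apk add python-${version} py${version}-pip` and `python -m pip install poetry`, which install whatever is current; pinning those (and adding `--no-cache` to `apk add` if wolfi keeps an apk index cache the way Alpine does) keeps the image reproducible. Both `chown -R nonroot.nonroot /offat` calls run on an empty `WORKDIR` before any `COPY`, so the venv and sources copied afterwards stay root-owned; that is actually the safer posture for a `USER nonroot` runtime (code the process cannot modify), so either drop the chown as dead weight or, if the app must write under `/offat`, use `COPY --chown=nonroot:nonroot` on the specific paths instead. Minor: `FROM … as builder` / `as runtime` mixes casing with `FROM` (BuildKit's FromAsCasing check); `AS` is the conventional form.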
@@ -1,3 +1,11 @@
-build-local-images:
+build-slim-local-images:
 @docker build -f DockerFiles/base-Dockerfile -t dmdhrumilmistry/offat-base .
- @docker build -f DockerFiles/cli-Dockerfile -t dmdhrumilmistry/offat .
+ # @docker build -f DockerFiles/main/cli-Dockerfile -t dmdhrumilmistry/offat .
+
+build-local-image:
+ @docker build -f DockerFiles/wolfi-base-Dockerfile -t dmdhrumilmistry/offat-base . --no-cache --progress=plain
+
+scan-vulns:
+ @trivy image dmdhrumilmistry/offat-base --scanners vuln
+
+local: build-local-image scan-vulns
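Review bot: `scan-vulns` only reports — `trivy image` exits 0 whatever it finds — so `local: build-local-image scan-vulns` succeeds even when the freshly built base image carries critical CVEs, which defeats the point of chaining the scan after the build. Adding a threshold makes the target fail on findings: `@trivy image --scanners vuln --exit-code 1 --severity HIGH,CRITICAL dmdhrumilmistry/offat-base`. `--scanners vuln` also switches off trivy's default secret scanner, which is worth keeping for an image that copies the source tree in (`--scanners vuln,secret`). `--no-cache` on `build-local-image` forces a full rebuild every run, which is reasonable for a pre-scan build but deserves a one-line comment so it is not removed later as a speed-up.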