fix(build): extract OPA 0.66 from OPA dev image

This workaround is required since OPA 0.65.0 (latest published release) has cve-2024-24790. After solved we can rollback to the previouw installation method.
aquasecurity · Jun 21, 2024 · 78d75f1 · 78d75f1
1 parent 66b7b5e
commit 78d75f1
Showing 1 changed file with 13 additions and 4 deletions.
diff --git a/builder/Dockerfile.alpine-tracee-container b/builder/Dockerfile.alpine-tracee-container
@@ -13,6 +13,12 @@ ARG GO_VERSION=1.22.0
 ARG OPA_VERSION=v0.63.0
 
 
+# This workaround is required since OPA 0.65.0 (latest published release) has cve-2024-24790.
+# After solved we can rollback to the commented installation lines below.
+#
+# Stage 1: Set the base image for the OPA extractor
+FROM openpolicyagent/opa:0.66.0-dev-static as opa-extractor
+
 #
 # tracee-base
 #
@@ -30,10 +36,13 @@ RUN apk --no-cache update && \
     apk --no-cache add libc6-compat
 
 # install OPA
-ARG OPA_VERSION
-RUN altarch=$(uname -m | sed 's:x86_64:amd64:g' | sed 's:aarch64:arm64:g') && \
-    curl -L -o /usr/bin/opa https://github.com/open-policy-agent/opa/releases/download/${OPA_VERSION}/opa_linux_${altarch}_static && \
-    chmod 755 /usr/bin/opa
+
+# ARG OPA_VERSION
+# RUN altarch=$(uname -m | sed 's:x86_64:amd64:g' | sed 's:aarch64:arm64:g') && \
+# curl -L -o /usr/bin/opa https://github.com/open-policy-agent/opa/releases/download/${OPA_VERSION}/opa_linux_${altarch}_static && \
+# chmod 755 /usr/bin/opa
+
+COPY --from=opa-extractor /opa /usr/bin/opa
 
 #
 # tracee-make-base