
fix: go back to root user in Dockerfile #103

Merged

Conversation

jmeridth
Member

@jmeridth jmeridth commented Mar 17, 2024

Fixes: #101

Pull Request

Proposed Changes

Based on GitHub docs we will not be able to access the workspace of the GitHub Action without being the root user. As a non-root user we won't be able to write to $GITHUB_OUTPUT, which is an environment variable that is a path inside the workspace that GitHub Actions uses to handle output from the GitHub Action.

Once that was realized, this seems to be the only possible path.

fix: ignore checkov linter requiring user in Dockerfile (docs)

Running checkov locally

Note: CKV_DOCKER_3 is skipped

Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	SKIPPED for resource: Dockerfile.
	Suppress comment: No comment provided
	File: Dockerfile:1-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

Readiness Checklist

Author/Contributor

  • If documentation is needed for this change, has that been included in this pull request
  • run make lint and fix any issues that you have introduced
  • run make test and ensure you have test coverage for the lines you are introducing

Reviewer

  • Label as either bug, documentation, enhancement, infrastructure, or breaking
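An added example, not the project's own Dockerfile, of the shape this fix takes: the container keeps the default root user so the entrypoint can append to $GITHUB_OUTPUT, and the CKV_DOCKER_3 finding is suppressed inline with a recorded reason, so checkov reports that reason instead of "No comment provided". The base image, paths, script name and issue reference are placeholders.

```dockerfile
# Hypothetical Dockerfile for a Docker-based GitHub Action (added example,
# not the file from the repository this pull request changes).
FROM python:3.12-slim

# Inline checkov suppression with a justification. The text after the second
# colon is what checkov prints as the "Suppress comment" for the skipped check.
#checkov:skip=CKV_DOCKER_3: Action must run as root; $GITHUB_OUTPUT is a file in the runner-mounted workspace that a non-root container user cannot write (see issue #101)

WORKDIR /action
COPY requirements.txt ./
RUN pip install --no-cache-dir -r requirements.txt
COPY stale_repos.py ./

# No USER instruction on purpose: the image's default user (root) is what lets
# the entrypoint append "name=value" lines to the file in $GITHUB_OUTPUT.
# Everything else stays minimal: no exposed ports, only the action code and
# its pinned dependencies in the image.
ENTRYPOINT ["python", "/action/stale_repos.py"]
```

Re-running checkov against this file should still list CKV_DOCKER_3 as SKIPPED, but with the justification above in place of "No comment provided".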

@jmeridth jmeridth requested a review from zkoppert as a code owner March 17, 2024 06:59
@jmeridth
Member Author

jmeridth commented Mar 17, 2024

Other options: we do set up a non-root user with sudoer privileges. This should satisfy the security linter and still give us the same privileges as root in the container. (yep, I understand still insecure)

@zkoppert zkoppert added the bug Something isn't working label Mar 18, 2024
@zkoppert
Member

We will likely need to add something in the dockerfile or a config file to exempt the security rule being caught by the linter.

@jmeridth jmeridth force-pushed the jm-go-back-to-root-user-in-dockerfile branch from cb33298 to 0d0abf2 Compare March 18, 2024 22:21
Fixes: github#101

Based on [GitHub docs]() we will not be able to access the workspace
of the GitHub Action without being the root user.  As a non-root user
we won't be able to write to `$GITHUB_OUTPUT` which is an environment
variable that is a path inside the workspace that GitHub Actions
uses to handle output from the GitHub Action.

Once that was realized, this seems to be the only possible path.

fix: ignore checkov linter requiring user in Dockerfile

Signed-off-by: jmeridth <jmeridth@gmail.com>
@jmeridth jmeridth force-pushed the jm-go-back-to-root-user-in-dockerfile branch from 0d0abf2 to eee235e Compare March 18, 2024 22:24
@jmeridth
Member Author

@zkoppert updated and pushed with skip for user in Dockerfile

Member

@zkoppert zkoppert left a comment


Thanks for the follow up on this @jmeridth!

@zkoppert zkoppert merged commit d55bacb into github:main Mar 19, 2024
7 checks passed
@jmeridth jmeridth deleted the jm-go-back-to-root-user-in-dockerfile branch March 19, 2024 18:44
jmeridth added a commit to jmeridth/cleanowners that referenced this pull request Mar 20, 2024
- [x] add skips for checkov
  - can't add user due to needing root access [context](github/stale-repos#103)
  - add health check endpoint - not there yet
- [x] move flake8 arguments from Makefile into .github/linters/.flake8 config file
- [x] move .pylintrc from root to .github/linters/.pylintrc so superlinter uses it

there might be a few other linting errors, but I'm not able to recreate locally currently

Signed-off-by: jmeridth <jmeridth@gmail.com>
jmeridth added a commit to jmeridth/cleanowners that referenced this pull request Mar 20, 2024
- [x] add skips for checkov
  - can't add user due to needing root access [context](github/stale-repos#103)
  - add health check endpoint - not there yet
- [x] move flake8 arguments from Makefile into .github/linters/.flake8 config file
  - use .flake8 config in Makefile
- [x] move .pylintrc from root to .github/linters/.pylintrc so superlinter uses it

there might be a few other linting errors, but I'm not able to recreate locally currently

Signed-off-by: jmeridth <jmeridth@gmail.com>
jmeridth added a commit to jmeridth/cleanowners that referenced this pull request Mar 20, 2024
- [x] add skips for checkov
  - can't add user due to needing root access [context](github/stale-repos#103)
  - add health check endpoint - not there yet
- [x] move flake8 arguments from Makefile into .github/linters/.flake8 config file
  - use .flake8 config in Makefile
- [x] move .pylintrc from root to .github/linters/.pylintrc so superlinter uses it
- [x] add missing --- at top of stale.yml github action (makes warning happy)

there might be a few other linting errors, but I'm not able to recreate locally currently

Signed-off-by: jmeridth <jmeridth@gmail.com>
jmeridth added a commit to jmeridth/cleanowners that referenced this pull request Mar 20, 2024
- [x] add skips for checkov
  - can't add user due to needing root access [context](github/stale-repos#103)
  - add health check endpoint - not there yet
- [x] move flake8 arguments from Makefile into .github/linters/.flake8 config file
  - use .flake8 config in Makefile
- [x] move .pylintrc from root to .github/linters/.pylintrc so superlinter uses it
- [x] add missing --- at top of stale.yml github action (makes warning happy)
- [x] update super-linter to v6

there might be a few other linting errors, but I'm not able to recreate locally currently

Signed-off-by: jmeridth <jmeridth@gmail.com>
jmeridth added a commit to jmeridth/cleanowners that referenced this pull request Mar 20, 2024
- [x] add skips for checkov
  - can't add user due to needing root access [context](github/stale-repos#103)
  - add health check endpoint - not there yet
- [x] move flake8 arguments from Makefile into .github/linters/.flake8 config file
  - use .flake8 config in Makefile
- [x] move .pylintrc from root to .github/linters/.pylintrc so superlinter uses it
  - rename file to .python-lint (default that superlinter looks for)
- [x] add missing --- at top of stale.yml github action (makes warning happy)
- [x] update super-linter to v6
- [x] update README with permissions best practices in examples

there might be a few other linting errors, but I'm not able to recreate locally currently

Signed-off-by: jmeridth <jmeridth@gmail.com>
Labels
bug Something isn't working
Successfully merging this pull request may close these issues.

Permission error on GITHUB_OUTPUT Still present
2 participants