FIX: Upgraded docker dependencies #607
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There were security issues reported in several components in the Dockerfile. This PR fixes them. It should not introduce any breaking changes, but this container does now run as a 'gitleaks' user. Issues reported: * 3 Vulnerabilities in Openssh v8.1_p1-r0 * 1 Vulnerability in busybox v 1.31.1-r9 * 1 Vulnerability in apk-tools v2.10.5-r0 * 1 CIS best practices issue - Container did not run as non-root Additional fixes/changes * Refactored Dockerfile to allow easier upgrades in the future through ARGuments. * Refactored makefile to support additional arguments * Refactored makefile with an IMAGE_PATH to make future container tests easier * Downgraded to openssh-client instead of openssh*. Having the openssh server in the container is a bad practice. * Did *not* version pin the APKs as that is against Alpine guidance Fixes gitleaks#562
zricethezav
reviewed
Aug 27, 2021
| @@ -33,18 +37,17 @@ release-builds: | |||
| rm -rf build | |||
| mkdir build | |||
| env GOOS="windows" GOARCH="amd64" go build -o "build/gitleaks-windows-amd64.exe" $(LDFLAGS) | |||
| env GOOS="windows" GOARCH="386" go build -o "build/gitleaks-windows-386.exe" $(LDFLAGS) | |||
| env GOOS="linux" GOARCH="amd64" go build -o "build/gitleaks-linux-amd64" $(LDFLAGS) | |||
| env GOOS="windows" GOARCH="386" go$(DOCKER_BUILD_ARGS) uild -o "build/gitleaks-linux-amd64" $(LDFLAGS) | |||
There was a problem hiding this comment.
@derekmurawsky Looks like there is a typo here. Also why is amd64 removed?
There was a problem hiding this comment.
Apologies for the delayed response, I missed the notification. Closing the loop on this: I'm honestly not sure. I think I may have fat fingered and removed the line by accident. The goal was to move the docker build args to a variable as changing them in multiple places was a bit of a pain when I was trying to build the container using my own version.
|
Closing this in favor of #615, I will still give you a shout out in the next release |
|
Sounds good! Thanks for patching it. :) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There were security issues reported in several components in the
Dockerfile. This PR fixes them. It should not introduce any
breaking changes, but this container does now run as a 'gitleaks'
user.
Issues reported:
Additional fixes/changes
through ARGuments.
tests easier
openssh server in the container is a bad practice.
Fixes #562
NOTE: I was not able to scan using the proprietary twistlock tool.
Description:
Explain the purpose of the PR.
Checklist: