kuberhealthy · integrii · Apr 6, 2020 · Mar 31, 2020 · Mar 31, 2020 · Mar 31, 2020
diff --git a/.github/workflows/build-latest-ami-check.yml b/.github/workflows/build-latest-ami-check.yml
@@ -14,6 +14,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
+    - name: dockerfile sweep for best practices
+      uses: burdzwastaken/hadolint-action@master
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        HADOLINT_ACTION_DOCKERFILE_FOLDER: cmd/ami-check
+        HADOLINT_ACTION_COMMENT: false
     - name: build container
       run: docker build --file cmd/ami-check/Dockerfile --tag $IMAGE_NAME .
     - name: Log into docker hub
@@ -22,3 +28,5 @@ jobs:
       run: |
           docker tag $IMAGE_NAME kuberhealthy/$IMAGE_NAME
           docker push kuberhealthy/$IMAGE_NAME
+    - name: scan docker image for vulnerabilities
+      run: curl -s https://ci-tools.anchore.io/inline_scan-v0.6.0 | bash -s -- -p -r kuberhealthy/$IMAGE_NAME:latest
diff --git a/.github/workflows/build-latest-check-reaper.yml b/.github/workflows/build-latest-check-reaper.yml
@@ -14,6 +14,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
+    - name: dockerfile sweep for best practices
+      uses: burdzwastaken/hadolint-action@master
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        HADOLINT_ACTION_DOCKERFILE_FOLDER: cmd/check-reaper
+        HADOLINT_ACTION_COMMENT: false
     - name: build container
       run: docker build --file cmd/check-reaper/Dockerfile --tag $IMAGE_NAME .
     - name: Log into docker hub
@@ -22,3 +28,5 @@ jobs:
       run: |
           docker tag $IMAGE_NAME kuberhealthy/$IMAGE_NAME
           docker push kuberhealthy/$IMAGE_NAME
+    - name: scan docker image for vulnerabilities
+      run: curl -s https://ci-tools.anchore.io/inline_scan-v0.6.0 | bash -s -- -p -r kuberhealthy/$IMAGE_NAME:latest
diff --git a/.github/workflows/build-latest-daemonset-check.yml b/.github/workflows/build-latest-daemonset-check.yml
@@ -14,6 +14,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
+    - name: dockerfile sweep for best practices
+      uses: burdzwastaken/hadolint-action@master
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        HADOLINT_ACTION_DOCKERFILE_FOLDER: cmd/daemonset-check
+        HADOLINT_ACTION_COMMENT: false
     - name: build container
       run: docker build --file cmd/daemonset-check/Dockerfile --tag $IMAGE_NAME .
     - name: Log into docker hub
@@ -22,3 +28,5 @@ jobs:
       run: |
           docker tag $IMAGE_NAME kuberhealthy/$IMAGE_NAME
           docker push kuberhealthy/$IMAGE_NAME
+    - name: scan docker image for vulnerabilities
+      run: curl -s https://ci-tools.anchore.io/inline_scan-v0.6.0 | bash -s -- -p -r kuberhealthy/$IMAGE_NAME:latest
diff --git a/.github/workflows/build-latest-deployment-check.yml b/.github/workflows/build-latest-deployment-check.yml
@@ -14,6 +14,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
+    - name: dockerfile sweep for best practices
+      uses: burdzwastaken/hadolint-action@master
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        HADOLINT_ACTION_DOCKERFILE_FOLDER: cmd/deployment-check
+        HADOLINT_ACTION_COMMENT: false
     - name: build container
       run: docker build --file cmd/deployment-check/Dockerfile --tag $IMAGE_NAME .
     - name: Log into docker hub
@@ -22,3 +28,5 @@ jobs:
       run: |
           docker tag $IMAGE_NAME kuberhealthy/$IMAGE_NAME
           docker push kuberhealthy/$IMAGE_NAME
+    - name: scan docker image for vulnerabilities
+      run: curl -s https://ci-tools.anchore.io/inline_scan-v0.6.0 | bash -s -- -p -r kuberhealthy/$IMAGE_NAME:latest
diff --git a/.github/workflows/build-latest-dns-resolution-check.yml b/.github/workflows/build-latest-dns-resolution-check.yml
@@ -14,6 +14,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
+    - name: dockerfile sweep for best practices
+      uses: burdzwastaken/hadolint-action@master
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        HADOLINT_ACTION_DOCKERFILE_FOLDER: cmd/dns-resolution-check
+        HADOLINT_ACTION_COMMENT: false
     - name: build container
       run: docker build --file cmd/dns-resolution-check/Dockerfile --tag $IMAGE_NAME .
     - name: Log into docker hub
@@ -22,3 +28,5 @@ jobs:
       run: |
           docker tag $IMAGE_NAME kuberhealthy/$IMAGE_NAME
           docker push kuberhealthy/$IMAGE_NAME
+    - name: scan docker image for vulnerabilities
+      run: curl -s https://ci-tools.anchore.io/inline_scan-v0.6.0 | bash -s -- -p -r kuberhealthy/$IMAGE_NAME:latest
diff --git a/.github/workflows/build-latest-http-check.yml b/.github/workflows/build-latest-http-check.yml
@@ -14,6 +14,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
+    - name: dockerfile sweep for best practices
+      uses: burdzwastaken/hadolint-action@master
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        HADOLINT_ACTION_DOCKERFILE_FOLDER: cmd/http-check
+        HADOLINT_ACTION_COMMENT: false
     - name: build container
       run: docker build --file cmd/http-check/Dockerfile --tag $IMAGE_NAME .
     - name: Log into docker hub
@@ -22,3 +28,5 @@ jobs:
       run: |
           docker tag $IMAGE_NAME kuberhealthy/$IMAGE_NAME
           docker push kuberhealthy/$IMAGE_NAME
+    - name: scan docker image for vulnerabilities
+      run: curl -s https://ci-tools.anchore.io/inline_scan-v0.6.0 | bash -s -- -p -r kuberhealthy/$IMAGE_NAME:latest
diff --git a/.github/workflows/build-latest-http-content-check.yml b/.github/workflows/build-latest-http-content-check.yml
@@ -14,6 +14,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
+    - name: dockerfile sweep for best practices
+      uses: burdzwastaken/hadolint-action@master
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        HADOLINT_ACTION_DOCKERFILE_FOLDER: cmd/http-content-check
+        HADOLINT_ACTION_COMMENT: false
     - name: build container
       run: docker build --file cmd/http-content-check/Dockerfile --tag $IMAGE_NAME .
     - name: Log into docker hub
@@ -22,3 +28,5 @@ jobs:
       run: |
           docker tag $IMAGE_NAME kuberhealthy/$IMAGE_NAME
           docker push kuberhealthy/$IMAGE_NAME
+    - name: scan docker image for vulnerabilities
+      run: curl -s https://ci-tools.anchore.io/inline_scan-v0.6.0 | bash -s -- -p -r kuberhealthy/$IMAGE_NAME:latest
diff --git a/.github/workflows/build-latest-kiam-check.yml b/.github/workflows/build-latest-kiam-check.yml
@@ -14,6 +14,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
+    - name: dockerfile sweep for best practices
+      uses: burdzwastaken/hadolint-action@master
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        HADOLINT_ACTION_DOCKERFILE_FOLDER: cmd/kiam-check
+        HADOLINT_ACTION_COMMENT: false
     - name: build container
       run: docker build --file cmd/kiam-check/Dockerfile --tag $IMAGE_NAME .
     - name: Log into docker hub
@@ -22,3 +28,5 @@ jobs:
       run: |
           docker tag $IMAGE_NAME kuberhealthy/$IMAGE_NAME
           docker push kuberhealthy/$IMAGE_NAME
+    - name: scan docker image for vulnerabilities
+      run: curl -s https://ci-tools.anchore.io/inline_scan-v0.6.0 | bash -s -- -p -r kuberhealthy/$IMAGE_NAME:latest
diff --git a/.github/workflows/build-latest-pod-restarts-check.yml b/.github/workflows/build-latest-pod-restarts-check.yml
@@ -14,6 +14,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
+    - name: dockerfile sweep for best practices
+      uses: burdzwastaken/hadolint-action@master
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        HADOLINT_ACTION_DOCKERFILE_FOLDER: cmd/pod-restarts-check
+        HADOLINT_ACTION_COMMENT: false
     - name: build container
       run: docker build --file cmd/pod-restarts-check/Dockerfile --tag $IMAGE_NAME .
     - name: Log into docker hub
@@ -22,3 +28,5 @@ jobs:
       run: |
           docker tag $IMAGE_NAME kuberhealthy/$IMAGE_NAME
           docker push kuberhealthy/$IMAGE_NAME
+    - name: scan docker image for vulnerabilities
+      run: curl -s https://ci-tools.anchore.io/inline_scan-v0.6.0 | bash -s -- -p -r kuberhealthy/$IMAGE_NAME:latest
diff --git a/.github/workflows/build-latest-pod-status-check.yml b/.github/workflows/build-latest-pod-status-check.yml
@@ -14,6 +14,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
+    - name: dockerfile sweep for best practices
+      uses: burdzwastaken/hadolint-action@master
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        HADOLINT_ACTION_DOCKERFILE_FOLDER: cmd/pod-status-check
+        HADOLINT_ACTION_COMMENT: false
     - name: build container
       run: docker build --file cmd/pod-status-check/Dockerfile --tag $IMAGE_NAME .
     - name: Log into docker hub
@@ -22,3 +28,5 @@ jobs:
       run: |
           docker tag $IMAGE_NAME kuberhealthy/$IMAGE_NAME
           docker push kuberhealthy/$IMAGE_NAME
+    - name: scan docker image for vulnerabilities
+      run: curl -s https://ci-tools.anchore.io/inline_scan-v0.6.0 | bash -s -- -p -r kuberhealthy/$IMAGE_NAME:latest
diff --git a/.github/workflows/build-latest-resource-quota-check.yml b/.github/workflows/build-latest-resource-quota-check.yml
@@ -14,6 +14,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
+    - name: dockerfile sweep for best practices
+      uses: burdzwastaken/hadolint-action@master
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        HADOLINT_ACTION_DOCKERFILE_FOLDER: cmd/resource-quota-check
+        HADOLINT_ACTION_COMMENT: false
     - name: build container
       run: docker build --file cmd/resource-quota-check/Dockerfile --tag $IMAGE_NAME .
     - name: Log into docker hub
@@ -22,3 +28,5 @@ jobs:
       run: |
           docker tag $IMAGE_NAME kuberhealthy/$IMAGE_NAME
           docker push kuberhealthy/$IMAGE_NAME
+    - name: scan docker image for vulnerabilities
+      run: curl -s https://ci-tools.anchore.io/inline_scan-v0.6.0 | bash -s -- -p -r kuberhealthy/$IMAGE_NAME:latest
diff --git a/.github/workflows/build-latest-test-external-check.yml b/.github/workflows/build-latest-test-external-check.yml
@@ -14,6 +14,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
+    - name: dockerfile sweep for best practices
+      uses: burdzwastaken/hadolint-action@master
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        HADOLINT_ACTION_DOCKERFILE_FOLDER: cmd/test-external-check
+        HADOLINT_ACTION_COMMENT: false
     - name: build container
       run: docker build --file cmd/test-external-check/Dockerfile --tag $IMAGE_NAME .
     - name: Log into docker hub
@@ -22,3 +28,5 @@ jobs:
       run: |
           docker tag $IMAGE_NAME kuberhealthy/$IMAGE_NAME
           docker push kuberhealthy/$IMAGE_NAME
+    - name: scan docker image for vulnerabilities
+      run: curl -s https://ci-tools.anchore.io/inline_scan-v0.6.0 | bash -s -- -p -r kuberhealthy/$IMAGE_NAME:latest
diff --git a/cmd/ami-check/.test b/cmd/ami-check/.test
@@ -1 +1 @@
-"Final Test"
+"testing"
diff --git a/cmd/ami-check/Dockerfile b/cmd/ami-check/Dockerfile
@@ -1,9 +1,13 @@
-FROM golang AS builder
-ADD . /build
+FROM golang:1.13 AS builder
+RUN groupadd -g 999 user && \
+    useradd -r -u 999 -g user user
+COPY --chown=user:user . /build
 WORKDIR /build/cmd/ami-check
-RUN CGO_ENABLED=0 go build -v
-
+ENV CGO_ENABLED=0
+RUN go build -v
 FROM scratch
+COPY --from=builder /etc/passwd /etc/passwd
+USER user
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 COPY --from=builder /build/cmd/ami-check/ami-check /app/ami-check
 ENTRYPOINT ["/app/ami-check"]
diff --git a/cmd/ami-check/Makefile b/cmd/ami-check/Makefile
@@ -1,5 +1,5 @@
 build:
-	docker build -t kuberhealthy/ami-check:v1.1.0 -f Dockerfile ../../
+	docker build -t kuberhealthy/ami-check:v1.2.0 -f Dockerfile ../../
 
 push:
-		docker push kuberhealthy/ami-check:v1.1.0
+		docker push kuberhealthy/ami-check:v1.2.0
diff --git a/cmd/check-reaper/.test b/cmd/check-reaper/.test
@@ -1 +1 @@
-"Final Test"
+"testing 123"
diff --git a/cmd/check-reaper/Dockerfile b/cmd/check-reaper/Dockerfile
@@ -1,10 +1,13 @@
-FROM golang AS builder
-ADD . /build
+FROM golang:1.13 AS builder
+RUN groupadd -g 999 user && \
+    useradd -r -u 999 -g user user
+COPY --chown=user:user . /build
 WORKDIR /build/cmd/check-reaper
 ENV CGO_ENABLED=0
 RUN go build -v
-
 FROM scratch
+COPY --from=builder /etc/passwd /etc/passwd
+USER user
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 COPY --from=builder /build/cmd/check-reaper/check-reaper /app/check-reaper
 ENTRYPOINT ["/app/check-reaper"]
diff --git a/cmd/check-reaper/Makefile b/cmd/check-reaper/Makefile
@@ -1,5 +1,5 @@
 build:
-	docker build -t kuberhealthy/check-reaper:v1.2.1 -f Dockerfile ../../
+	docker build -t kuberhealthy/check-reaper:v1.3.1 -f Dockerfile ../../
 
 push:
-	docker push kuberhealthy/check-reaper:v1.2.1
+	docker push kuberhealthy/check-reaper:v1.3.1
diff --git a/cmd/daemonset-check/.test b/cmd/daemonset-check/.test
@@ -1 +1 @@
-"Final Test"
+"testing 123"
diff --git a/cmd/daemonset-check/Dockerfile b/cmd/daemonset-check/Dockerfile
@@ -1,12 +1,13 @@
-FROM golang:1.13-alpine AS builder
-RUN apk upgrade
-ADD . /build
+FROM golang:1.13 AS builder
+RUN groupadd -g 999 user && \
+    useradd -r -u 999 -g user user
+COPY --chown=user:user . /build
 WORKDIR /build/cmd/daemonset-check
 ENV CGO_ENABLED=0
-RUN go test -v
 RUN go build -v
-
 FROM scratch
+COPY --from=builder /etc/passwd /etc/passwd
+USER user
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 COPY --from=builder /build/cmd/daemonset-check/daemonset-check /app/daemonset-check
 ENTRYPOINT ["/app/daemonset-check"]
diff --git a/cmd/daemonset-check/Makefile b/cmd/daemonset-check/Makefile
@@ -1,5 +1,5 @@
 build:
-	docker build -t kuberhealthy/daemonset-check:v2.1.1 -f Dockerfile ../../
+	docker build -t kuberhealthy/daemonset-check:v2.2.1 -f Dockerfile ../../
 
 push:
-	docker push kuberhealthy/daemonset-check:v2.1.1
+	docker push kuberhealthy/daemonset-check:v2.2.1
diff --git a/cmd/deployment-check/.test b/cmd/deployment-check/.test
@@ -1 +1 @@
-"Final Test"
+"Test"
diff --git a/cmd/deployment-check/Dockerfile b/cmd/deployment-check/Dockerfile
@@ -1,9 +1,13 @@
-FROM golang AS builder
-ADD . /build
+FROM golang:1.13 AS builder
+RUN groupadd -g 999 user && \
+    useradd -r -u 999 -g user user
+COPY --chown=user:user . /build
 WORKDIR /build/cmd/deployment-check
-RUN CGO_ENABLED=0 go build -v
-
+ENV CGO_ENABLED=0
+RUN go build -v
 FROM scratch
+COPY --from=builder /etc/passwd /etc/passwd
+USER user
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 COPY --from=builder /build/cmd/deployment-check/deployment-check /app/deployment-check
 ENTRYPOINT ["/app/deployment-check"]
diff --git a/cmd/deployment-check/Makefile b/cmd/deployment-check/Makefile
@@ -1,5 +1,5 @@
 build:
-	docker build -t kuberhealthy/deployment-check:v1.2.4 -f Dockerfile ../../
+	docker build -t kuberhealthy/deployment-check:v1.3.4 -f Dockerfile ../../
 
 push:
-	docker push kuberhealthy/deployment-check:v1.2.4
+	docker push kuberhealthy/deployment-check:v1.3.4
diff --git a/cmd/dns-resolution-check/.test b/cmd/dns-resolution-check/.test
@@ -1 +1 @@
-"Final Test"
+"Test"
diff --git a/cmd/dns-resolution-check/Dockerfile b/cmd/dns-resolution-check/Dockerfile
@@ -1,11 +1,13 @@
-FROM golang AS builder
-ADD . /build
+FROM golang:1.13 AS builder
+RUN groupadd -g 999 user && \
+    useradd -r -u 999 -g user user
+COPY --chown=user:user . /build
 WORKDIR /build/cmd/dns-resolution-check
 ENV CGO_ENABLED=0
-RUN go test -v
 RUN go build -v
-
 FROM scratch
+COPY --from=builder /etc/passwd /etc/passwd
+USER user
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 COPY --from=builder /build/cmd/dns-resolution-check/dns-resolution-check /app/dns-resolution-check
 ENTRYPOINT ["/app/dns-resolution-check"]
diff --git a/cmd/dns-resolution-check/Makefile b/cmd/dns-resolution-check/Makefile
@@ -1,5 +1,5 @@
 build:
-	docker build -t kuberhealthy/dns-resolution-check:v1.1.0 -f Dockerfile ../../
+	docker build -t kuberhealthy/dns-resolution-check:v1.2.0 -f Dockerfile ../../
 
 push:
-	docker push kuberhealthy/dns-resolution-check:v1.1.0
+	docker push kuberhealthy/dns-resolution-check:v1.2.0
diff --git a/cmd/http-check/.test b/cmd/http-check/.test
@@ -1 +1 @@
-"Final Test"
+"Test"
diff --git a/cmd/http-check/Dockerfile b/cmd/http-check/Dockerfile
@@ -1,9 +1,13 @@
-FROM golang AS builder
-ADD . /build
+FROM golang:1.13 AS builder
+RUN groupadd -g 999 user && \
+    useradd -r -u 999 -g user user
+COPY --chown=user:user . /build
 WORKDIR /build/cmd/http-check
-RUN CGO_ENABLED=0 go build -v
-
+ENV CGO_ENABLED=0
+RUN go build -v
 FROM scratch
+COPY --from=builder /etc/passwd /etc/passwd
+USER user
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 COPY --from=builder /build/cmd/http-check/http-check /app/http-check
 ENTRYPOINT ["/app/http-check"]