Merge pull request #8 from Demonsthere/feat/nonroot-image

feat: make image nonroot
rueian · May 31, 2023 · 1a7aa96 · 1a7aa96
2 parents 96de439 + 68b4726
commit 1a7aa96
Show file tree

Hide file tree

Showing 6 changed files with 127 additions and 143 deletions.
diff --git a/.github/workflows/cve-scan.yaml b/.github/workflows/cve-scan.yaml
@@ -0,0 +1,84 @@
+name: Docker Image Scanners
+on:
+  push:
+    branches:
+      - "master"
+    tags:
+      - "v*.*.*"
+  pull_request:
+    branches:
+      - "master"
+
+jobs:
+  scanners:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Setup Env
+        id: vars
+        shell: bash
+        run: |
+          echo "SHA_SHORT=$(git rev-parse --short HEAD)" >> "${GITHUB_ENV}"
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Build images
+        shell: bash
+        run: |
+          IMAGE_TAG="${{ env.SHA_SHORT }}" make docker
+      - name: Anchore Scanner
+        uses: anchore/scan-action@v3
+        id: grype-scan
+        with:
+          image: rueian/gke-hubble:${{ env.SHA_SHORT }}
+          fail-build: true
+          severity-cutoff: high
+          add-cpes-if-none: true
+      - name: Inspect action SARIF report
+        shell: bash
+        if: ${{ always() }}
+        run: |
+          echo "::group::Anchore Scan Details"
+          jq '.runs[0].results' ${{ steps.grype-scan.outputs.sarif }}
+          echo "::endgroup::"
+      - name: Anchore upload scan SARIF report
+        if: always()
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.grype-scan.outputs.sarif }}
+      - name: Trivy Scanner
+        uses: aquasecurity/trivy-action@master
+        if: ${{ always() }}
+        with:
+          image-ref: rueian/gke-hubble:${{ env.SHA_SHORT }}
+          format: "table"
+          exit-code: "42"
+          ignore-unfixed: true
+          vuln-type: "os,library"
+          severity: "CRITICAL,HIGH"
+          scanners: "vuln,secret,config"
+      - name: Dockle Linter
+        uses: erzz/[email protected]
+        if: ${{ always() }}
+        with:
+          image: rueian/gke-hubble:${{ env.SHA_SHORT }}
+          exit-code: 42
+          failure-threshold: high
+      - name: Hadolint
+        uses: hadolint/[email protected]
+        id: hadolint
+        if: ${{ always() }}
+        with:
+          dockerfile: Dockerfile
+          verbose: true
+          format: "json"
+          failure-threshold: "error"
+      - name: View Hadolint results
+        if: ${{ always() }}
+        shell: bash
+        run: |
+          echo "::group::Hadolint Scan Details"
+          echo "${HADOLINT_RESULTS}" | jq '.' 
+          echo "::endgroup::"
diff --git a/Dockerfile b/Dockerfile
@@ -3,12 +3,13 @@
 FROM golang:1.18 AS build
 ENV GOCACHE="/gobuildcache"
 ENV GOPATH="/go"
+ENV CGO_ENABLED=0
 WORKDIR /src
-ADD . /src
+COPY . /src
 RUN --mount=type=cache,target=/gobuildcache \
     --mount=type=cache,target=/go/pkg/mod/cache \
     ls cmd | xargs -I {} go build -o /{} cmd/{}/main.go
 
-FROM gcr.io/distroless/base-debian11 AS export
+FROM gcr.io/distroless/static-debian11:nonroot AS export
 COPY --from=build /export /
 ENTRYPOINT ["/export"]
diff --git a/Makefile b/Makefile
@@ -0,0 +1,9 @@
+export IMAGE_TAG := $(if $(IMAGE_TAG),$(IMAGE_TAG),latest)
+export DOCKER_BUILDKIT := 1
+export COMPOSE_DOCKER_CLI_BUILD := 1
+export DOCKER_CONTENT_TRUST := 1 
+
+# Build local docker image
+.PHONY: docker
+docker:
+	docker build -f Dockerfile -t rueian/gke-hubble:${IMAGE_TAG} .
diff --git a/dockerbuild.sh b/dockerbuild.sh
diff --git a/go.mod b/go.mod
@@ -3,7 +3,7 @@ module github.com/rueian/gke-hubble-export
 go 1.18
 
 require (
-	github.com/cilium/cilium v1.12.0
+	github.com/cilium/cilium v1.12.9
 	google.golang.org/grpc v1.48.0
 	google.golang.org/protobuf v1.28.0
 )
@@ -42,7 +42,7 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
-	github.com/opentracing/opentracing-go v1.2.0 // indirect
+	github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.1 // indirect
 	github.com/petermattis/goid v0.0.0-20180202154549-b0b1615b78e5 // indirect
@@ -65,22 +65,22 @@ require (
 	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
 	github.com/yusufpapurcu/wmi v1.2.2 // indirect
 	go.mongodb.org/mongo-driver v1.8.3 // indirect
-	golang.org/x/net v0.0.0-20220520000938-2e3eb7b945c2 // indirect
-	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
-	golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a // indirect
-	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/net v0.7.0 // indirect
+	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 // indirect
+	golang.org/x/sys v0.5.0 // indirect
+	golang.org/x/text v0.7.0 // indirect
 	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
 	google.golang.org/genproto v0.0.0-20220519153652-3a47de7e79bd // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.66.6 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apimachinery v0.24.2 // indirect
-	k8s.io/client-go v0.24.2 // indirect
+	k8s.io/apimachinery v0.24.13 // indirect
+	k8s.io/client-go v0.24.13 // indirect
 	k8s.io/klog/v2 v2.60.1 // indirect
 	k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 // indirect
 	sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 )
 
 replace (