diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index fd45552e..4a3e7efc 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -5,12 +5,13 @@ # # This line indicates we will use the hook from ibm/detect-secrets to run scan during committing phase. # Whitewater/whitewater-detect-secrets would sync code to ibm/detect-secrets upon merge. +repos: - repo: https://github.com/ibm/detect-secrets # If you desire to use a specific version of detect-secrets, you can replace `master` with other git revisions such as branch, tag or commit sha. # You are encouraged to use static refs such as tags, instead of branch name # # Running "pre-commit autoupdate" would automatically updates rev to latest tag - rev: master + rev: 0.13.1+ibm.46.dss hooks: - id: detect-secrets # pragma: whitelist secret # Add options for detect-secrets-hook binary. You can run `detect-secrets-hook --help` to list out all possible options. diff --git a/.secrets.baseline b/.secrets.baseline index 3b944aa0..53c9facd 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "go.*|^.secrets.baseline$", "lines": null }, - "generated_at": "2021-03-24T13:13:24Z", + "generated_at": "2021-09-28T15:42:12Z", "plugins_used": [ { "name": "AWSKeyDetector" @@ -11,6 +11,9 @@ { "name": "ArtifactoryDetector" }, + { + "name": "AzureStorageKeyDetector" + }, { "base64_limit": 4.5, "name": "Base64HighEntropyString" @@ -25,8 +28,12 @@ "name": "CloudantDetector" }, { + "ghe_instance": "github.ibm.com", "name": "GheDetector" }, + { + "name": "GitHubTokenDetector" + }, { "hex_limit": 3, "name": "HexHighEntropyString" @@ -47,6 +54,9 @@ { "name": "MailchimpDetector" }, + { + "name": "NpmDetector" + }, { "name": "PrivateKeyDetector" }, @@ -56,6 +66,9 @@ { "name": "SoftlayerDetector" }, + { + "name": "SquareOAuthDetector" + }, { "name": "StripeDetector" }, 
@@ -69,7 +82,7 @@ "hashed_secret": "ad5781cc8192e1e8247b3174bb14b2177c16d71c", "is_secret": false, "is_verified": false, - "line_number": 143, + "line_number": 170, "type": "Secret Keyword", "verified_result": null }, @@ -77,7 +90,7 @@ "hashed_secret": "05baadf86b23d3dafaf432263a7cf24d0287a350", "is_secret": false, "is_verified": false, - "line_number": 200, + "line_number": 227, "type": "Secret Keyword", "verified_result": null }, @@ -85,7 +98,7 @@ "hashed_secret": "13010f67cb54ac2a32bc6c4a5a7ab38133a11fa8", "is_secret": false, "is_verified": false, - "line_number": 203, + "line_number": 230, "type": "Secret Keyword", "verified_result": null } @@ -641,7 +654,7 @@ } ] }, - "version": "0.13.1+ibm.29.dss", + "version": "0.13.1+ibm.46.dss", "word_list": { "file": null, "hash": null diff --git a/Dockerfile b/Dockerfile index dd9d66b5..516cd975 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,16 +1,49 @@ -FROM golang:1.16.5 as golang - +FROM registry.access.redhat.com/ubi8/go-toolset:1.15.14-10 as gobuild +# This first stage of the build is purely to build the Golang binary for Portieris ARG VERSION=undefined -WORKDIR /go/src/github.com/IBM/portieris -RUN mkdir -p /go/src/github.com/IBM/portieris +# Work within the /opt/app-root/src working directory of the UBI go-toolset image +WORKDIR /opt/app-root/src/github.com/IBM/portieris +RUN mkdir -p /opt/app-root/src/github.com/IBM/portieris +# Create directory to store the built binary +RUN mkdir -p /opt/app-root/bin COPY . ./ RUN CGO_ENABLED=0 GOOS=linux go build \ -ldflags="-X github.com/IBM/portieris/internal/info.Version=$VERSION" -a \ - -tags containers_image_openpgp -o ./bin/portieris ./cmd/portieris + -tags containers_image_openpgp -o /opt/app-root/bin/portieris ./cmd/portieris + + +################################################################################# +# Use another intermediary step to identify and extract the minimum content required for the runtime image. +# The purpose of this is to keep the image size and attack surface as small as possible, +# while providing enough information for vulnerability scanning tools to inspect it. +FROM registry.access.redhat.com/ubi8/s2i-base:latest as installer +RUN yum upgrade -y +# prep target rootfs for scratch container +WORKDIR / +RUN mkdir /image && \ + ln -s usr/bin /image/bin && \ + ln -s usr/sbin /image/sbin && \ + ln -s usr/lib64 /image/lib64 && \ + ln -s usr/lib /image/lib && \ + mkdir -p /image/{usr/bin,usr/lib64,usr/lib,root,home,proc,etc,sys,var,dev} +# see files.txt for a list of needed files from the UBI image to copy into our +# final "FROM scratch" image; this would need to be modified if any additional +# content was required from UBI for the Portieris binary to function. 
+COPY files.txt /tmp
+RUN tar cf /tmp/files.tar -T /tmp/files.txt && tar xf /tmp/files.tar -C /image/ \
+ && strip --strip-unneeded /image/usr/lib64/*[0-9].so
+RUN rpm --root /image --initdb \
+ && PACKAGES=$(rpm -qf $(cat /tmp/files.txt) | grep -v "is not owned by any package" | sort -u) \
+ && echo dnf install -y 'dnf-command(download)' \
+ && dnf download --destdir / ${PACKAGES} \
+ && rpm --root /image -ivh --justdb --nodeps `for i in ${PACKAGES}; do echo $i.rpm; done`
+
+#################################################################################
+# Finally, copy the minimal image contents and the built binary into the scratch image
 FROM scratch
-COPY --from=golang /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-COPY --from=golang /go/src/github.com/IBM/portieris/bin/portieris /portieris
+COPY --from=installer /image/ /
+COPY --from=gobuild /opt/app-root/bin/portieris /portieris
 # Create /tmp for logs and /run for working directory
 RUN [ "/portieris", "--mkdir", "/tmp,/run" ]
 WORKDIR /run
diff --git a/files.txt b/files.txt
new file mode 100644
index 00000000..560cc448
--- /dev/null
+++ b/files.txt
@@ -0,0 +1,21 @@
+etc/pki
+root/buildinfo
+usr/lib64/ld-2.28.so
+usr/lib64/ld-linux-x86-64.so.2
+usr/lib64/libc-2.28.so
+usr/lib64/libc.so
+usr/lib64/libc.so.6
+usr/lib64/libssl.so
+usr/lib64/libssl.so.1.1
+usr/lib64/libdl-2.28.so
+usr/lib64/libdl.so
+usr/lib64/libdl.so.2
+usr/lib64/libpthread-2.28.so
+usr/lib64/libpthread.so
+usr/lib64/libpthread.so.0
+usr/lib64/libm-2.28.so
+usr/lib64/libm.so
+usr/lib64/libm.so.6
+etc/ssl/certs
+etc/redhat-release
+usr/share/zoneinfo
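Review bot: The installer-stage line `+ && echo dnf install -y 'dnf-command(download)' \` only prints the command, so the download plugin is never installed and the following `dnf download --destdir / ${PACKAGES}` silently depends on the plugin already being present in the base image; either drop the `echo` (`+ && dnf install -y 'dnf-command(download)' \`) or delete the line so the dependency is explicit. The same stage starts from `ubi8/s2i-base:latest` and runs `yum upgrade -y`, so the library set and rpm database copied into the scratch image change with the build date; pinning that tag (or a digest) the way `go-toolset:1.15.14-10` is pinned would make the runtime contents reproducible and reviewable. The build stage also moves from `golang:1.16.5` to a Go 1.15 toolset, which is a toolchain downgrade rather than an upgrade; confirm the module's go directive and dependencies still build under 1.15, since that file is not part of this commit.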
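Review bot: The shared libraries listed here (`usr/lib64/ld-2.28.so`, `usr/lib64/libc-2.28.so`, `usr/lib64/libssl.so.1.1`, libdl, libpthread, libm and their symlinks) are not loaded by the Portieris binary, which the Dockerfile in this commit builds with `CGO_ENABLED=0` and is therefore statically linked; shipping them enlarges the scratch image and the set of packages scanners will flag without serving the binary. If they are kept on purpose (for example so the rpm database in the final image records glibc and openssl for scanning), state that in the Dockerfile comment that introduces files.txt, since tar's `-T` input has no comment syntax; note too that `libssl.so.1.1` is listed without its `libcrypto` dependency, so it could not be loaded even if something needed it. The entries the Go binary does read at runtime are the trust store and zone data (`etc/pki`, `etc/ssl/certs`, `usr/share/zoneinfo`), which replace the single `ca-certificates.crt` copy the old Dockerfile made.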