Merge pull request #76 from OWASP/create-wolfi-docker-images
Update Dockerfiles to fix CVEs in the published container images (switch the base image to Chainguard Wolfi)
dmdhrumilmistry authored Apr 6, 2024
2 parents 3692ce2 + b328cbe commit 076b484
Showing 4 changed files with 112 additions and 9 deletions.
13 changes: 7 additions & 6 deletions .github/workflows/dev-push.yml
@@ -1,8 +1,9 @@
name: "Dev Release: Build and Push OWASP OFFAT Docker Images to DockerHub"
name: "Build and Push Dev/main OWASP OFFAT Docker Images to DockerHub"

on:
push:
branches:
- "main"
- "dev"

jobs:
Expand All @@ -24,31 +25,31 @@ jobs:
uses: docker/build-push-action@v3
with:
context: ./src/
file: ./src/DockerFiles/base-Dockerfile
file: ./src/DockerFiles/wolfi-base-Dockerfile
push: true
tags: ${{ secrets.DOCKERHUB_USERNAME }}/offat-base:dev
tags: ${{ secrets.DOCKERHUB_USERNAME }}/offat-base:${{ github.head_ref || github.ref_name }}
platforms: linux/amd64,linux/arm64
- name: Build and push offat docker image
uses: docker/build-push-action@v3
with:
context: ./src/
file: ./src/DockerFiles/dev/cli-Dockerfile
push: true
tags: ${{ secrets.DOCKERHUB_USERNAME }}/offat:dev
tags: ${{ secrets.DOCKERHUB_USERNAME }}/offat:${{ github.head_ref || github.ref_name }}
platforms: linux/amd64,linux/arm64
- name: Build and push offat-api docker image
uses: docker/build-push-action@v3
with:
context: ./src/
file: ./src/DockerFiles/dev/backend-api-Dockerfile
push: true
tags: ${{ secrets.DOCKERHUB_USERNAME }}/offat-api:dev
tags: ${{ secrets.DOCKERHUB_USERNAME }}/offat-api:${{ github.head_ref || github.ref_name }}
platforms: linux/amd64,linux/arm64
- name: Build and push offat-api-worker docker image
uses: docker/build-push-action@v3
with:
context: ./src/
file: ./src/DockerFiles/dev/backend-api-worker-Dockerfile
push: true
tags: ${{ secrets.DOCKERHUB_USERNAME }}/offat-api-worker:dev
tags: ${{ secrets.DOCKERHUB_USERNAME }}/offat-api-worker:${{ github.head_ref || github.ref_name }}
platforms: linux/amd64,linux/arm64
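Review bot: Every step in this file still pushes straight to Docker Hub with no vulnerability gate, even though the stated purpose of the commit is CVE remediation and the Makefile in the same commit gains a trivy `scan-vulns` target; a push to `main` or `dev` that regresses the base image is published as `offat-base:main`/`offat-base:dev` before anyone sees a scan result. Add a trivy step that fails the job on HIGH/CRITICAL findings (for example a single-arch `load: true` build scanned with `trivy image --exit-code 1 --severity HIGH,CRITICAL` ahead of the multi-platform `push: true` step). With only `push` triggers, `github.head_ref` is always empty, so the new `${{ github.head_ref || github.ref_name }}` expression reduces to `github.ref_name`; if a `pull_request` trigger is ever added, `head_ref` becomes a contributor-chosen branch name that may contain characters Docker rejects in tags, so the fallback deserves a comment such as `# head_ref is only set on pull_request events; branch names are used as-is as image tags`. `dev/cli-Dockerfile` and its siblings are not part of this commit; if they still `FROM` `offat-base:dev`, a push to `main` builds the CLI/API images on a stale base rather than the `offat-base:main` image pushed by the first step — worth confirming.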
37 changes: 36 additions & 1 deletion .github/workflows/release-push.yml
Expand Up @@ -19,11 +19,46 @@ jobs:
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
# Build and publish version tag image
- name: Build and push offat-base docker image
uses: docker/build-push-action@v3
with:
context: ./src/
file: ./src/DockerFiles/base-Dockerfile
file: ./src/DockerFiles/wolfi-base-Dockerfile
push: true
tags: ${{ secrets.DOCKERHUB_USERNAME }}/offat-base:${{ github.event.release.tag_name }}
platforms: linux/amd64,linux/arm64
- name: Build and push offat docker image
uses: docker/build-push-action@v3
with:
context: ./src/
file: ./src/DockerFiles/main/cli-Dockerfile
push: true
tags: ${{ secrets.DOCKERHUB_USERNAME }}/offat:${{ github.event.release.tag_name }}
platforms: linux/amd64,linux/arm64
- name: Build and push offat-api docker image
uses: docker/build-push-action@v3
with:
context: ./src/
file: ./src/DockerFiles/main/backend-api-Dockerfile
push: true
tags: ${{ secrets.DOCKERHUB_USERNAME }}/offat-api:${{ github.event.release.tag_name }}
platforms: linux/amd64,linux/arm64
- name: Build and push offat-api-worker docker image
uses: docker/build-push-action@v3
with:
context: ./src/
file: ./src/DockerFiles/main/backend-api-worker-Dockerfile
push: true
tags: ${{ secrets.DOCKERHUB_USERNAME }}/offat-api-worker:${{ github.event.release.tag_name }}
platforms: linux/amd64,linux/arm64

# Build and publish latest tag image
- name: Build and push offat-base docker image
uses: docker/build-push-action@v3
with:
context: ./src/
file: ./src/DockerFiles/wolfi-base-Dockerfile
push: true
tags: ${{ secrets.DOCKERHUB_USERNAME }}/offat-base:latest
platforms: linux/amd64,linux/arm64
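Review bot: The `latest` tag is produced by a second, independent build of `wolfi-base-Dockerfile` (the step after `# Build and publish latest tag image`) rather than by tagging the release build, so `offat-base:latest` and `offat-base:<tag_name>` can resolve to different digests — the Dockerfile's untagged `FROM cgr.dev/chainguard/wolfi-base` and unpinned `apk add` are resolved at build time, and nothing ties the two builds together. Tag the single build instead: in the first offat-base step write `tags: |` followed by `${{ secrets.DOCKERHUB_USERNAME }}/offat-base:${{ github.event.release.tag_name }}` and `${{ secrets.DOCKERHUB_USERNAME }}/offat-base:latest`, and drop the duplicate step. The remainder of the workflow runs past this hunk; if the `offat`, `offat-api` and `offat-api-worker` images get the same `latest` treatment there, the same fix applies. While here, `docker/build-push-action@v3` is a mutable tag; pinning actions to a full commit SHA with the version in a trailing comment is the usual supply-chain hardening for a workflow that holds registry credentials.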
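--- /dev/null
+++ b/src/DockerFiles/wolfi-base-Dockerfile
@@ -0,0 +1,59 @@
+############################
+# Builder Stage
+############################
+# use chainguard hardened images with SBOM
+FROM cgr.dev/chainguard/wolfi-base as builder
+
+WORKDIR /offat
+
+ARG version=3.12
+
+ENV LANG=C.UTF-8
+ENV PYTHONDONTWRITEBYTECODE=1
+ENV PYTHONUNBUFFERED=1
+ENV PATH="/offat/.venv/bin:$PATH"
+
+
+RUN apk add python-${version} py${version}-pip && \
+chown -R nonroot.nonroot /offat
+
+# install poetry and copy lock file
+RUN python -m pip install poetry
+COPY pyproject.toml poetry.lock README.md ./
+COPY offat ./offat
+
+# poetry config
+ENV POETRY_NO_INTERACTION=1 \
+POETRY_VIRTUALENVS_IN_PROJECT=1 \
+POETRY_VIRTUALENVS_CREATE=1 \
+POETRY_CACHE_DIR=/tmp/poetry_cache
+
+RUN --mount=type=cache,target=$POETRY_CACHE_DIR poetry install -E api --without dev
+
+############################
+# runtime stage
+############################
+FROM cgr.dev/chainguard/wolfi-base as runtime
+
+WORKDIR /offat
+
+ARG version=3.12
+
+ENV LANG=C.UTF-8
+ENV PYTHONDONTWRITEBYTECODE=1
+ENV PYTHONUNBUFFERED=1
+ENV PATH="/offat/.venv/bin:$PATH"
+ENV VIRTUAL_ENV=/offat/.venv
+
+RUN apk add python-${version} py${version}-pip && \
+chown -R nonroot.nonroot /offat
+
+
+# copy venv from builder image
+COPY --from=builder ${VIRTUAL_ENV} ${VIRTUAL_ENV}
+
+# copy necessary files
+COPY offat ./offat
+COPY README.md CODE_OF_CONDUCT.md DISCLAIMER.md pyproject.toml .
+
+USER nonroot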
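Review bot: Both `FROM cgr.dev/chainguard/wolfi-base` lines carry no tag or digest, so every build pulls whatever `latest` is at that moment; for a change whose purpose is CVE remediation that makes the published image's vulnerability state a function of build time and makes the trivy result non-reproducible — pin by digest (`FROM cgr.dev/chainguard/wolfi-base@sha256:<digest> AS builder`, same for `runtime`) and bump it deliberately, and consider pinning `python-${version}` to an exact apk version the same way. The runtime stage also installs `py${version}-pip`, which the copied `.venv` does not need to run; dropping it from the second `apk add` removes a package (and a way to pull code into the container at runtime) that trivy would otherwise have to keep clearing, unless downstream images rely on it. `chown -R nonroot.nonroot /offat` runs while `/offat` is still empty, so the later `COPY` layers (`.venv`, `offat/`, the metadata files) remain root-owned under `USER nonroot`; that is the right default for a read-only application tree, but the chown is then a no-op — either drop it or switch to `COPY --chown=nonroot:nonroot` only where write access is actually required, with a comment stating which it is.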
12 changes: 10 additions & 2 deletions src/Makefile
@@ -1,3 +1,11 @@
build-local-images:
build-slim-local-images:
@docker build -f DockerFiles/base-Dockerfile -t dmdhrumilmistry/offat-base .
@docker build -f DockerFiles/cli-Dockerfile -t dmdhrumilmistry/offat .
# @docker build -f DockerFiles/main/cli-Dockerfile -t dmdhrumilmistry/offat .

build-local-image:
@docker build -f DockerFiles/wolfi-base-Dockerfile -t dmdhrumilmistry/offat-base . --no-cache --progress=plain

scan-vulns:
@trivy image dmdhrumilmistry/offat-base --scanners vuln

local: build-local-image scan-vulns
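Review bot: `scan-vulns` only reports; trivy exits 0 on findings by default, so `make local` succeeds no matter what it detects and the scan never gates the image. Make it fail on anything that matters: `@trivy image --scanners vuln --exit-code 1 --severity HIGH,CRITICAL dmdhrumilmistry/offat-base` (adding `secret` to `--scanners` is cheap and catches credentials baked into layers). `build-slim-local-images` still builds `DockerFiles/base-Dockerfile` and carries a commented-out cli build; if the slim images are no longer supported now that both workflows use `wolfi-base-Dockerfile`, remove the target rather than leaving a dead one. Recipe lines must begin with a tab, which the rendered page has stripped, so that cannot be verified from here.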
