-
Notifications
You must be signed in to change notification settings - Fork 0
/
Dockerfile.slim
165 lines (154 loc) · 9.08 KB
/
Dockerfile.slim
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
FROM twdps/circleci-base-image:slim-6.11.0
LABEL org.opencontainers.image.title="circleci-infra-gcp" \
org.opencontainers.image.description="Debian-based CircleCI executor image" \
org.opencontainers.image.documentation="https://github.com/ThoughtWorks-DPS/circleci-infra-gcp" \
org.opencontainers.image.source="https://github.com/ThoughtWorks-DPS/circleci-infra-gcp" \
org.opencontainers.image.url="https://github.com/ThoughtWorks-DPS/circleci-infra-gcp" \
org.opencontainers.image.vendor="ThoughtWorks, Inc." \
org.opencontainers.image.authors="sean.alvarez@thoughtworks.com" \
org.opencontainers.image.licenses="MIT" \
org.opencontainers.image.created="CREATED" \
org.opencontainers.image.version="VERSION"
ENV TERRAFORM_VERSION=1.6.1
ENV TERRAFORM_SHA256SUM=d1a778850cc44d9348312c9527f471ea1b7a9213205bb5091ec698f3dc92e2a6
ENV TFLINT_VERSION=0.48.0
ENV TFSEC_VERSION=1.28.4
ENV GCLOUD_VERSION=451.0.1
ENV GCLOUD_SHA256SUM=8446f6d837168d7d66dd192c2221c1081c16a2b93cb54642a6bfb7078cd3dd53
ENV CHECKOV_VERSION=2.5.6
ENV DRIFTCTL_VERSION=0.39.0
ENV CIRCLEPIPE_VERSION=0.2.0
ENV COSIGN_VERSION=2.2.0
ENV DEBIAN_FRONTEND=noninteractive
########## DEBIAN VERSIONS ##########
# renovate: datasource=repology depName=debian_13/wget versioning=loose
ENV WGET_VERSION="1.21.4-1+b1"
# renovate: datasource=repology depName=debian_13/jq versioning=loose
ENV JQ_VERSION="1.7-1"
# renovate: datasource=repology depName=debian_13/bzip2 versioning=loose
ENV BZIP2_VERSION="1.0.8-5+b1"
# renovate: datasource=repology depName=debian_13/unzip versioning=loose
ENV UNZIP_VERSION="6.0-28"
# renovate: datasource=repology depName=debian_13/gnupg2 versioning=loose
ENV GNUPG_VERSION="2.2.40-1.1"
# renovate: datasource=repology depName=debian_13/ruby-full versioning=loose
ENV RUBY_FULL_VERSION="1:3.1"
# renovate: datasource=repology depName=debian_13/python3-dev versioning=loose
ENV PYTHON3_DEV_VERSION="3.11.4-5+b1"
# renovate: datasource=repology depName=debian_13/python3-venv versioning=loose
ENV PYTHON3_VENV_VERSION="3.11.4-5+b1"
# renovate: datasource=repology depName=debian_13/lsb-release versioning=loose
ENV LSB_RELEASE_VERSION="12.0-2"
# renovate: datasource=repology depName=debian_13/g++ versioning=loose
ENV GPP_VERSION="4:13.2.0-1"
# renovate: datasource=repology depName=debian_13/gcc versioning=loose
ENV GCC_VERSION="4:13.2.0-1"
# renovate: datasource=repology depName=debian_13/make-dfsg versioning=loose
ENV MAKE_VERSION="4.3-4.1"
########## PYTHON VERSIONS ##########
# renovate: datasource=repology depName=pypi/setuptools versioning=loose
ENV SETUPTOOLS_VERSION="68.2.2"
# renovate: datasource=repology depName=pypi/wheel versioning=loose
ENV WHEEL_VERSION="0.41.3"
# renovate: datasource=repology depName=pypi/invoke versioning=loose
ENV INVOKE_VERSION="2.2.0"
# renovate: datasource=repology depName=pypi/requests versioning=loose
ENV REQUESTS_VERSION="2.31.0"
# renovate: datasource=repology depName=pypi/Jinja2 versioning=loose
ENV JINJA2_VERSION="3.1.2"
# renovate: datasource=repology depName=pypi/checkov versioning=loose
ENV CHECKOV_VERSION="3.0.14"
########## NPM VERSIONS ##########
# renovate: datasource=npm depName=snyk versioning=loose
ENV SNYK_VERSION="1.1237.0"
# renovate: datasource=npm depName=github-release-notes versioning=loose
ENV GITHUB_RELEASE_NOTES_VERSION="0.17.3"
# renovate: datasource=npm depName=bats versioning=loose
ENV BATS_VERSION="1.10.0"
########## RUBY VERSIONS ##########
# renovate: datasource=repology depName=rubygems/inspec-bin versioning=loose
ENV INSPEC_BIN_VERSION="5.22.3"
# renovate: datasource=repology depName=rubygems/json versioning=loose
ENV JSON_VERSION="2.6.3"
######### DOCKERFILE SCRIPT #########
SHELL ["/bin/bash", "-exo", "pipefail", "-c"]
ENV PATH=/usr/local/google-cloud-sdk/bin:/home/circleci/.rbenv/bin:$PATH:/usr/local/go/bin:/home/circleci/.cargo/bin
ENV GOPATH=/home/circleci/.go
# sudo since twdps circleci base images set the USER=cirlceci
# hadolint ignore=DL3004, SC2086
RUN sudo apt-get update && sudo apt-get install --no-install-recommends -y \
wget=${WGET_VERSION} \
jq=${JQ_VERSION} \
bzip2=${BZIP2_VERSION} \
unzip=${UNZIP_VERSION} \
gnupg=${GNUPG_VERSION} \
ruby-full=${RUBY_FULL_VERSION} \
python3-dev=${PYTHON3_DEV_VERSION} \
python3-pip \
python3-venv=${PYTHON3_VENV_VERSION} \
lsb-release=${LSB_RELEASE_VERSION} \
gcc=${GCC_VERSION} \
g++=${GPP_VERSION} \
make=${MAKE_VERSION} && \
sudo mkdir -p /etc/apt/keyrings && \
sudo bash -c "curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg" && \
sudo bash -c "echo \"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian bullseye stable\" | tee /etc/apt/sources.list.d/docker.list > /dev/null" && sudo apt-get update && \
sudo apt-get install --no-install-recommends -y \
docker-ce=5:24.0.6-1~debian.11~bullseye \
docker-compose-plugin=2.21.0-1~debian.11~bullseye \
nodejs=18.13.0+dfsg1-1 \
npm=9.2.0~ds1-1 && \
sudo ln -f -s /usr/bin/pip3 /usr/bin/pip && \
sudo ln -f -s /usr/bin/pydoc3 /usr/bin/pydoc && \
sudo ln -f -s /usr/bin/python3 /usr/bin/python && \
sudo ln -f -s /usr/bin/python3-config /usr/bin/python-config && \
sudo pip install --no-cache-dir --break-system-packages setuptools==${SETUPTOOLS_VERSION} && \
sudo pip install --no-cache-dir --break-system-packages \
wheel==${WHEEL_VERSION} \
invoke==${INVOKE_VERSION} \
requests==${REQUESTS_VERSION} \
jinja2==${JINJA2_VERSION} \
checkov==${CHECKOV_VERSION} && \
sudo gem install --no-document \
inspec-bin:${INSPEC_BIN_VERSION} \
json:${JSON_VERSION} && \
sudo npm install -g \
snyk@${SNYK_VERSION} \
github-release-notes@${GITHUB_RELEASE_NOTES_VERSION} \
bats@${BATS_VERSION} && \
curl -SLO "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-${GCLOUD_VERSION}-linux-x86_64.tar.gz" > "google-cloud-cli-${GCLOUD_VERSION}-linux-x86_64.tar.gz" && \
echo "${GCLOUD_SHA256SUM} google-cloud-cli-${GCLOUD_VERSION}-linux-x86_64.tar.gz" > "google-cloud-cli-${GCLOUD_VERSION}-SHA256SUMS" && \
sha256sum -c "google-cloud-cli-${GCLOUD_VERSION}-SHA256SUMS" && sudo rm "google-cloud-cli-${GCLOUD_VERSION}-SHA256SUMS" && \
sudo tar -xvzf "google-cloud-cli-${GCLOUD_VERSION}-linux-x86_64.tar.gz" -C /usr/local && \
rm "google-cloud-cli-${GCLOUD_VERSION}-linux-x86_64.tar.gz" && \
sudo chmod +x /usr/local/google-cloud-sdk/install.sh && \
sudo chown -R "$(whoami)" /usr/local/google-cloud-sdk && \
sh /usr/local/google-cloud-sdk/install.sh -q && \
curl -SLO "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip" > "terraform_${TERRAFORM_VERSION}_linux_amd64.zip" && \
echo "${TERRAFORM_SHA256SUM} terraform_${TERRAFORM_VERSION}_linux_amd64.zip" > "terraform_${TERRAFORM_VERSION}_SHA256SUMS" && \
sha256sum -c "terraform_${TERRAFORM_VERSION}_SHA256SUMS" && sudo rm "terraform_${TERRAFORM_VERSION}_SHA256SUMS" && \
sudo unzip "terraform_${TERRAFORM_VERSION}_linux_amd64.zip" -d /usr/local/bin && \
sudo rm "terraform_${TERRAFORM_VERSION}_linux_amd64.zip" && \
curl -SLO "https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/tflint_linux_amd64.zip" > tflint_linux_amd64.zip && \
sudo unzip tflint_linux_amd64.zip -d /usr/local/bin && \
sudo rm tflint_linux_amd64.zip && \
curl -SLO https://github.com/aquasecurity/tfsec/releases/download/v${TFSEC_VERSION}/tfsec-linux-amd64 && \
chmod +x tfsec-linux-amd64 && \
sudo mv tfsec-linux-amd64 /usr/local/bin/tfsec && \
curl -L https://github.com/snyk/driftctl/releases/download/v${DRIFTCTL_VERSION}/driftctl_linux_amd64 -o driftctl && \
chmod +x driftctl && \
sudo mv driftctl /usr/local/bin/driftctl && \
curl -SLO https://github.com/ThoughtWorks-DPS/circlepipe/releases/download/${CIRCLEPIPE_VERSION}/circlepipe_Linux_amd64.tar.gz && \
mkdir ./circlepipe && tar -xzf circlepipe_Linux_amd64.tar.gz -C ./circlepipe && \
sudo mv ./circlepipe/circlepipe /usr/local/bin/circlepipe && \
sudo rm -rf ./circlepipe circlepipe_Linux_amd64.tar.gz && \
curl -LO https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64 && \
chmod +x cosign-linux-amd64 && sudo mv cosign-linux-amd64 /usr/local/bin/cosign && \
sudo -u circleci mkdir /home/circleci/.gnupg && \
sudo -u circleci bash -c "echo 'allow-loopback-pinentry' > /home/circleci/.gnupg/gpg-agent.conf" && \
sudo -u circleci bash -c "echo 'pinentry-mode loopback' > /home/circleci/.gnupg/gpg.conf" && \
chmod 700 /home/circleci/.gnupg && chmod 600 /home/circleci/.gnupg/* && \
sudo apt-get clean && \
sudo rm -rf /var/lib/apt/lists/*
COPY inspec /etc/chef/accepted_licenses/inspec
USER circleci