
Release v2.0.0: Run ASH as non-root user, add explicit CI stage #109

Open
wants to merge 46 commits into main

Conversation

@rafaelpereyra rafaelpereyra (Contributor) commented Oct 28, 2024

Issue #, if available:

N/A

Description of changes:

v2.0.0

Breaking Changes

  • Building ASH images for use in CI platforms (or other orchestration platforms that may require elevated access within the container) now requires targeting the ci stage of the Dockerfile:

    via the ash CLI:

        ash --no-run --build-target ci

    via docker or another OCI CLI:

        docker build --tag automated-security-helper:ci --target ci .

Features

  • Run ASH as a non-root user to align with security best practices.
  • Create a CI version of the Dockerfile that still runs as root, to comply with the different requirements of build platforms where the UID/GID cannot be modified and where additional agents installed at runtime require elevated privileges.

Fixes

  • Offline mode now skips the NPM/PNPM/Yarn Audit checks (they require a connection to the registry to pull package information)
  • NPM install during image build now restricts available memory to prevent segmentation fault

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
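The description above relies on one Dockerfile exposing two build targets: a default stage that drops privileges, and a `ci` stage that keeps root for runners that cannot remap the UID/GID. The following Dockerfile is an added illustration of that layout, written for this page; it is not the ASH project's own Dockerfile. The base image, installed packages, the `base` and `non-root` stage names, the `ash` user, the UID/GID defaults and the entrypoint path are all assumptions; only the `ci` target name and the build commands come from the PR description.

```dockerfile
# Added illustration of a two-target build (non-root by default, root for CI).
# Not the ASH project's Dockerfile: base image, packages, user name, UID/GID
# and entrypoint are assumptions made for this example.

# Shared layer: everything both targets need, built once.
FROM python:3.12-slim AS base
RUN apt-get update \
    && apt-get install -y --no-install-recommends git \
    && rm -rf /var/lib/apt/lists/*
WORKDIR /ash
COPY . /ash

# CI target: stays root on purpose. Some CI platforms cannot change the
# container's UID/GID and inject agents at runtime that need elevated
# privileges. It is only built when explicitly selected, e.g.
#   docker build --tag automated-security-helper:ci --target ci .
FROM base AS ci
USER root
ENTRYPOINT ["/ash/ash"]

# Default target (last stage wins when no --target is given): create an
# unprivileged user, hand it the working tree, and drop privileges before
# the entrypoint runs. UID/GID can be overridden at build time.
FROM base AS non-root
ARG ASH_UID=1000
ARG ASH_GID=1000
RUN groupadd --gid "${ASH_GID}" ash \
    && useradd --uid "${ASH_UID}" --gid "${ASH_GID}" --create-home ash \
    && chown -R ash:ash /ash
USER ash
ENTRYPOINT ["/ash/ash"]
```

Stage order matters here: `docker build` without `--target` builds the final stage, so the `ci` stage is deliberately placed before `non-root` and is only reachable through `--target ci`, matching the breaking change described above. A quick sanity check after building the default image is to run `id -u` inside it and confirm the result is not `0`.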

climbertjh2 and others added 29 commits April 29, 2024 12:36
…rtjh2/automated-security-helper into feature/78/run-container-non-root
…tly in offline mode so findings are still captured
@climbertjh2 climbertjh2 (Contributor) left a comment

Requesting one minor change.

Dockerfile (outdated, resolved)
scrthq
scrthq previously approved these changes Nov 1, 2024
@rafaelpereyra rafaelpereyra (Contributor, Author)

Includes changes from #79

@rafaelpereyra rafaelpereyra changed the title Merge from main ASH Running as non-root user Nov 1, 2024
scrthq
scrthq previously approved these changes Nov 1, 2024
awsmadi
awsmadi previously approved these changes Nov 12, 2024
@awsmadi awsmadi (Contributor) left a comment

looks great!

climbertjh2
climbertjh2 previously approved these changes Nov 13, 2024
@climbertjh2 climbertjh2 (Contributor) left a comment

This looks good to me.

I understand the addition of --target to the command-line options, since it is similar to the docker build command-line option of --target. However, in the context of the ash command-line, I think it might cause some confusion.

Also, in the command-line help, it says image to build - it probably should say image to run/build.

@scrthq scrthq dismissed stale reviews from climbertjh2 and awsmadi via bb4c68f December 2, 2024 19:50
Add additional checks for build expiry and ignoring Checkov/NPM Audit during offline mode
@scrthq scrthq changed the title ASH Running as non-root user Release v2.0.0: Run ASH as non-root user, add explicit CI stage Dec 2, 2024
scrthq
scrthq previously approved these changes Dec 3, 2024
@climbertjh2 climbertjh2 (Contributor) left a comment

I did a couple smoke tests - this looks OK to me. Approving.
