ci: Add checkov in Github workflow #83
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -17,23 +17,23 @@ diverse, inclusive, and healthy community. | |
| Examples of behavior that contributes to a positive environment for our | ||
| community include: | ||
|
|
||
| - Demonstrating empathy and kindness toward other people | ||
| - Being respectful of differing opinions, viewpoints, and experiences | ||
| - Giving and gracefully accepting constructive feedback | ||
| - Accepting responsibility and apologizing to those affected by our mistakes, | ||
| and learning from the experience | ||
| - Focusing on what is best not just for us as individuals, but for the | ||
| overall community | ||
|
|
||
| Examples of unacceptable behavior include: | ||
|
|
||
| - The use of sexualized language or imagery, and sexual attention or | ||
| advances of any kind | ||
| - Trolling, insulting or derogatory comments, and personal or political attacks | ||
| - Public or private harassment | ||
| - Publishing others' private information, such as a physical or email | ||
| address, without their explicit permission | ||
| - Other conduct which could reasonably be considered inappropriate in a | ||
| professional setting | ||
|
|
||
| ## Enforcement Responsibilities | ||
|
|
@@ -106,7 +106,7 @@ Violating these terms may lead to a permanent ban. | |
| ### 4. Permanent Ban | ||
|
|
||
| **Community Impact**: Demonstrating a pattern of violation of community | ||
| standards, including sustained inappropriate behavior, harassment of an | ||
|
There was a problem hiding this comment. issue (documentation): Double space detected. There is a double space between 'behavior,' and 'harassment'. Please correct it to a single space. |
||
| individual, or aggression toward or disparagement of classes of individuals. | ||
|
|
||
| **Consequence**: A permanent ban from any sort of public interaction within | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -5,7 +5,6 @@ | |
| [](LICENSE) | ||
|  | ||
|
|
||
| [](https://sonarcloud.io/summary/overall?id=dashmug_glue-utils) | ||
| [](https://sonarcloud.io/summary/overall?id=dashmug_glue-utils) | ||
| [](https://sonarcloud.io/summary/overall?id=dashmug_glue-utils) | ||
|
|
@@ -25,7 +24,6 @@ | |
| - [`GluePySparkJob`](#gluepysparkjob) | ||
| - [Other features](#other-features) | ||
|
|
||
| ## Usage in AWS Glue | ||
|
|
||
| To use `glue-utils` in AWS Glue, it needs to be added as an | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,53 +1,54 @@ | ||
| #checkov:skip=CKV_DOCKER_2: HEALTHCHECK is not needed for this container | ||
| # ----------------------- Base ----------------------- | ||
| FROM amazon/aws-glue-libs:glue_libs_4.0.0_image_01 as base | ||
|
|
||
| # Copy requirements file that contains tooling. | ||
| WORKDIR /home/glue_user/workspace | ||
|
|
||
| # hadolint ignore=DL3013 | ||
| RUN pip3 install --disable-pip-version-check --no-compile --no-cache-dir --no-warn-script-location --user --upgrade pip \ | ||
| && mkdir -p docker | ||
|
|
||
|
|
||
| # ----------------------- Test ----------------------- | ||
| FROM base as test | ||
|
|
||
| COPY docker/requirements.txt docker/requirements.txt | ||
|
|
||
| RUN pip3 install --disable-pip-version-check --no-compile --no-cache-dir --no-warn-script-location --user -r docker/requirements.txt | ||
|
|
||
| COPY src pyproject.toml README.md ./ | ||
|
|
||
| # Install this package. | ||
| RUN pip3 install --disable-pip-version-check --no-compile --no-cache-dir --no-warn-script-location --user . | ||
|
|
||
|
|
||
| # --------------------- Coverage --------------------- | ||
| FROM base as coverage | ||
|
|
||
| # Pass the host user to the container. | ||
| ARG USER_ID | ||
|
|
||
| # Switch to root to be able to make changes in the container filesystem. | ||
| USER root | ||
|
|
||
| # Clean up /tmp which may already have glue_user-owned files with the | ||
| # old UID. | ||
| RUN rm -rf /tmp/* \ | ||
| # Change UID of glue_user to be the same as host user. This allows | ||
| # JupyterLab to write to the host system as glue_user. | ||
| && usermod -u $USER_ID glue_user | ||
|
|
||
| # Switch to glue_user to be able to make changes for the user itself. | ||
| USER glue_user | ||
|
|
||
| COPY docker/requirements.txt docker/requirements.txt | ||
|
|
||
| RUN pip3 install --disable-pip-version-check --no-compile --no-cache-dir --no-warn-script-location --user -r docker/requirements.txt | ||
|
|
||
| COPY src pyproject.toml README.md ./ | ||
|
|
||
| # Install this package. | ||
| RUN pip3 install --disable-pip-version-check --no-compile --no-cache-dir --no-warn-script-location --user . \ | ||
| # Prepare a /tmp directory needed by Spark to start. | ||
| && mkdir -p /tmp/spark-events | ||
|
Check warning Code scanning / checkov Ensure that HEALTHCHECK instructions have been added to container images Warning |
||
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🚨 issue (security): Review the permissions granted to the Checkov job
The Checkov job is granted
actions: read,contents: read, andsecurity-events: writepermissions. Ensure that these permissions are necessary and follow the principle of least privilege to minimize security risks.