Merge pull request #6 from theredguild/develop

unified docker container, remove DinD

.devcontainer/devcontainer.json

@@ -1,8 +1,11 @@
 {
-    "name": "Security Tools",
-    "image": "mcr.microsoft.com/devcontainers/base:debian-12",
+    "name": "OSS Security Tools",
+
+    "build": {
+        "dockerfile": "../Dockerfile"
+    },
+
     "features": {
-        "ghcr.io/devcontainers/features/docker-in-docker:2.12.0": {}
     },
 
     "customizations": {
@@ -19,5 +22,5 @@
         "DOCKER_CLI_EXPERIMENTAL": "enabled"
     },
 
-    "remoteUser": "vscode"
+    "remoteUser": "wanderer"
 }

.github/workflows/test-tools.yml

@@ -4,9 +4,13 @@ on:
   push:
     branches:
       - main
+    paths:
+      - Dockerfile
   pull_request:
     branches:
       - main
+    paths:
+      - Dockerfile
 
 jobs:
   build-and-test:
@@ -16,6 +20,14 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Build and test container
-        run: |
-          make test
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build container
+        uses: docker/build-push-action@v6
+        with:
+          push: false
+          context: .
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          tags: theredguild/container-sec-tools:latest

Dockerfile

@@ -1,15 +1,134 @@
-# Already Dockerized tools
-FROM aquasec/trivy:latest AS trivy
-FROM ghcr.io/trufflesecurity/trufflehog:latest AS trufflehog
-
 FROM debian:bookworm-slim AS final
 
-# Install tools from their Docker images
-COPY --from=trivy /usr/local/bin/trivy /usr/local/bin/trivy
-RUN echo "trivy" >> /tools.txt
+# Set environment variables for the user and group
+ARG USERNAME=wanderer
+ARG GROUPNAME=trg
+ARG USER_UID=1000
+ARG USER_GID=1000
+
+# Install required packages
+RUN apt-get update && apt-get install -y \
+    curl \
+    wget \
+    git \
+    build-essential \
+    python3 \
+    python3-venv \
+    python3-dev \
+    python3-pip \
+    gnupg \
+    dirmngr \
+    ca-certificates \
+    libssl-dev \
+    zlib1g-dev \
+    libbz2-dev \
+    libreadline-dev \
+    libsqlite3-dev \
+    libffi-dev \
+    liblzma-dev \
+    zsh \
+    pipx \
+    sudo \
+    # # Does this make sense with asdf installing nodejs?
+    npm \
+    vim \
+    && rm -rf /var/lib/apt/lists/*
+
+# Create a user group named trg and a user named wanderer with specified UID and GID
+RUN groupadd --gid $USER_GID $GROUPNAME && \
+useradd --uid $USER_UID --gid $USER_GID --create-home $USERNAME
+
+# Configure passwordless sudo for the user wanderer
+RUN echo "$USERNAME ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
+
+# Optionally, add the user to the sudo group
+RUN usermod -aG sudo $USERNAME
+
+# Switch to the new user
+USER $USERNAME
+
+# Set the default shell to zsh
+ENV SHELL=/usr/bin/zsh
+
+# Running everything under zsh
+SHELL ["/usr/bin/zsh", "-c"]
+
+RUN git clone https://github.com/asdf-vm/asdf.git $HOME/.asdf --branch v0.14.1 \
+    && echo '. $HOME/.asdf/asdf.sh' >> $HOME/.zshrc \
+    && echo 'fpath=(${ASDF_DIR}/completions $fpath)' >> $HOME/.zshrc \
+    && echo 'autoload -Uz compinit && compinit' >> $HOME/.zshrc \
+    && . $HOME/.asdf/asdf.sh 
+
+# Install Node.js and Go using asdf
+RUN . $HOME/.asdf/asdf.sh \
+    && asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git \
+    && asdf install nodejs latest \
+    && asdf global nodejs latest \
+    && sudo npm install -g pnpm
+
+RUN . $HOME/.asdf/asdf.sh \
+    && asdf plugin add golang https://github.com/asdf-community/asdf-golang.git \
+    && asdf install golang latest \
+    && asdf global golang latest
+
+# # Install pnpm using npm installed via asdf Node.js
+# RUN sudo npm install -g pnpm
+
+ENV PNPM_HOME="/home/${USERNAME}/.local/share/pnpm"
+ENV PATH="$PNPM_HOME:$PNPM_HOME/global/node_modules/.bin:${PATH}"
+
+# Install ESLint and plugins using pnpm
+RUN pnpm install -g eslint \
+    eslint-plugin-security \
+    eslint-plugin-no-unsanitized \
+    eslint-plugin-no-secrets
+
+# Install additional npm tools using pnpm
+RUN pnpm install -g node-version-audit \
+    yarn-audit-fix \
+    better-npm-audit \
+    installed-check
+
+# Set GOBIN to /usr/local/bin for Go binaries
+ENV GOBIN=/usr/local/bin
+
+# Install gitxray
+RUN . $HOME/.asdf/asdf.sh \
+    go install github.com/kulkansecurity/gitxray@latest
+
+# Install git-secrets
+RUN git clone https://github.com/awslabs/git-secrets.git $HOME/secrets \
+    && cd $HOME/secrets \
+    && sudo make install \
+    && rm -rf $HOME/secrets
+
+# Install detect-secrets
+RUN pipx install detect-secrets
+
+# Install pmapper
+RUN pipx install pmapper
+
+# Install gh-fake-analyzer
+RUN cd $HOME \
+    && git clone https://github.com/shortdoom/gh-fake-analyzer.git \
+    && cd gh-fake-analyzer \
+    && python3 -m venv gfa \
+    && source gfa/bin/activate \
+    && pip install -r requirements.txt \
+    && exit
+
+# Install Trivy
+RUN wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null \
+    && echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee -a /etc/apt/sources.list.d/trivy.list \
+    && sudo apt-get update && sudo apt-get install -y trivy
+
+# Install Trufflehog
+RUN wget -qO - https://github.com/trufflesecurity/trufflehog/releases/download/v3.82.6/trufflehog_3.82.6_linux_$(dpkg --print-architecture).tar.gz | \
+    sudo tar -xzf - trufflehog -C /usr/local/bin
 
-COPY --from=trufflehog /usr/bin/trufflehog /usr/bin/trufflehog
-RUN echo "trufflehog" >> /tools.txt
+# Clean up
+RUN sudo apt-get clean && sudo rm -rf /var/lib/apt/lists/*
 
-WORKDIR /workdir
+# Set working directory
+WORKDIR /home/${USERNAME}
 CMD ["/bin/bash"]

Makefile

@@ -1,7 +1,7 @@
-.PHONY: build clean exec run test help list
+.PHONY: build clean exec help
 
 IMAGE_NAME := security-tools
-.DEFAULT_GOAL := list
+.DEFAULT_GOAL := help
 
 ifneq (,$(filter run,$(firstword $(MAKECMDGOALS))))
   ARGS := $(wordlist 2,$(words $(MAKECMDGOALS)),$(MAKECMDGOALS))
@@ -15,20 +15,13 @@ help:
 	@echo "Targets:"
 	@echo "  build    Build the Docker image"
 	@echo "  exec     Run an interactive shell inside the container"
-	@echo "  test     Run tests to verify the Docker image and tools"
-	@echo "  list     List the installed tools"
 	@echo "  clean    Remove the Docker image"
 	@echo ""
-	@echo "Optional target with parameters:"
-	@echo "  run      Run a command inside the Docker container"
-	@echo ""
 	@echo "Examples:"
 	@echo "  make"
 	@echo "  make build"
 	@echo "  make exec"
-	@echo "  make test"
 	@echo "  make clean"
-	@echo "  make run trivy image python:3.4-alpine"
 	@echo ""
 
 build:
@@ -44,39 +37,3 @@ exec: build
 clean:
 	@echo "Removing Docker image: $(IMAGE_NAME)"
 	-@docker rmi $(IMAGE_NAME)
-
-run: build
-	@echo "Running command inside the $(IMAGE_NAME) container..."
-	@docker run --rm -it -v $(PWD):/workdir $(IMAGE_NAME) $(ARGS)
-
-test: build
-	@echo "Running tests to verify the $(IMAGE_NAME) image and tools..."
-	@docker run --rm -v $(PWD):/workdir $(IMAGE_NAME) /bin/bash -c "\
-		echo 'Testing installed tools...'; \
-		if [ -f /tools.txt ]; then \
-			for tool in \$$(cat /tools.txt); do \
-				echo 'Testing' \$$tool '...'; \
-				\$$tool --version || echo '\$tool failed'; \
-				echo ''; \
-			done; \
-			echo 'All tests completed successfully.'; \
-		else \
-			echo 'No tools found to test.'; \
-			exit 1; \
-		fi \
-	"
-
-list: build help
-	@if ! docker images $(IMAGE_NAME) | awk '{ print $$1 }' | grep -q "^$(IMAGE_NAME)$$"; then \
-		echo "Docker image '$(IMAGE_NAME)' not found. Please run 'make build' first."; \
-		exit 1; \
-	fi
-	@docker run --rm $(IMAGE_NAME) /bin/bash -c "\
-		if [ -f /tools.txt ]; then \
-			echo ''; \
-			echo 'Installed Tools:'; \
-			cat /tools.txt; \
-		else \
-			echo 'No tools found.'; \
-		fi \
-	"

README.md

@@ -11,23 +11,11 @@ Usage:
 Targets:
   build    Build the Docker image
   exec     Run an interactive shell inside the container
-  test     Run tests to verify the Docker image and tools
-  list     List the installed tools
   clean    Remove the Docker image
 
-Optional target with parameters:
-  run      Run a command inside the Docker container
-
 Examples:
   make
   make build
   make exec
-  make test
   make clean
-  make run trivy image python:3.4-alpine
-
-
-Installed Tools:
-trivy
-trufflehog
 ```