From c969ac468fc31b4ec55bbca3890c9f02fe1f7b16 Mon Sep 17 00:00:00 2001
From: huynaism
Date: Wed, 13 Nov 2024 10:27:55 +0700
Subject: [PATCH 1/4] bump & enable pipeline
---
 .github/workflows/publish.yml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 138728e..cece15d 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -4,6 +4,7 @@ on:
 push:
 branches:
 - 'main'
+ - 'devops/add-docker-sec'
 tags:
 - '*'
@@ -25,7 +26,13 @@ jobs:
 docker_pipeline:
 needs: ["lint_test"]
- uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@v0.7.0
+ uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@v0.12.2
 secrets: inherit
 with:
- publish: true
\ No newline at end of file
+ publish: true
+ docker_scan: true
+ permissions:
+ # required for all workflows
+ security-events: write
+ # required to fetch internal or private CodeQL packs
+ packages: read
\ No newline at end of file
From 83d9cfef0b14d935ddb7703d562031a59c7ff34c Mon Sep 17 00:00:00 2001
From: huynaism
Date: Wed, 13 Nov 2024 10:30:17 +0700
Subject: [PATCH 2/4] wrong ver
---
 .github/workflows/publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index cece15d..25351f6 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -26,7 +26,7 @@ jobs:
 docker_pipeline:
 needs: ["lint_test"]
- uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@v0.12.2
+ uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@v0.10.2
 secrets: inherit
 with:
 publish: true
From 50701b8a2bab4132b2cb32b673832e9fd1df2b1f Mon Sep 17 00:00:00 2001
From: huynaism
Date: Wed, 13 Nov 2024 11:25:38 +0700
Subject: [PATCH 3/4] bump alpine to 3.20
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
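Review bot: The new `- 'devops/add-docker-sec'` entry under `push.branches` makes every push to that feature branch run this publish workflow, and the docker_pipeline job in the next hunk of the same file calls the reusable pipeline with `publish: true`, so images would be built and pushed from an unreviewed branch with the job's inherited secrets. If the entry only exists to exercise the new scan on the branch, remove it before merge, or keep publishing tied to the protected refs with an expression such as `publish: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }}` — whether the reusable workflow's `publish` input accepts an expression has to be confirmed against its input definition, which is not on this page.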
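Review bot: The reusable workflow on the `uses:` line is referenced by the mutable tag `v0.12.2` (corrected to `v0.10.2` in the next patch, which has the same issue), while the job also receives `secrets: inherit` and publishes images; pinning the call to the release's full commit SHA, e.g. `uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@<full-commit-sha>  # v0.10.2`, keeps a moved or re-created tag from changing what runs with those secrets. The added `permissions:` block (`security-events: write`, `packages: read`) must be a job-level key beside `uses:` and `with:`, not nested under `with:` where it would be treated as an unknown input — this page has lost the indentation, so confirm the placement in the file. The new side still ends with `\ No newline at end of file`; add the trailing newline while editing.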
diff --git a/Dockerfile b/Dockerfile
index dd8a327..dd21840 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -40,7 +40,7 @@ RUN CGO_LDFLAGS="$CGO_LDFLAGS -lstdc++ -lm -lsodium" \
 LINK_STATICALLY=true \
 make build
-FROM alpine:3.16 AS run
+FROM alpine:3.20 AS run
 # Create a user
 RUN addgroup --gid 1138 -S vigilante && adduser --uid 1138 -S vigilante -G vigilante
 RUN apk add bash curl jq
From 2d539adf0f32e3ff5cd5cb8139194df3d3025e6c Mon Sep 17 00:00:00 2001
From: huynaism
Date: Wed, 13 Nov 2024 11:50:05 +0700
Subject: [PATCH 4/4] bump alpine to resolve some CVEs
---
 Dockerfile | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index dd21840..33b33bf 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,10 +9,10 @@ ARG VERSION
 # Use muslc for static libs
 ARG BUILD_TAGS="muslc"
-
+# hadolint ignore=DL3018
 RUN apk add --no-cache --update openssh git make build-base linux-headers libc-dev \
 pkgconfig zeromq-dev musl-dev alpine-sdk libsodium-dev \
- libzmq-static libsodium-static gcc
+ libzmq-static libsodium-static gcc && rm -rf /var/cache/apk/*
 # Build
 WORKDIR /go/src/github.com/babylonlabs-io/vigilante
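Review bot: On the `RUN apk add --no-cache --update ...` instruction the appended `&& rm -rf /var/cache/apk/*` is redundant: `--no-cache` already keeps the fetched index out of `/var/cache/apk`, and it also supersedes `--update`, so the last line can simply stay `libzmq-static libsodium-static gcc`. The `# hadolint ignore=DL3018` comment added above it (and the matching one before the runtime `apk --no-cache add bash curl jq` in this patch's last hunk) suppresses the warning about unpinned apk package versions rather than pinning them; since the patch is motivated by CVE remediation, record the trade-off on a second comment line such as `# build deps deliberately unpinned: rebuild the image to pick up apk security updates` so the suppression is not mistaken for a fix.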
@@ -27,12 +27,13 @@ RUN if [ -n "${VERSION}" ]; then \
 fi
 # Cosmwasm - Download correct libwasmvm version
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 RUN WASMVM_VERSION=$(go list -m github.com/CosmWasm/wasmvm/v2 | cut -d ' ' -f 2) && \
- wget https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/libwasmvm_muslc.$(uname -m).a \
- -O /lib/libwasmvm_muslc.$(uname -m).a && \
+ wget -q https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/libwasmvm_muslc.$(uname -m).a \ -O /lib/libwasmvm_muslc."$(uname -m)".a && \
 # verify checksum
- wget https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/checksums.txt -O /tmp/checksums.txt && \
- sha256sum /lib/libwasmvm_muslc.$(uname -m).a | grep $(cat /tmp/checksums.txt | grep libwasmvm_muslc.$(uname -m) | cut -d ' ' -f 1)
+ wget -q https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/checksums.txt -O /tmp/checksums.txt && \
+ sha256sum /lib/libwasmvm_muslc."$(uname -m)".a | grep $(cat /tmp/checksums.txt | grep libwasmvm_muslc."$(uname -m)" | cut -d ' ' -f 1)
 RUN CGO_LDFLAGS="$CGO_LDFLAGS -lstdc++ -lm -lsodium" \
 CGO_ENABLED=1 \
@@ -43,7 +44,8 @@ RUN CGO_LDFLAGS="$CGO_LDFLAGS -lstdc++ -lm -lsodium" \
 FROM alpine:3.20 AS run
 # Create a user
 RUN addgroup --gid 1138 -S vigilante && adduser --uid 1138 -S vigilante -G vigilante
-RUN apk add bash curl jq
+# hadolint ignore=DL3018
+RUN apk --no-cache add bash curl jq && rm -rf /var/cache/apk/*
 # Label should match your github repo
 LABEL org.opencontainers.image.source="https://github.com/babylonlabs-io/vigilante:${VERSION}"
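Review bot: The verification on the final `+ sha256sum ... | grep $(...)` line still compares the file's digest as a substring against a value cut out of checksums.txt, and that file is fetched from the same release on the line before it, so the check catches a corrupted or wrong-architecture download but not a tampered release. The new `SHELL ["/bin/ash", "-eo", "pipefail", "-c"]` line does make a failure inside the `go list ... | cut` pipeline abort the build, which the old form silently swallowed. An exact comparison is `grep "libwasmvm_muslc.$(uname -m).a" /tmp/checksums.txt > /tmp/expected.sha256 && \` followed by `(cd /lib && sha256sum -c /tmp/expected.sha256)` — assuming checksums.txt is in `sha256sum` output format, which the existing `cut -d ' ' -f 1` suggests but this page does not show. For a stronger guarantee, carry the expected digest for the selected wasmvm version in the Dockerfile (for example as an `ARG` next to the version lookup) instead of downloading it at build time.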