# Alpine release used by every stage except build-semgrep-core, which is pinned
# to 3.19 separately. Declared before the first FROM, so it is visible only in
# FROM lines; a stage that needs it inside RUN must redeclare it.
# NOTE(review): image tags are mutable -- for a reproducible build pin each base
# image by digest (e.g. alpine:3.20@sha256:...) once the release is chosen.
ARG ALPINE_VERSION=3.20
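# Semgrep build is currently broken on alpine > 3.19, so this stage deliberately
# does not follow ALPINE_VERSION. Its only output is the osemgrep binary, which
# the runtime stage below copies out of /src/semgrep/_build.
FROM alpine:3.19 AS build-semgrep-core
ARG SEMGREP_VERSION=v1.85.0
RUN apk add --no-cache bash build-base git make opam
# --no answers opam's interactive setup prompts negatively so init is non-interactive.
RUN opam init --compiler=4.14.0 --disable-sandboxing --no
RUN opam switch 4.14.0
WORKDIR /src
# Optional full commit SHA that SEMGREP_VERSION is expected to resolve to. A git
# tag can be moved after the fact, so when this is set the clone is rejected if
# HEAD differs; when left empty (default) the tag is trusted as before.
ARG SEMGREP_COMMIT=
RUN git clone --recurse-submodules --branch ${SEMGREP_VERSION} --depth=1 --single-branch https://github.com/semgrep/semgrep && \
    if [ -n "${SEMGREP_COMMIT}" ] && [ "$(git -C semgrep rev-parse HEAD)" != "${SEMGREP_COMMIT}" ]; then \
        echo "semgrep checkout does not match SEMGREP_COMMIT=${SEMGREP_COMMIT}" >&2; exit 1; \
    fi
WORKDIR /src/semgrep
ARG OPAMSOLVERTIMEOUT=600
# note that we do not run 'make install-deps-for-semgrep-core' here because it
# configures and builds ocaml-tree-sitter-core too; here we are
# just concerned about installing external packages to maximize docker caching.
RUN make install-deps-ALPINE-for-semgrep-core && \
    make install-opam-deps
# Extra system packages needed by the full dependency step; kept in a separate
# layer so the (slow) opam install above stays cached.
RUN apk add --no-cache zstd libpsl-utils
RUN make install-deps-for-semgrep-core
ARG DUNE_PROFILE=release
RUN eval "$(opam env)" && \
    make minimal-build && \
    # Sanity check: the freshly built binary must at least start and report its version.
    /src/semgrep/_build/default/src/main/Main.exe -version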
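# Builds the third-party scanners bundled into the runtime image. Every tool is
# cloned at a pinned tag and compiled from source; the resulting binaries are
# placed in /usr/local/bin and copied out individually by portage-base.
FROM golang:alpine$ALPINE_VERSION AS build-prerequisites
ARG GRYPE_VERSION=v0.78.0
ARG SYFT_VERSION=v1.5.0
ARG GITLEAKS_VERSION=v8.18.3
ARG GATECHECK_VERSION=v0.8.0
ARG ORAS_VERSION=v1.2.0
RUN apk --no-cache add ca-certificates git make
WORKDIR /app
# verify-head DIR EXPECTED: fail the build when EXPECTED is non-empty and DIR's
# HEAD is a different commit. Git tags are mutable, so this lets a caller pin
# each tool to an exact SHA via the *_COMMIT build args below; with the defaults
# (empty) the tags are trusted as before. The helper is not copied into the
# runtime image.
RUN printf '%s\n' '#!/bin/sh' \
    '[ -z "$2" ] || [ "$(git -C "$1" rev-parse HEAD)" = "$2" ] || { echo "$1: HEAD is not the expected commit $2" >&2; exit 1; }' \
    > /usr/local/bin/verify-head && chmod +x /usr/local/bin/verify-head
ARG GRYPE_COMMIT=
ARG SYFT_COMMIT=
ARG GITLEAKS_COMMIT=
ARG GATECHECK_COMMIT=
ARG ORAS_COMMIT=
RUN git clone --branch ${GRYPE_VERSION} --depth=1 --single-branch https://github.com/anchore/grype /app/grype && \
    verify-head /app/grype "${GRYPE_COMMIT}"
RUN git clone --branch ${SYFT_VERSION} --depth=1 --single-branch https://github.com/anchore/syft /app/syft && \
    verify-head /app/syft "${SYFT_COMMIT}"
RUN git clone --branch ${GITLEAKS_VERSION} --depth=1 --single-branch https://github.com/zricethezav/gitleaks /app/gitleaks && \
    verify-head /app/gitleaks "${GITLEAKS_COMMIT}"
RUN git clone --branch ${GATECHECK_VERSION} --depth=1 --single-branch https://github.com/easy-up/gatecheck /app/gatecheck && \
    verify-head /app/gatecheck "${GATECHECK_COMMIT}"
RUN git clone --branch ${ORAS_VERSION} --depth=1 --single-branch https://github.com/oras-project/oras /app/oras && \
    verify-head /app/oras "${ORAS_COMMIT}"
# Each tool is built from its own checkout (WORKDIR instead of `cd` so the
# `git` metadata in the ldflags is resolved against the right repository).
WORKDIR /app/grype
RUN go build -ldflags="-w -s -extldflags '-static' -X 'main.version=${GRYPE_VERSION}' -X 'main.gitCommit=$(git rev-parse HEAD)' -X 'main.buildDate=$(date -u +%Y-%m-%dT%H:%M:%SZ)' -X 'main.gitDescription=$(git log -1 --pretty=%B)'" -o /usr/local/bin ./cmd/grype
WORKDIR /app/syft
RUN go build -ldflags="-w -s -extldflags '-static' -X 'main.version=${SYFT_VERSION}' -X 'main.gitCommit=$(git rev-parse HEAD)' -X 'main.buildDate=$(date -u +%Y-%m-%dT%H:%M:%SZ)' -X 'main.gitDescription=$(git log -1 --pretty=%B)'" -o /usr/local/bin ./cmd/syft
WORKDIR /app/gitleaks
RUN go build -ldflags="-s -w -X=github.com/zricethezav/gitleaks/v8/cmd.Version=${GITLEAKS_VERSION}" -o /usr/local/bin .
WORKDIR /app/gatecheck
RUN go build -ldflags="-s -w -X 'main.cliVersion=$(git describe --tags)' -X 'main.gitCommit=$(git rev-parse HEAD)' -X 'main.buildDate=$(date -u +%Y-%m-%dT%H:%M:%SZ)' -X 'main.gitDescription=$(git log -1 --pretty=%B)'" -o /usr/local/bin ./cmd/gatecheck
# NOTE(review): the oras target hardcodes linux/amd64 while the other tools are
# built for the host architecture, so an arm64 build would ship an amd64 oras.
# Consider driving this from TARGETARCH if multi-arch images are needed.
WORKDIR /app/oras
RUN make build-linux-amd64 && \
    mv bin/linux/amd64/oras /usr/local/bin/oras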
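# Builds the portage CLI itself from the build context.
FROM golang:alpine$ALPINE_VERSION AS build
# install build dependencies
RUN apk add --no-cache git
WORKDIR /app/src
# Module manifests first, so the download layer is reused until go.mod/go.sum change.
COPY go.* .
# pre-fetch dependencies
RUN go mod download
COPY cmd ./cmd
COPY pkg ./pkg
# Version metadata differs on every build. It is declared here, after the
# dependency and source layers, so that a new value only invalidates the final
# compile step (the classic builder treats every RUN after an ARG as depending
# on it, and would otherwise re-run `go mod download` each build).
ARG VERSION
ARG GIT_COMMIT
ARG GIT_DESCRIPTION
RUN mkdir -p ../bin && \
    go build -ldflags="-X 'main.cliVersion=${VERSION}' -X 'main.gitCommit=${GIT_COMMIT}' -X 'main.buildDate=$(date -u +%Y-%m-%dT%H:%M:%SZ)' -X 'main.gitDescription=${GIT_DESCRIPTION}'" -o ../bin/portage ./cmd/portage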
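# Common runtime image: the portage CLI plus the scanners it drives. The two
# flavours below (podman / docker) extend this stage with a container CLI.
FROM alpine:$ALPINE_VERSION AS portage-base
RUN apk --no-cache add git ca-certificates tzdata clamav
COPY --from=build-prerequisites /usr/local/bin/grype /usr/local/bin/grype
COPY --from=build-prerequisites /usr/local/bin/syft /usr/local/bin/syft
COPY --from=build-prerequisites /usr/local/bin/gitleaks /usr/local/bin/gitleaks
COPY --from=build-prerequisites /usr/local/bin/gatecheck /usr/local/bin/gatecheck
COPY --from=build-prerequisites /usr/local/bin/oras /usr/local/bin/oras
# osemgrep was compiled on alpine:3.19 (build-semgrep-core) but runs on
# alpine:${ALPINE_VERSION}. NOTE(review): that is only safe if Main.exe carries
# no dependency on 3.19-specific shared libraries -- confirm with `ldd` or by
# running the binary once in this stage.
COPY --from=build-semgrep-core /src/semgrep/_build/default/src/main/Main.exe /usr/local/bin/osemgrep
COPY --from=build /app/bin/portage /usr/local/bin/portage
WORKDIR /app
ENV PORTAGE_CODE_SCAN_SEMGREP_EXPERIMENTAL="true"
# NOTE(review): no USER is set here, so every image derived from this stage runs
# as root unless the derived stage switches user (neither flavour below does).
ENTRYPOINT ["portage"]
LABEL org.opencontainers.image.title="portage-docker" \
      org.opencontainers.image.description="A standalone tool for secure, continuous delivery" \
      org.opencontainers.image.licenses="Apache-2.0" \
      org.opencontainers.image.source="https://github.com/easy-up/portage-cd" \
      io.artifacthub.package.readme-url="https://github.com/easy-up/portage-cd/blob/main/README.md" \
      io.artifacthub.package.license="Apache-2.0"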
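# Podman flavour: adds the podman CLI and a rootless-podman account.
FROM portage-base AS portage-podman
# Install podman CLIs. `apk add --no-cache` fetches a fresh index itself, so a
# preceding `apk update` is redundant and would only leave index files in the layer.
RUN apk add --no-cache podman fuse-overlayfs
COPY docker/storage.conf /etc/containers/
COPY docker/containers.conf /etc/containers/
# Unprivileged account for rootless podman with a subordinate uid/gid range of
# 5000 ids (10000-14999) for user namespaces. Its home is prepared and owned in
# the same layer so a later recursive chown does not duplicate the files.
RUN addgroup -S podman && adduser -S podman -G podman && \
    echo podman:10000:5000 > /etc/subuid && \
    echo podman:10000:5000 > /etc/subgid && \
    mkdir -p /home/podman/.local/share/containers && \
    chown -R podman:podman /home/podman
COPY --chown=podman:podman docker/rootless-containers.conf /home/podman/.config/containers/containers.conf
VOLUME /var/lib/containers
VOLUME /home/podman/.local/share/containers
# Let the podman account maintain clamav's signature database and its config
# directory (e.g. freshclam updates) without being root.
RUN mkdir -p /var/lib/clamav && \
    chown podman /var/lib/clamav /etc/clamav && \
    chmod g+w /var/lib/clamav
# NOTE(review): USER is never switched, so this image still starts as root by
# default; the rootless configuration above presumably expects it to be run as
# the podman account (`--user podman`, or add `USER podman` here) -- confirm.
LABEL org.opencontainers.image.title="portage-podman"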
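# Docker flavour; last stage, so it is what an untargeted `docker build` produces.
FROM portage-base AS portage-docker
# Install docker CLI (the Alpine docker-cli-buildx package depends on docker-cli).
# `apk add --no-cache` fetches a fresh index itself, so a preceding `apk update`
# is redundant and would only leave index files in the layer.
RUN apk add --no-cache docker-cli-buildx
# NOTE(review): this stage inherits root from portage-base and sets no USER of
# its own; the docker CLI will typically need a mounted daemon socket, which is
# equivalent to root on the host -- document that expectation for operators.
LABEL org.opencontainers.image.title="portage-docker"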