Skip to content

fix: Dockerfile to reduce vulnerabilities #18

fix: Dockerfile to reduce vulnerabilities

fix: Dockerfile to reduce vulnerabilities #18

Workflow file for this run

name: CI
# About steps requiring the GITGUARDIAN_API_KEY:
#
# For security reasons, secrets are not available when a workflow is triggered by a pull request from a fork. This
# causes all steps requiring the GITGUARDIAN_API_KEY to fail. To avoid this, we skip those steps when we are triggered
# by a pull request from a fork.
on:
pull_request:
push:
branches:
- '*'
tags-ignore:
- '*'
paths-ignore:
- 'doc/**'
- 'README.md'
jobs:
lint:
name: Lint package
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Python 3.8
uses: actions/setup-python@v5
with:
python-version: 3.8
- name: Install dependencies
run: |
python -m pip install --upgrade pip
python -m pip install pipenv==2023.10.3 pre-commit
pipenv install --dev --skip-lock
- uses: actions/cache@v3
with:
path: ~/.cache/pre-commit
key: pre-commit|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml') }}
- name: Install pre-commit hooks
run: pre-commit install --install-hooks
- name: Skip ggshield hooks when running from a fork
# See note about steps requiring the GITGUARDIAN_API at the top of this file
if: ${{ github.event.pull_request.head.repo.fork }}
run: |
echo "SKIP=ggshield,ggshield-local" >> $GITHUB_ENV
- name: Run pre-commit checks
run: |
pre-commit run --show-diff-on-failure --all-files
env:
GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
- name: Check commit messages
if: github.event_name == 'pull_request'
run: |
PR_REF="${GITHUB_REF%/merge}/head"
git fetch origin "$PR_REF"
if git log --format=%s "origin/$GITHUB_BASE_REF..FETCH_HEAD" | grep '^fixup!' ; then
echo 'Error: this pull request contains fixup commits. Squash them.'
exit 1
fi
# In case `git log` fails
exit "${PIPESTATUS[0]}"
build:
name: Build and Test
runs-on: ${{ matrix.os }}
env:
# We skip pipenv lockfile by default, because a Pipfile.lock should only
# be used for the Python version it was generated for.
PIPENV_SKIP_LOCK: 1
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, macos-latest, windows-2022]
python-version: ['3.8', '3.9', '3.10', '3.11']
steps:
- uses: actions/checkout@v4
with:
# Get enough commits to run `ggshield secret scan commit-range` on ourselves
fetch-depth: 10
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- name: Use Pipfile.lock on locked version of Python
# Keep version in sync with scripts/update-pipfile-lock/Dockerfile
if: matrix.python-version == '3.10'
run: |
echo "PIPENV_SKIP_LOCK=0" >> $GITHUB_ENV
- name: Install dependencies
run: |
python -m pip install --upgrade pip
python -m pip install --upgrade pipenv==2023.10.3
pipenv install --system --dev
# Hack: workaround urllib3 still being installed on windows-2022 builder
pip install --force-reinstall 'urllib3<2'
- name: Install Windows dev dependencies
if: matrix.os == 'windows-2022'
run: |
# Those are win32-only dependencies from pytest
python -m pip install atomicwrites colorama
- name: Override base Docker image used for functional tests on Windows
if: matrix.os == 'windows-2022'
# This is required because GitHub Windows runner is not configured to
# run Linux-based Docker images
shell: bash
run: |
echo "GGTEST_DOCKER_IMAGE=mcr.microsoft.com/windows/nanoserver:ltsc2022" >> $GITHUB_ENV
- name: Ensure a clean package installation
run: |
pip install build wheel check-wheel-contents
python -m build --wheel
# The created wheel (.whl) file will be found and analyzed within the `dist/` folder
check-wheel-contents dist/
- name: Run unit tests
run: |
coverage run --source ggshield -m pytest --disable-pytest-warnings --disable-socket tests/unit
- name: Gather coverage report
run: |
coverage report --fail-under=80
coverage xml
- uses: codecov/codecov-action@v3
with:
file: ./coverage.xml
flags: unittests
name: codecov-umbrella
fail_ci_if_error: false
- name: Run functional tests
# See note about steps requiring the GITGUARDIAN_API at the top of this file
if: ${{ !github.event.pull_request.head.repo.fork }}
shell: bash
run: |
make functest
env:
GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }}
TEST_KNOWN_SECRET: ${{ secrets.TEST_KNOWN_SECRET }}
build-standalone:
name: Standalone exe
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os:
- ubuntu-latest
- macos-latest
- windows-2022
- macos-14
steps:
- uses: actions/checkout@v4
with:
# Get enough commits to run `ggshield secret scan commit-range` on ourselves
fetch-depth: 10
- name: Set up Python 3.10
uses: actions/setup-python@v4
with:
python-version: '3.10'
- name: Install normal dependencies
run: |
python -m pip install --upgrade pip
python -m pip install --upgrade pipenv==2023.10.3
pipenv install --system --dev
env:
# Disable lock otherwise Windows-only dependencies like colorama are not installed
PIPENV_SKIP_LOCK: 1
- name: Install standalone-specific dependencies
run: |
python -m pip install --upgrade pyinstaller
- name: Build
shell: bash
run: |
scripts/build-standalone-exe
- name: Upload artifacts
uses: actions/upload-artifact@v4
with:
name: ggshield-standalone-${{ matrix.os }}
path: |
dist/ggshield-standalone-*.gz
dist/ggshield-standalone-*.zip
- name: Override base Docker image used for functional tests on Windows
if: matrix.os == 'windows-2022'
# This is required because GitHub Windows runner is not configured to
# run Linux-based Docker images
shell: bash
run: |
echo "GGTEST_DOCKER_IMAGE=mcr.microsoft.com/windows/nanoserver:ltsc2022" >> $GITHUB_ENV
- name: Functional tests
shell: bash
# See note about steps requiring the GITGUARDIAN_API at the top of this file
if: ${{ !github.event.pull_request.head.repo.fork }}
run: |
scripts/build-standalone-exe functests
env:
GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }}
TEST_KNOWN_SECRET: ${{ secrets.TEST_KNOWN_SECRET }}
build_packages:
# This job ensures the build-packages script is tested on each build, not only at release time
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
# Warning: changes on this step should be reflected in workflows/tag.yml
- name: Install packaging tools
shell: bash
run: |
curl -L https://github.com/goreleaser/nfpm/releases/download/v2.15.0/nfpm_amd64.deb -o nfpm_amd64.deb
sudo dpkg -i nfpm_amd64.deb
pip install shiv==1.0.1 build
# Append the abbreviated git sha1 to the version number to avoid confusing
# these packages with those produced at release time
- name: Fake version number
shell: bash
run: |
version=$(git describe --tags | sed -e 's/^v//' -e 's/-[0-9]*-g/+/')
echo "Set version number to '$version'"
sed -i "s/__version__ = .*/__version__ = \"$version\"/" ggshield/__init__.py
- name: Create packages
shell: bash
run: scripts/build-packages/build-packages
# Make packages downloadable from the workflow page
- name: Upload packages
uses: actions/upload-artifact@v3
with:
name: packages
path: |
dist
packages
test_github_secret_scan_action:
name: Test GitHub action for `secret scan`
# See note about steps requiring the GITGUARDIAN_API at the top of this file
if: ${{ !github.event.pull_request.head.repo.fork }}
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Scan commits for hardcoded secrets
uses: ./actions-unstable/secret
env:
GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }}
test_github_iac_scan_action:
name: Test GitHub action for `iac scan`
# See note about steps requiring the GITGUARDIAN_API at the top of this file
if: ${{ !github.event.pull_request.head.repo.fork }}
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Scan commits for IaC vulnerabilities
uses: ./actions-unstable/iac
with:
args: .
env:
GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }}
test_github_sca_scan_action:
name: Test GitHub action for `sca scan`
# See note about steps requiring the GITGUARDIAN_API at the top of this file
if: ${{ !github.event.pull_request.head.repo.fork }}
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Scan commits for SCA vulnerabilities
uses: ./actions-unstable/sca
with:
args: .
env:
GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }}
dockerhub-unstable:
name: Push Docker image to Docker Hub
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
needs:
- lint
- build
- test_github_iac_scan_action
- test_github_sca_scan_action
- test_github_secret_scan_action
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Build and push
uses: docker/build-push-action@v1
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
repository: gitguardian/ggshield
tags: unstable
github_packages-unstable:
name: Push Docker image to GitHub Packages
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
needs:
- lint
- build
- test_github_iac_scan_action
- test_github_sca_scan_action
- test_github_secret_scan_action
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: Push to GitHub Packages
uses: docker/build-push-action@v1
with:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
registry: docker.pkg.github.com
repository: gitguardian/ggshield/ggshield
tags: unstable