Docker FROM image pinning (#1337)
* Add script to check docker pinning project wide * Add workflow to run check-docker-pin * Pin Docker image refs which were unpinned * Add exceptions to the pin checking logic * Fixes to check-docker-pin * Clean up find command * Bash optimizations * Switch to env shebang * Switch from find to git ls-files and add justification for ignore choices
parent
f856240792
commit
0919f29dc3
|
@ -160,3 +160,10 @@ jobs:
|
|||
with:
|
||||
command: test
|
||||
args: --workspace --manifest-path ${{ matrix.manifest }}
|
||||
docker:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Check out source
|
||||
uses: actions/checkout@v2
|
||||
- run: chmod 755 ./scripts/check-docker-pin.sh
|
||||
- run: ./scripts/check-docker-pin.sh
|
||||
|
|
|
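Review bot: `uses: actions/checkout@v2` in the new docker job is itself a mutable reference, so a workflow whose whole purpose is to enforce digest pinning pulls its own one dependency by floating tag; pin it to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha-placeholder> # v2`. The `- run: chmod 755 ./scripts/check-docker-pin.sh` step suggests the executable bit is not committed; setting it in the index once (`git update-index --chmod=+x scripts/check-docker-pin.sh`) lets the next step run the script directly and drops the chmod step. The job declares no `needs`, which looks intended since the check is independent of the build matrix above it. The `jobs:` block starts and ends outside the hunk.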
@ -1,5 +1,5 @@
|
|||
# syntax=docker.io/docker/dockerfile:1.3@sha256:42399d4635eddd7a9b8a24be879d2f9a930d0ed040a61324cfdf59ef1357b3b2
|
||||
FROM docker.io/fedora:34 AS const-build
|
||||
FROM docker.io/fedora:34@sha256:321dbc444dfeda328a85dc3c31545a65c1fae8390aa5ba6dc1f5222b53b42697 AS const-build
|
||||
|
||||
ARG num_guardians
|
||||
ENV NUM_GUARDIANS=$num_guardians
|
||||
|
|
|
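Review bot: The new `FROM docker.io/fedora:34@sha256:…` line pins correctly, but nothing records how the digest was obtained or when it should be refreshed, and once a digest is present the `:34` tag is only a label — Fedora's security rebuilds of that tag will no longer be picked up by a rebuild. A one-line comment above each pinned FROM, such as `# digest of docker.io/fedora:34 resolved on <date-placeholder>; refresh with: docker buildx imagetools inspect docker.io/fedora:34`, makes the pin auditable and tells the next maintainer how to bump it. The same applies to the python, ubuntu and alpine FROM lines pinned in the later hunks of this commit.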
@ -1,5 +1,5 @@
|
|||
# syntax=docker.io/docker/dockerfile:1.3@sha256:42399d4635eddd7a9b8a24be879d2f9a930d0ed040a61324cfdf59ef1357b3b2
|
||||
FROM docker.io/python:3.10
|
||||
FROM docker.io/python:3.10@sha256:eeed7cac682f9274d183f8a7533ee1360a26acb3616aa712b2be7896f80d8c5f
|
||||
|
||||
# Support additional root CAs
|
||||
COPY README.md cert.pem* /certs/
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
FROM ubuntu:20.04
|
||||
FROM ubuntu:20.04@sha256:fd92c36d3cb9b1d027c4d2a72c6bf0125da82425fc2ca37c414d4f010180dc19
|
||||
ARG channel
|
||||
|
||||
ENV DEBIAN_FRONTEND noninteractive
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
ARG GO_VERSION=1.18.2
|
||||
FROM golang:$GO_VERSION as algorand-algod
|
||||
FROM golang:$GO_VERSION@sha256:04fab5aaf4fc18c40379924674491d988af3d9e97487472e674d0b5fd837dfac as algorand-algod
|
||||
|
||||
# Support additional root CAs
|
||||
COPY config.dev cert.pem* /certs/
|
||||
|
|
|
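Review bot: `FROM golang:$GO_VERSION@sha256:04fab5…` now makes `GO_VERSION` inert: when a digest is given the tag is informational only, so editing `ARG GO_VERSION=1.18.2` or passing `--build-arg GO_VERSION=…` will still pull the 1.18.2 image and the ARG silently stops doing what its name says. Either drop the ARG and spell the version in the FROM line, or keep the pair but add a comment above it, `# digest must be updated together with GO_VERSION; with a digest present the tag no longer selects the image`, so the coupling is explicit to whoever next bumps Go. The alpine variant in the following hunk (`FROM golang:$GO_VERSION-alpine@sha256:…`) has the same issue.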
@ -1,5 +1,5 @@
|
|||
ARG GO_VERSION=1.18.2
|
||||
FROM golang:$GO_VERSION-alpine
|
||||
FROM golang:$GO_VERSION-alpine@sha256:4795c5d21f01e0777707ada02408debe77fe31848be97cf9fa8a1462da78d949
|
||||
|
||||
# Support additional root CAs
|
||||
COPY config.dev cert.pem* /certs/
|
||||
|
|
|
@ -0,0 +1,20 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
# This script is checks to that all our Docker images are pinned to a specific SHA256 hash
|
||||
#
|
||||
# References as to why...
|
||||
# - https://nickjanetakis.com/blog/docker-tip-18-please-pin-your-docker-image-versions
|
||||
# - https://snyk.io/blog/10-docker-image-security-best-practices/ (Specifically: USE FIXED TAGS FOR IMMUTABILITY)
|
||||
#
|
||||
# Explaination of regex ignore choices
|
||||
# - We ignore sha256 because it suggests that the image dep is pinned
|
||||
# - We ignore scratch because it's literally the docker base image
|
||||
# - We ignore solana AS (builder|ci_tests) because it's a relative reference to another FROM call
|
||||
#
|
||||
git ls-files | grep "Dockerfile*" | xargs grep -s "FROM" | egrep -v 'sha256|scratch|solana AS (builder|ci_tests)'
|
||||
if [ $? -eq 0 ]; then
|
||||
echo "[!] Unpinned docker files" >&2
|
||||
exit 1
|
||||
else
|
||||
echo "[+] No unpinned docker files"
|
||||
fi
|
|
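Review bot: The pipeline on the `git ls-files | grep "Dockerfile*" | xargs grep -s "FROM" | egrep -v …` line both over- and under-matches: `grep "FROM"` matches any line containing FROM, including comments, while `sha256` anywhere on the line is accepted as pinned, so a line like `FROM foo:bar # sha256 TODO` passes and a commented-out `# FROM something` fails the build. Anchoring on real FROM instructions, requiring a full `@sha256:<64 hex>` digest, using `-z`/`-0` so paths with spaces survive xargs, and using the pipeline directly as the `if` condition instead of testing `$?` fixes all of these without changing what the script reports. `grep "Dockerfile*"` also matches any path containing `Dockerfil` (the `*` applies to the `e`); a git pathspec such as `'*Dockerfile*'` is more precise. The header comment has two typos (`is checks to that`, `Explaination`) worth fixing while touching the file.
```bash
# … unchanged: shebang and header comments explaining the ignore choices …
# Match only real FROM instructions (not comments or COPY --from) and treat a
# line as pinned only when it carries a full @sha256:<64 hex> digest.
if git ls-files -z -- '*Dockerfile*' \
    | xargs -0 -r grep -HnE '^[[:space:]]*FROM[[:space:]]' \
    | grep -Ev '@sha256:[0-9a-f]{64}|FROM[[:space:]]+(scratch|solana[[:space:]]+AS[[:space:]]+(builder|ci_tests))([[:space:]]|$)'; then
    echo "[!] Unpinned docker files" >&2
    exit 1
fi
echo "[+] No unpinned docker files"
```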
@ -1,4 +1,4 @@
|
|||
FROM alpine:3.14
|
||||
FROM alpine:3.14@sha256:06b5d462c92fc39303e6363c65e074559f8d6b1363250027ed5053557e3398c5
|
||||
|
||||
# add our user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added
|
||||
RUN addgroup -S -g 1000 redis && adduser -S -G redis -u 999 redis
|
||||
|
|