From 5cf0ca57d58a3e74bbd2d811c1f897cbb703acd3 Mon Sep 17 00:00:00 2001
From: antm-pp
Date: Fri, 23 Feb 2024 18:40:14 +0100
Subject: [PATCH 01/18] fix-workaround: Checkov install fails aarch64. Awaiting checkov version which bumps rustworkx >0.14.0 this adds rust, cargo and keeps gcc to allow source compile for aarch64.
---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 83d0bc05b..ae758faf9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -66,10 +66,10 @@ RUN if [ "$INSTALL_ALL" != "false" ]; then \
 RUN . /.env && \
 if [ "$CHECKOV_VERSION" != "false" ]; then \
 ( \
- apk add --no-cache gcc=~12 libffi-dev=~3 musl-dev=~1; \
+ apk add --no-cache gcc=~12 libffi-dev=~3 musl-dev=~1 rust cargo; \
 [ "$CHECKOV_VERSION" = "latest" ] && pip3 install --no-cache-dir checkov \
 || pip3 install --no-cache-dir checkov==${CHECKOV_VERSION}; \
- apk del gcc libffi-dev musl-dev \
+ apk del libffi-dev musl-dev rust cargo \
 ) \
 ; fi
From 63f4bef8c20cbfe4f4c369f6153a2cf239bd2176 Mon Sep 17 00:00:00 2001
From: antm-pp
Date: Fri, 23 Feb 2024 19:58:38 +0100
Subject: [PATCH 02/18] fix: Docker Checkov - Keep libgcc and remove gcc for compatibility with checkov bin during build stage
---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index ae758faf9..07cb34233 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -66,10 +66,10 @@ RUN if [ "$INSTALL_ALL" != "false" ]; then \
 RUN . /.env && \
 if [ "$CHECKOV_VERSION" != "false" ]; then \
 ( \
- apk add --no-cache gcc=~12 libffi-dev=~3 musl-dev=~1 rust cargo; \
+ apk add --no-cache gcc=~12 libffi-dev=~3 musl-dev=~1 libgcc rust cargo; \
 [ "$CHECKOV_VERSION" = "latest" ] && pip3 install --no-cache-dir checkov \
 || pip3 install --no-cache-dir checkov==${CHECKOV_VERSION}; \
- apk del libffi-dev musl-dev rust cargo \
+ apk del gcc libffi-dev musl-dev rust cargo \
 ) \
 ; fi
From 7014fa0b2d98b6d07f826399715674171de75c43 Mon Sep 17 00:00:00 2001
From: antm-pp
Date: Fri, 23 Feb 2024 21:09:57 +0100
Subject: [PATCH 03/18] fix:checkob install - pinned apk versions
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 07cb34233..f5a7b51d9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -66,7 +66,7 @@ RUN if [ "$INSTALL_ALL" != "false" ]; then \
 RUN . /.env && \
 if [ "$CHECKOV_VERSION" != "false" ]; then \
 ( \
- apk add --no-cache gcc=~12 libffi-dev=~3 musl-dev=~1 libgcc rust cargo; \
+ apk add --no-cache gcc=~12 libffi-dev=~3 musl-dev=~1 libgcc=~12 rust=~1 cargo=~1; \
 [ "$CHECKOV_VERSION" = "latest" ] && pip3 install --no-cache-dir checkov \
 || pip3 install --no-cache-dir checkov==${CHECKOV_VERSION}; \
 apk del gcc libffi-dev musl-dev rust cargo \
From 3d854909a2e5030d4861f74d094aa914b32ca53e Mon Sep 17 00:00:00 2001
From: antm-pp
Date: Fri, 23 Feb 2024 21:39:30 +0100
Subject: [PATCH 04/18] Add comments on package dependencies and re-order
---
 Dockerfile | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index f5a7b51d9..f2c3a8023 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -66,7 +66,9 @@ RUN if [ "$INSTALL_ALL" != "false" ]; then \
 RUN . /.env && \
 if [ "$CHECKOV_VERSION" != "false" ]; then \
 ( \
- apk add --no-cache gcc=~12 libffi-dev=~3 musl-dev=~1 libgcc=~12 rust=~1 cargo=~1; \
+ # gcc rust cargo musl-dev required for compilation of rustworkx@0.13.2, no longer required once checkov version depends on rustworkx >0.14.0
+ # gcc libffi-dev musl-dev libffi-dev required for compilation of cffi, until it contains musl aarch64
+ apk add --no-cache cargo=~1 gcc=~12 libffi-dev=~3 libgcc=~12 musl-dev=~1 rust=~1 ; \
 [ "$CHECKOV_VERSION" = "latest" ] && pip3 install --no-cache-dir checkov \
 || pip3 install --no-cache-dir checkov==${CHECKOV_VERSION}; \
 apk del gcc libffi-dev musl-dev rust cargo \
From a13a9832de824433e3eaf463d91d3242e191b863 Mon Sep 17 00:00:00 2001
From: antm-pp
Date: Fri, 23 Feb 2024 23:30:20 +0100
Subject: [PATCH 05/18] fix: Docker Checkov install: Added gcc container check
---
 .github/.container-structure-test-config.yaml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/.container-structure-test-config.yaml b/.github/.container-structure-test-config.yaml
index 60107655e..95e05f8ba 100644
--- a/.github/.container-structure-test-config.yaml
+++ b/.github/.container-structure-test-config.yaml
@@ -15,6 +15,11 @@ commandTests:
 args: ["-version"]
 expectedOutput: ["^Terraform v([0-9]+\\.){2}[0-9]+\\non linux_amd64\\n$"]
+ - name: "gcc"
+ command: "gcc"
+ args: ["--version"]
+ expectedOutput: ["^gcc \(Alpine 12\..*$"]
+
 - name: "checkov"
 command: "checkov"
 args: ["--version"]
From 42d77d952b3a96328e0df5dc34a81d0b609ef68b Mon Sep 17 00:00:00 2001
From: antm-pp
Date: Sat, 24 Feb 2024 01:10:56 +0100
Subject: [PATCH 06/18] fix: Docker checkov install: reorder values and comments on package installs for checkov
---
 Dockerfile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index f2c3a8023..4a78009d7 100644
--- a/Dockerfile
+++ b/Dockerfile
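Review bot: The new `gcc` command test asserts that a compiler is present in the tested image, while patch 02 of this series deletes it right after the checkov install (`apk del gcc libffi-dev musl-dev rust cargo`); the rest of the Dockerfile is outside these hunks, so which stage the test runs against needs confirming. If gcc is meant to be gone from the published image, this test asserts the opposite and should instead check for absence; if gcc really is present in the final image, a comment explaining why a compiler ships to users would help reviewers, since it widens the attack surface of a tool image. Separately, `\(` and `\.` inside a YAML double-quoted scalar are not valid escapes and will be rejected by strict parsers; the backslashes need doubling, `expectedOutput: ["^gcc \\(Alpine 12\\."]`.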
@@ -66,12 +66,12 @@ RUN if [ "$INSTALL_ALL" != "false" ]; then \
 RUN . /.env && \
 if [ "$CHECKOV_VERSION" != "false" ]; then \
 ( \
- # gcc rust cargo musl-dev required for compilation of rustworkx@0.13.2, no longer required once checkov version depends on rustworkx >0.14.0
- # gcc libffi-dev musl-dev libffi-dev required for compilation of cffi, until it contains musl aarch64
+ # cargo, gcc, git, musl-dev, and rust required for compilation of rustworkx@0.13.2, no longer required once checkov version depends on rustworkx >0.14.0
+ # gcc libffi-dev musl-dev required for compilation of cffi, until it contains musl aarch64
 apk add --no-cache cargo=~1 gcc=~12 libffi-dev=~3 libgcc=~12 musl-dev=~1 rust=~1 ; \
 [ "$CHECKOV_VERSION" = "latest" ] && pip3 install --no-cache-dir checkov \
 || pip3 install --no-cache-dir checkov==${CHECKOV_VERSION}; \
- apk del gcc libffi-dev musl-dev rust cargo \
+ apk del cargo gcc libffi-dev musl-dev rust \
 ) \
 ; fi
From f46e8f8a493ecc302d5dfa0e6ea14d35f11555ab Mon Sep 17 00:00:00 2001
From: antm-pp
Date: Sat, 24 Feb 2024 01:28:12 +0100
Subject: [PATCH 07/18] fix: Docker Checkov Install: Container structure test: regex excape character syntax
---
 .github/.container-structure-test-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/.container-structure-test-config.yaml b/.github/.container-structure-test-config.yaml
index 95e05f8ba..8980b7d04 100644
--- a/.github/.container-structure-test-config.yaml
+++ b/.github/.container-structure-test-config.yaml
@@ -18,7 +18,7 @@ commandTests:
 - name: "gcc"
 command: "gcc"
 args: ["--version"]
- expectedOutput: ["^gcc \(Alpine 12\..*$"]
+ expectedOutput: ["^gcc \\(Alpine 12\\..*$"]
 - name: "checkov"
 command: "checkov"
From 9b58092fc651dfc44d026f09ed13cbb1cdfb2fb7 Mon Sep 17 00:00:00 2001
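Review bot: The rewritten comment now lists `git` among the packages required to compile rustworkx, but the `apk add --no-cache cargo=~1 gcc=~12 libffi-dev=~3 libgcc=~12 musl-dev=~1 rust=~1 ; \` line directly below it does not install git, so the comment and the package list disagree in this commit. Either add git to both the `apk add` and the `apk del` lists or drop it from the comment until it is actually installed. The enclosing RUN instruction starts outside the hunk.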
From: antm-pp <132563905+antm-pp@users.noreply.github.com>
Date: Sat, 24 Feb 2024 01:37:43 +0100
Subject: [PATCH 08/18] Update .github/.container-structure-test-config.yaml
Co-authored-by: George L. Yermulnik
---
 .github/.container-structure-test-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/.container-structure-test-config.yaml b/.github/.container-structure-test-config.yaml
index 8980b7d04..8cbf7e4de 100644
--- a/.github/.container-structure-test-config.yaml
+++ b/.github/.container-structure-test-config.yaml
@@ -18,7 +18,7 @@ commandTests:
 - name: "gcc"
 command: "gcc"
 args: ["--version"]
- expectedOutput: ["^gcc \\(Alpine 12\\..*$"]
+ expectedOutput: ["^gcc \\(Alpine 12\\."]
 - name: "checkov"
 command: "checkov"
From 3e0d6794cadd3f452d106c2be4626b14cdeb9d60 Mon Sep 17 00:00:00 2001
From: antm-pp
Date: Sat, 24 Feb 2024 01:55:02 +0100
Subject: [PATCH 09/18] fix: Docker Checkov Install: Use git fetch for crates for consistency (https connections to crates.io seems unreliable)
---
 Dockerfile | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 4a78009d7..f0bb94f04 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -66,12 +66,13 @@ RUN if [ "$INSTALL_ALL" != "false" ]; then \
 RUN . /.env && \
 if [ "$CHECKOV_VERSION" != "false" ]; then \
 ( \
- # cargo, gcc, git, musl-dev, and rust required for compilation of rustworkx@0.13.2, no longer required once checkov version depends on rustworkx >0.14.0
+ # cargo, gcc, git, musl-dev, rust and CARGO envvar required for compilation of rustworkx@0.13.2, no longer required once checkov version depends on rustworkx >0.14.0
 # gcc libffi-dev musl-dev required for compilation of cffi, until it contains musl aarch64
- apk add --no-cache cargo=~1 gcc=~12 libffi-dev=~3 libgcc=~12 musl-dev=~1 rust=~1 ; \
+ export CARGO_NET_GIT_FETCH_WITH_CLI=true && \
+ apk add --no-cache cargo=~1 gcc=~12 git=~2 libffi-dev=~3 libgcc=~12 musl-dev=~1 rust=~1 ; \
 [ "$CHECKOV_VERSION" = "latest" ] && pip3 install --no-cache-dir checkov \
 || pip3 install --no-cache-dir checkov==${CHECKOV_VERSION}; \
- apk del cargo gcc libffi-dev musl-dev rust \
+ apk del cargo gcc git libffi-dev musl-dev rust \
 ) \
 ; fi
From 54e5ea2f2d682c1b552ec759d20f517e2650991f Mon Sep 17 00:00:00 2001
From: MaxymVlasov
Date: Thu, 7 Mar 2024 22:22:57 +0200
Subject: [PATCH 10/18] fix(dockerfile): Deal with "successful silent fails" during `docker build`
---
 Dockerfile | 66 ++++++++++++++++++++++++++++++------------------
 1 file changed, 44 insertions(+), 22 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 83d0bc05b..5471a865c 100644
--- a/Dockerfile
+++ b/Dockerfile
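Review bot: `apk del cargo gcc git libffi-dev musl-dev rust` now removes `git` at the end of the checkov block, and git is a runtime dependency of pre-commit itself; if git is also installed earlier in this stage (the rest of the Dockerfile is outside the hunk), this line removes it from the image, which the container structure tests may not cover. If that is the case, drop `git` from the `apk del` list and install it once as a permanent package rather than as a build-only dependency here. A short comment on the `apk del` line stating that git is build-only in this stage would make the intent checkable, e.g. `# build-only toolchain; runtime git (if any) is installed elsewhere`.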
@@ -17,8 +17,10 @@ ARG PRE_COMMIT_VERSION=${PRE_COMMIT_VERSION:-latest}
 ARG TERRAFORM_VERSION=${TERRAFORM_VERSION:-latest}
 # Install pre-commit
-RUN [ ${PRE_COMMIT_VERSION} = "latest" ] && pip3 install --no-cache-dir pre-commit \
- || pip3 install --no-cache-dir pre-commit==${PRE_COMMIT_VERSION}
+RUN if [ ${PRE_COMMIT_VERSION} = "latest" ]; \
+ then pip3 install --no-cache-dir pre-commit; \
+ else pip3 install --no-cache-dir pre-commit==${PRE_COMMIT_VERSION}; \
+ fi
 # Install terraform because pre-commit needs it
 RUN if [ "${TERRAFORM_VERSION}" = "latest" ]; then \
@@ -67,8 +69,10 @@ RUN . /.env && \
 if [ "$CHECKOV_VERSION" != "false" ]; then \
 ( \
 apk add --no-cache gcc=~12 libffi-dev=~3 musl-dev=~1; \
- [ "$CHECKOV_VERSION" = "latest" ] && pip3 install --no-cache-dir checkov \
- || pip3 install --no-cache-dir checkov==${CHECKOV_VERSION}; \
+ if [ "$CHECKOV_VERSION" = "latest" ]; \
+ then pip3 install --no-cache-dir checkov; \
+ else pip3 install --no-cache-dir checkov==${CHECKOV_VERSION}; \
+ fi; \
 apk del gcc libffi-dev musl-dev \
 ) \
 ; fi
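Review bot: `RUN if [ ${PRE_COMMIT_VERSION} = "latest" ]; \` keeps the expansion unquoted, so a value containing whitespace or an explicitly empty value turns into a `[` syntax error rather than taking the else branch; the terraform check two lines below quotes its variable, so `RUN if [ "${PRE_COMMIT_VERSION}" = "latest" ]; \` would be both safer and consistent. In the checkov hunk the conversion to if/then/else does not yet remove the silent fail the commit title describes: the subshell ends with `apk del gcc libffi-dev musl-dev`, so its exit status is apk del's and a failed `pip3 install` is still ignored, and `apk add ...;` is likewise unchecked. The download hunks that follow do propagate curl's status, because `fi;` is the last command before `)`.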
@@ -78,8 +82,10 @@ RUN . /.env && \
 if [ "$INFRACOST_VERSION" != "false" ]; then \
 ( \
 INFRACOST_RELEASES="https://api.github.com/repos/infracost/infracost/releases" && \
- [ "$INFRACOST_VERSION" = "latest" ] && curl -L "$(curl -s ${INFRACOST_RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz \
- || curl -L "$(curl -s ${INFRACOST_RELEASES} | grep -o -E "https://.+?v${INFRACOST_VERSION}/infracost-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz \
+ if [ "$INFRACOST_VERSION" = "latest" ]; \
+ then curl -L "$(curl -s ${INFRACOST_RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz; \
+ else curl -L "$(curl -s ${INFRACOST_RELEASES} | grep -o -E "https://.+?v${INFRACOST_VERSION}/infracost-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz; \
+ fi; \
 ) && tar -xzf infracost.tgz && rm infracost.tgz && mv infracost-${TARGETOS}-${TARGETARCH} infracost \
 ; fi
@@ -88,8 +94,10 @@ RUN . /.env && \
 if [ "$TERRAFORM_DOCS_VERSION" != "false" ]; then \
 ( \
 TERRAFORM_DOCS_RELEASES="https://api.github.com/repos/terraform-docs/terraform-docs/releases" && \
- [ "$TERRAFORM_DOCS_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz \
- || curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES} | grep -o -E "https://.+?v${TERRAFORM_DOCS_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz \
+ if [ "$TERRAFORM_DOCS_VERSION" = "latest" ]; \
+ then curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz; \
+ else curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES} | grep -o -E "https://.+?v${TERRAFORM_DOCS_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz; \
+ fi; \
 ) && tar -xzf terraform-docs.tgz terraform-docs && rm terraform-docs.tgz && chmod +x terraform-docs \
 ; fi
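Review bot: The restructured `then curl -L "$(curl -s ${INFRACOST_RELEASES}/latest | grep ...)" > infracost.tgz; \` lines still download release binaries with `curl -L` and no `-f`, so an HTTP error on the artifact URL is written into `infracost.tgz` with exit status 0 and only fails later at `tar`, while a rate-limited API response leaves `grep` empty and curl fails on an empty URL with an unhelpful message; nothing verifies the integrity of what gets installed into the image. Using `curl -fsSL` on both the API query and the artifact fetch makes the step fail at the real cause, and comparing the archive against a published checksum, where the upstream project provides one, would close the supply-chain gap. The same pattern is in the terraform-docs hunk below and in the terragrunt, terrascan, tflint, tfsec, trivy, tfupdate and hcledit hunks that follow. As a point of style, the tfsec hunk puts `then \` on the `if` line while every other hunk starts the next line with `then`; one form should be used throughout. Each enclosing RUN instruction starts outside its hunk.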
@@ -98,8 +106,10 @@ RUN . /.env \
 && if [ "$TERRAGRUNT_VERSION" != "false" ]; then \
 ( \
 TERRAGRUNT_RELEASES="https://api.github.com/repos/gruntwork-io/terragrunt/releases" && \
- [ "$TERRAGRUNT_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRAGRUNT_RELEASES}/latest | grep -o -E -m 1 "https://.+?/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt \
- || curl -L "$(curl -s ${TERRAGRUNT_RELEASES} | grep -o -E -m 1 "https://.+?v${TERRAGRUNT_VERSION}/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt \
+ if [ "$TERRAGRUNT_VERSION" = "latest" ]; \
+ then curl -L "$(curl -s ${TERRAGRUNT_RELEASES}/latest | grep -o -E -m 1 "https://.+?/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt; \
+ else curl -L "$(curl -s ${TERRAGRUNT_RELEASES} | grep -o -E -m 1 "https://.+?v${TERRAGRUNT_VERSION}/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt; \
+ fi; \
 ) && chmod +x terragrunt \
 ; fi
@@ -112,8 +122,10 @@ RUN . /.env && \
 OS="$(echo ${TARGETOS} | cut -c1 | tr '[:lower:]' '[:upper:]' | xargs echo -n; echo ${TARGETOS} | cut -c2-)"; \
 ( \
 TERRASCAN_RELEASES="https://api.github.com/repos/tenable/terrascan/releases" && \
- [ "$TERRASCAN_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRASCAN_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz \
- || curl -L "$(curl -s ${TERRASCAN_RELEASES} | grep -o -E "https://.+?${TERRASCAN_VERSION}_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz \
+ if [ "$TERRASCAN_VERSION" = "latest" ]; \
+ then curl -L "$(curl -s ${TERRASCAN_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz; \
+ else curl -L "$(curl -s ${TERRASCAN_RELEASES} | grep -o -E "https://.+?${TERRASCAN_VERSION}_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz; \
+ fi; \
 ) && tar -xzf terrascan.tar.gz terrascan && rm terrascan.tar.gz && \
 ./terrascan init \
 ; fi
@@ -123,8 +135,10 @@ RUN . /.env && \
 if [ "$TFLINT_VERSION" != "false" ]; then \
 ( \
 TFLINT_RELEASES="https://api.github.com/repos/terraform-linters/tflint/releases" && \
- [ "$TFLINT_VERSION" = "latest" ] && curl -L "$(curl -s ${TFLINT_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip \
- || curl -L "$(curl -s ${TFLINT_RELEASES} | grep -o -E "https://.+?/v${TFLINT_VERSION}/tflint_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip \
+ if [ "$TFLINT_VERSION" = "latest" ]; \
+ then curl -L "$(curl -s ${TFLINT_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip; \
+ else curl -L "$(curl -s ${TFLINT_RELEASES} | grep -o -E "https://.+?/v${TFLINT_VERSION}/tflint_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip; \
+ fi; \
 ) && unzip tflint.zip && rm tflint.zip \
 ; fi
@@ -133,8 +147,10 @@ RUN . /.env && \
 if [ "$TFSEC_VERSION" != "false" ]; then \
 ( \
 TFSEC_RELEASES="https://api.github.com/repos/aquasecurity/tfsec/releases" && \
- [ "$TFSEC_VERSION" = "latest" ] && curl -L "$(curl -s ${TFSEC_RELEASES}/latest | grep -o -E -m 1 "https://.+?/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec \
- || curl -L "$(curl -s ${TFSEC_RELEASES} | grep -o -E -m 1 "https://.+?v${TFSEC_VERSION}/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec \
+ if [ "$TFSEC_VERSION" = "latest" ]; then \
+ curl -L "$(curl -s ${TFSEC_RELEASES}/latest | grep -o -E -m 1 "https://.+?/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec; \
+ else curl -L "$(curl -s ${TFSEC_RELEASES} | grep -o -E -m 1 "https://.+?v${TFSEC_VERSION}/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec; \
+ fi; \
 ) && chmod +x tfsec \
 ; fi
@@ -144,8 +160,10 @@ RUN . /.env && \
 if [ "$TARGETARCH" != "amd64" ]; then ARCH="$TARGETARCH"; else ARCH="64bit"; fi; \
 ( \
 TRIVY_RELEASES="https://api.github.com/repos/aquasecurity/trivy/releases" && \
- [ "$TRIVY_VERSION" = "latest" ] && curl -L "$(curl -s ${TRIVY_RELEASES}/latest | grep -o -E -i -m 1 "https://.+?/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz \
- || curl -L "$(curl -s ${TRIVY_RELEASES} | grep -o -E -i -m 1 "https://.+?/v${TRIVY_VERSION}/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz \
+ if [ "$TRIVY_VERSION" = "latest" ]; \
+ then curl -L "$(curl -s ${TRIVY_RELEASES}/latest | grep -o -E -i -m 1 "https://.+?/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz; \
+ else curl -L "$(curl -s ${TRIVY_RELEASES} | grep -o -E -i -m 1 "https://.+?/v${TRIVY_VERSION}/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz; \
+ fi; \
 ) && tar -xzf trivy.tar.gz trivy && rm trivy.tar.gz \
 ; fi
@@ -154,8 +172,10 @@ RUN . /.env && \
 if [ "$TFUPDATE_VERSION" != "false" ]; then \
 ( \
 TFUPDATE_RELEASES="https://api.github.com/repos/minamijoyo/tfupdate/releases" && \
- [ "$TFUPDATE_VERSION" = "latest" ] && curl -L "$(curl -s ${TFUPDATE_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz \
- || curl -L "$(curl -s ${TFUPDATE_RELEASES} | grep -o -E -m 1 "https://.+?${TFUPDATE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz \
+ if [ "$TFUPDATE_VERSION" = "latest" ]; \
+ then curl -L "$(curl -s ${TFUPDATE_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz; \
+ else curl -L "$(curl -s ${TFUPDATE_RELEASES} | grep -o -E -m 1 "https://.+?${TFUPDATE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz; \
+ fi; \
 ) && tar -xzf tfupdate.tgz tfupdate && rm tfupdate.tgz \
 ; fi
@@ -164,8 +184,10 @@ RUN . /.env && \
 if [ "$HCLEDIT_VERSION" != "false" ]; then \
 ( \
 HCLEDIT_RELEASES="https://api.github.com/repos/minamijoyo/hcledit/releases" && \
- [ "$HCLEDIT_VERSION" = "latest" ] && curl -L "$(curl -s ${HCLEDIT_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz \
- || curl -L "$(curl -s ${HCLEDIT_RELEASES} | grep -o -E -m 1 "https://.+?${HCLEDIT_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz \
+ if [ "$HCLEDIT_VERSION" = "latest" ]; \
+ then curl -L "$(curl -s ${HCLEDIT_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz; \
+ else curl -L "$(curl -s ${HCLEDIT_RELEASES} | grep -o -E -m 1 "https://.+?${HCLEDIT_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz; \
+ fi; \
 ) && tar -xzf hcledit.tgz hcledit && rm hcledit.tgz \
 ; fi
From 8798d3b4a96003f6113f947d3863b40fba656090 Mon Sep 17 00:00:00 2001
From: MaxymVlasov
Date: Thu, 7 Mar 2024 23:28:57 +0200
Subject: [PATCH 11/18] fix Checkov?
---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 5471a865c..d47537516 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -70,8 +70,8 @@ RUN . /.env && \
 ( \
 apk add --no-cache gcc=~12 libffi-dev=~3 musl-dev=~1; \
 if [ "$CHECKOV_VERSION" = "latest" ]; \
- then pip3 install --no-cache-dir checkov; \
- else pip3 install --no-cache-dir checkov==${CHECKOV_VERSION}; \
+ then pip3 install --no-cache-dir checkov || exit 1; \
+ else pip3 install --no-cache-dir checkov==${CHECKOV_VERSION} || exit 1; \
 fi; \
 apk del gcc libffi-dev musl-dev \
 ) \
From c3322d07931d834f5460ad95a7450b7af7592cb8 Mon Sep 17 00:00:00 2001
From: MaxymVlasov
Date: Thu, 7 Mar 2024 23:45:45 +0200
Subject: [PATCH 12/18] Try use checkov binary. Checkov still needs all deps installed by pip
---
 Dockerfile | 33 ++++++++++++++++++++++++++++++---
 1 file changed, 30 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index d47537516..6c5c22c71 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -70,13 +70,40 @@ RUN . /.env && \
 ( \
 apk add --no-cache gcc=~12 libffi-dev=~3 musl-dev=~1; \
 if [ "$CHECKOV_VERSION" = "latest" ]; \
- then pip3 install --no-cache-dir checkov || exit 1; \
- else pip3 install --no-cache-dir checkov==${CHECKOV_VERSION} || exit 1; \
+ then pip3 install --no-cache-dir checkov || SILENT_FAIL=true; \
+ else pip3 install --no-cache-dir checkov==${CHECKOV_VERSION} || SILENT_FAIL=true; \
 fi; \
- apk del gcc libffi-dev musl-dev \
+ apk del gcc libffi-dev musl-dev; \
+
+ if [ "$SILENT_FAIL" = "true" ]; then \
+ if [ "$TARGETARCH" != "amd64" ]; then ARCH="$TARGETARCH"; else ARCH="X86_64"; fi; \
+ ( \
+ CHECKOV_RELEASES="https://api.github.com/repos/bridgecrewio/checkov/releases" && \
+ if [ "$CHECKOV_VERSION" = "latest" ]; \
+ then curl -L "$(curl -s ${CHECKOV_RELEASES}/latest | grep -o -E -m 1 "https://.+?checkov_${TARGETOS}_${ARCH}.+.zip")" > checkov.zip; \
+ else curl -L "$(curl -s ${CHECKOV_RELEASES} | grep -o -E "https://.+?/v${CHECKOV_VERSION}/checkov_${TARGETOS}_${ARCH}_${CHECKOV_VERSION}.zip")" > checkov.zip; \
+ fi; \
+ ) && unzip checkov.zip && mv dist/checkov checkov && rm -rf checkov.zip dist/ \
+ ; fi; \
 ) \
 ; fi
+
+# Checkov
+# RUN . /.env && \
+# if [ "$CHECKOV_VERSION" != "false" ]; then \
+# if [ "$TARGETARCH" != "amd64" ]; then ARCH="$TARGETARCH"; else ARCH="X86_64"; fi; \
+# ( \
+# CHECKOV_RELEASES="https://api.github.com/repos/bridgecrewio/checkov/releases" && \
+# if [ "$CHECKOV_VERSION" = "latest" ]; \
+# then curl -L "$(curl -s ${CHECKOV_RELEASES}/latest | grep -o -E -m 1 "https://.+?checkov_${TARGETOS}_${ARCH}.+.zip")" > checkov.zip; \
+# else curl -L "$(curl -s ${CHECKOV_RELEASES} | grep -o -E "https://.+?/v${CHECKOV_VERSION}/checkov_${TARGETOS}_${ARCH}_${CHECKOV_VERSION}.zip")" > checkov.zip; \
+# fi; \
+# ) && unzip checkov.zip && mv dist/checkov checkov && rm -rf checkov.zip dist/ \
+# ; fi
+
+
+
 # infracost
 RUN . /.env && \
 if [ "$INFRACOST_VERSION" != "false" ]; then \
From 875999c20580e53138da73141e9ef5f81a0e8076 Mon Sep 17 00:00:00 2001
From: MaxymVlasov
Date: Fri, 8 Mar 2024 00:34:00 +0200
Subject: [PATCH 13/18] Revert "Try use checkov binary. Checkov still needs all deps installed by pip" This reverts commit c3322d07931d834f5460ad95a7450b7af7592cb8.
---
 Dockerfile | 33 +++------------------------------
 1 file changed, 3 insertions(+), 30 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 6c5c22c71..d47537516 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -70,40 +70,13 @@ RUN . /.env && \
 ( \
 apk add --no-cache gcc=~12 libffi-dev=~3 musl-dev=~1; \
 if [ "$CHECKOV_VERSION" = "latest" ]; \
- then pip3 install --no-cache-dir checkov || SILENT_FAIL=true; \
- else pip3 install --no-cache-dir checkov==${CHECKOV_VERSION} || SILENT_FAIL=true; \
+ then pip3 install --no-cache-dir checkov || exit 1; \
+ else pip3 install --no-cache-dir checkov==${CHECKOV_VERSION} || exit 1; \
 fi; \
- apk del gcc libffi-dev musl-dev; \
-
- if [ "$SILENT_FAIL" = "true" ]; then \
- if [ "$TARGETARCH" != "amd64" ]; then ARCH="$TARGETARCH"; else ARCH="X86_64"; fi; \
- ( \
- CHECKOV_RELEASES="https://api.github.com/repos/bridgecrewio/checkov/releases" && \
- if [ "$CHECKOV_VERSION" = "latest" ]; \
- then curl -L "$(curl -s ${CHECKOV_RELEASES}/latest | grep -o -E -m 1 "https://.+?checkov_${TARGETOS}_${ARCH}.+.zip")" > checkov.zip; \
- else curl -L "$(curl -s ${CHECKOV_RELEASES} | grep -o -E "https://.+?/v${CHECKOV_VERSION}/checkov_${TARGETOS}_${ARCH}_${CHECKOV_VERSION}.zip")" > checkov.zip; \
- fi; \
- ) && unzip checkov.zip && mv dist/checkov checkov && rm -rf checkov.zip dist/ \
- ; fi; \
+ apk del gcc libffi-dev musl-dev \
 ) \
 ; fi
-
-# Checkov
-# RUN . /.env && \
-# if [ "$CHECKOV_VERSION" != "false" ]; then \
-# if [ "$TARGETARCH" != "amd64" ]; then ARCH="$TARGETARCH"; else ARCH="X86_64"; fi; \
-# ( \
-# CHECKOV_RELEASES="https://api.github.com/repos/bridgecrewio/checkov/releases" && \
-# if [ "$CHECKOV_VERSION" = "latest" ]; \
-# then curl -L "$(curl -s ${CHECKOV_RELEASES}/latest | grep -o -E -m 1 "https://.+?checkov_${TARGETOS}_${ARCH}.+.zip")" > checkov.zip; \
-# else curl -L "$(curl -s ${CHECKOV_RELEASES} | grep -o -E "https://.+?/v${CHECKOV_VERSION}/checkov_${TARGETOS}_${ARCH}_${CHECKOV_VERSION}.zip")" > checkov.zip; \
-# fi; \
-# ) && unzip checkov.zip && mv dist/checkov checkov && rm -rf checkov.zip dist/ \
-# ; fi
-
-
-
 # infracost
 RUN . /.env && \
 if [ "$INFRACOST_VERSION" != "false" ]; then \
From 3481201359c0f7a24e8afdf4c660b106f17ab00f Mon Sep 17 00:00:00 2001
From: MaxymVlasov
Date: Fri, 8 Mar 2024 00:34:25 +0200
Subject: [PATCH 14/18] Revert "fix Checkov?" This reverts commit 8798d3b4a96003f6113f947d3863b40fba656090.
---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index d47537516..5471a865c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -70,8 +70,8 @@ RUN . /.env && \
 ( \
 apk add --no-cache gcc=~12 libffi-dev=~3 musl-dev=~1; \
 if [ "$CHECKOV_VERSION" = "latest" ]; \
- then pip3 install --no-cache-dir checkov || exit 1; \
- else pip3 install --no-cache-dir checkov==${CHECKOV_VERSION} || exit 1; \
+ then pip3 install --no-cache-dir checkov; \
+ else pip3 install --no-cache-dir checkov==${CHECKOV_VERSION}; \
 fi; \
 apk del gcc libffi-dev musl-dev \
 ) \
From 2f00dcf854c9fbe12a846ea8af831fc4e0612915 Mon Sep 17 00:00:00 2001
From: MaxymVlasov
Date: Fri, 8 Mar 2024 00:41:25 +0200
Subject: [PATCH 15/18] fix silent fail
---
 Dockerfile | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 1730b5798..7578489dc 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -72,8 +72,10 @@ RUN . /.env && \
 # gcc libffi-dev musl-dev required for compilation of cffi, until it contains musl aarch64
 export CARGO_NET_GIT_FETCH_WITH_CLI=true && \
 apk add --no-cache cargo=~1 gcc=~12 git=~2 libffi-dev=~3 libgcc=~12 musl-dev=~1 rust=~1 ; \
- [ "$CHECKOV_VERSION" = "latest" ] && pip3 install --no-cache-dir checkov \
- || pip3 install --no-cache-dir checkov==${CHECKOV_VERSION}; \
+ if [ "$CHECKOV_VERSION" = "latest" ]; \
+ then pip3 install --no-cache-dir checkov || exit 1; \
+ else pip3 install --no-cache-dir checkov==${CHECKOV_VERSION} || exit 1; \
+ fi; \
 apk del cargo gcc git libffi-dev musl-dev rust \
 ) \
 ; fi
From 5e98ae3254e43885259ce2afb5d55480294e9d75 Mon Sep 17 00:00:00 2001
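Review bot: In the "fix silent fail" hunk, `|| exit 1` now makes a failed `pip3 install` abort the build, but the `apk add --no-cache cargo=~1 gcc=~12 git=~2 libffi-dev=~3 libgcc=~12 musl-dev=~1 rust=~1 ; \` context line above it still ends in `;`, so a failed toolchain install is ignored and only surfaces later as a pip compile error far from its cause; `... rust=~1 || exit 1; \` would fail at the real failure. Changing that `;` to `&& \` would not be enough, because when the `&&` list fails the following `apk del` still runs and succeeds, leaving the subshell with exit status 0. The enclosing RUN instruction and the `(` that opens the subshell start outside the hunk.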
From: MaxymVlasov
Date: Fri, 8 Mar 2024 00:42:50 +0200
Subject: [PATCH 16/18] test
---
 .github/workflows/build-image-test.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build-image-test.yaml b/.github/workflows/build-image-test.yaml
index 9dfbda3c6..752a33142 100644
--- a/.github/workflows/build-image-test.yaml
+++ b/.github/workflows/build-image-test.yaml
@@ -1,6 +1,6 @@
 name: "Build Dockerfile if changed and run smoke tests"
-on: [pull_request]
+on: push
 env:
 IMAGE_TAG: pr-test
From 1ca976a300abda7747be8693812d1aa68d8f02d8 Mon Sep 17 00:00:00 2001
From: Maksym Vlasov
Date: Fri, 8 Mar 2024 02:27:49 +0200
Subject: [PATCH 17/18] Apply suggestions from code review
---
 .github/workflows/build-image-test.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build-image-test.yaml b/.github/workflows/build-image-test.yaml
index 752a33142..9dfbda3c6 100644
--- a/.github/workflows/build-image-test.yaml
+++ b/.github/workflows/build-image-test.yaml
@@ -1,6 +1,6 @@
 name: "Build Dockerfile if changed and run smoke tests"
-on: push
+on: [pull_request]
 env:
 IMAGE_TAG: pr-test
From 01d086847237901fbb37a41d45bb206850cb9331 Mon Sep 17 00:00:00 2001
From: Maksym Vlasov
Date: Fri, 8 Mar 2024 02:28:51 +0200
Subject: [PATCH 18/18] Apply suggestions from code review
---
 Dockerfile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Dockerfile b/Dockerfile
index 7578489dc..242a45405 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -69,6 +69,7 @@ RUN . /.env && \
 if [ "$CHECKOV_VERSION" != "false" ]; then \
 ( \
 # cargo, gcc, git, musl-dev, rust and CARGO envvar required for compilation of rustworkx@0.13.2, no longer required once checkov version depends on rustworkx >0.14.0
+ # https://github.com/bridgecrewio/checkov/pull/6045
 # gcc libffi-dev musl-dev required for compilation of cffi, until it contains musl aarch64
 export CARGO_NET_GIT_FETCH_WITH_CLI=true && \
 apk add --no-cache cargo=~1 gcc=~12 git=~2 libffi-dev=~3 libgcc=~12 musl-dev=~1 rust=~1 ; \