From c53917d486d98c3cbe47c233f3dfcb537b4b2f82 Mon Sep 17 00:00:00 2001
From: Dmitriy Safronov
Date: Mon, 19 Feb 2024 23:19:42 +0400
Subject: [PATCH 1/3] test
Signed-off-by: Dmitriy Safronov
---
 Dockerfile | 24 ++++++++----------------
 1 file changed, 8 insertions(+), 16 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index eebef9d..2f34f35 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,33 +2,25 @@ ARG DOCKER_REGISTRY=registry.cyberbrain.pw
 FROM anchore/grype:latest AS base
 FROM $DOCKER_REGISTRY/tools/docker/alpine:latest AS common
-
-FROM common AS executor
 SHELL ["/bin/ash", "-euo", "pipefail", "-c"]
 ENV GRYPE_CHECK_FOR_APP_UPDATE="false" \
 GRYPE_DB_CACHE_DIR="/tmp/db" \
 GRYPE_DB_AUTO_UPDATE="false"
 COPY --from=base /grype /bin/grype
+RUN chmod a+x /bin/grype && \
+ mkdir -p ${GRYPE_DB_CACHE_DIR} && \
+ chmod -R 0777 ${GRYPE_DB_CACHE_DIR}
+
+FROM common AS executor
 ARG CACHEBUST=static
 RUN set -ex && \
- chmod a+x /bin/grype && \
- mkdir -p ${GRYPE_DB_CACHE_DIR} && \
- chmod -R 0777 ${GRYPE_DB_CACHE_DIR} && \
 echo ${CACHEBUST} && \
 if test -n "$(/bin/grype db update -v | grep 'unable to check for vulnerability database update')"; then echo "Update failed!"; exit 1; else true; fi
 FROM common AS runtime
-ENV GRYPE_CHECK_FOR_APP_UPDATE="false" \
- GRYPE_DB_CACHE_DIR="/srv/grype/db" \
- GRYPE_DB_AUTO_UPDATE="false"
-COPY --from=base /grype /bin/
-RUN set -ex && \
- chmod a+x /bin/grype && \
- mkdir -p ${GRYPE_DB_CACHE_DIR} && \
- chmod -R 0777 ${GRYPE_DB_CACHE_DIR}
-COPY --from=executor /tmp/db ${GRYPE_DB_CACHE_DIR}
-RUN set -ex && \
- chmod -R 0555 ${GRYPE_DB_CACHE_DIR}
+COPY --from=executor ${GRYPE_DB_CACHE_DIR}/ ${GRYPE_DB_CACHE_DIR}/
 LABEL org.label-schema.description="A vulnerability scanner for container images and filesystems (standalone)"
 ENTRYPOINT [ "/bin/grype" ]
 CMD [ "--help" ]
+
+FROM runtime AS release
--
GitLab
From 5c1350583f5646b8a41817287209fd3a373a7036 Mon Sep 17 00:00:00 2001
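Review bot: The runtime stage loses its read-only database: the removed `RUN set -ex && chmod -R 0555 ${GRYPE_DB_CACHE_DIR}` has no replacement, and because `runtime` now builds on `common`, the `/tmp/db` directory already exists in its layers with the `chmod -R 0777` applied there, while the new `COPY --from=executor ${GRYPE_DB_CACHE_DIR}/ ${GRYPE_DB_CACHE_DIR}/` keeps the modes of the copied files. The result is a world-writable vulnerability database in the final image even though `GRYPE_DB_AUTO_UPDATE="false"` means nothing is expected to write to it at run time, so any process in the container could alter what the scanner reports. Restoring one line after the COPY, `RUN chmod -R 0555 ${GRYPE_DB_CACHE_DIR}`, keeps the previous hardening. The cache location also silently moves from `/srv/grype/db` to `/tmp/db` for the runtime stage; if operators mount a tmpfs over `/tmp`, the baked-in database is hidden and scans fail with auto-update disabled, which deserves a comment on the ENV such as `# DB is baked into /tmp/db: do not mount a tmpfs over /tmp when running this image`. The hunk starts at line 2 of the Dockerfile, so the `ARG DOCKER_REGISTRY` line is outside it.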
From: Dmitriy Safronov
Date: Tue, 20 Feb 2024 00:01:55 +0400
Subject: [PATCH 2/3] alpine -> grype
Signed-off-by: Dmitriy Safronov
---
 Dockerfile | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 2f34f35..0ad4ce8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,26 +1,26 @@
 ARG DOCKER_REGISTRY=registry.cyberbrain.pw
-FROM anchore/grype:latest AS base
-FROM $DOCKER_REGISTRY/tools/docker/alpine:latest AS common
+FROM anchore/grype:latest AS grype
+FROM $DOCKER_REGISTRY/tools/docker/alpine:latest AS loader
 SHELL ["/bin/ash", "-euo", "pipefail", "-c"]
 ENV GRYPE_CHECK_FOR_APP_UPDATE="false" \
 GRYPE_DB_CACHE_DIR="/tmp/db" \
 GRYPE_DB_AUTO_UPDATE="false"
-COPY --from=base /grype /bin/grype
+COPY --from=grype /grype /bin/grype
 RUN chmod a+x /bin/grype && \
 mkdir -p ${GRYPE_DB_CACHE_DIR} && \
 chmod -R 0777 ${GRYPE_DB_CACHE_DIR}
-
-FROM common AS executor
 ARG CACHEBUST=static
-RUN set -ex && \
- echo ${CACHEBUST} && \
- if test -n "$(/bin/grype db update -v | grep 'unable to check for vulnerability database update')"; then echo "Update failed!"; exit 1; else true; fi
+RUN set -ex; \
+ echo ${CACHEBUST}; \
+ grype db update -v || ( echo "Update failed!"; exit 1 )
-FROM common AS runtime
-COPY --from=executor ${GRYPE_DB_CACHE_DIR}/ ${GRYPE_DB_CACHE_DIR}/
+FROM grype AS runtime
+ENV GRYPE_CHECK_FOR_APP_UPDATE="false" \
+ GRYPE_DB_CACHE_DIR="/tmp/db" \
+ GRYPE_DB_AUTO_UPDATE="false"
+COPY --from=loader ${GRYPE_DB_CACHE_DIR}/ ${GRYPE_DB_CACHE_DIR}/
 LABEL org.label-schema.description="A vulnerability scanner for container images and filesystems (standalone)"
-ENTRYPOINT [ "/bin/grype" ]
 CMD [ "--help" ]
 FROM runtime AS release
--
GitLab
From 5a01cea52c7d378244f5b22c0490cc55dcb90045 Mon Sep 17 00:00:00 2001
From: Dmitriy Safronov
Date: Tue, 20 Feb 2024 00:09:12 +0400
Subject: [PATCH 3/3] cachebust
Signed-off-by: Dmitriy Safronov
---
 Dockerfile | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
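Review bot: Both new base references are unpinned, `+FROM anchore/grype:latest AS grype` and `+FROM $DOCKER_REGISTRY/tools/docker/alpine:latest AS loader`, and since `+FROM grype AS runtime` now also inherits the final filesystem from that upstream tag, the scanner binary, its runtime layers and the database that gets baked in all drift between builds with no record in the Dockerfile; pin tag and digest, e.g. `FROM anchore/grype:<version>@sha256:<digest> AS grype` (placeholders, to be filled from the registry). Removing `-ENTRYPOINT [ "/bin/grype" ]` makes the runtime stage depend on whatever entrypoint the upstream image defines, which a reader of this file cannot see; a comment such as `# ENTRYPOINT is inherited from the anchore/grype base image; CMD only supplies default args` above `CMD` would document that. The new `grype db update -v || ( echo "Update failed!"; exit 1 )` also drops the earlier grep for the 'unable to check for vulnerability database update' message and trusts the command's exit status alone, so it is worth confirming that `grype db update` exits non-zero in that situation before relying on this as the only gate.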
diff --git a/Dockerfile b/Dockerfile
index 0ad4ce8..66627c7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,9 +11,8 @@ RUN chmod a+x /bin/grype && \
 mkdir -p ${GRYPE_DB_CACHE_DIR} && \
 chmod -R 0777 ${GRYPE_DB_CACHE_DIR}
 ARG CACHEBUST=static
-RUN set -ex; \
- echo ${CACHEBUST}; \
- grype db update -v || ( echo "Update failed!"; exit 1 )
+RUN set -e; \
+ TMP="${CACHEBUST}" grype db update -v || ( echo "Update failed!"; exit 1 )
 FROM grype AS runtime
 ENV GRYPE_CHECK_FOR_APP_UPDATE="false" \
--
GitLab
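Review bot: The new `TMP="${CACHEBUST}" grype db update -v` line sets a variable nothing reads and needs a comment saying why: a build argument only invalidates the cache of the first `RUN` that references it, so the reference is what makes a fresh `--build-arg CACHEBUST=...` re-download the database. `TMP` is also a conventional temporary-directory variable name on some platforms, so `CACHEBUST="${CACHEBUST}" grype db update -v` states the intent and avoids any chance of the value being interpreted by the tool. Because the context line keeps `ARG CACHEBUST=static` as the default, a build that passes nothing reuses the cached layer and ships a stale vulnerability database into an image that runs with auto-update disabled; a comment on the ARG line such as `# pass --build-arg CACHEBUST=<unique value per build> to force a fresh DB download` would make that operational requirement visible to whoever maintains the CI job.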