Integrate Static Code Analysis Tools #24
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Enhance build security by integrating static code analysis tools: Hadolint, ShellCheck, and Checkov. Scan using ShellCheck, Hadolint and Checkov are restricted to the 1.1.21.2 release folder.
Docker only evaluates the exit code of the last operation after the pipe in a RUN statement to determine success. Specifying 'pipefail' will cause the build to fail due to an error at any stage of a RUN command with pipes. Addresses Hadolint DL4006 warning: Set the SHELL option -o pipefail before RUN with a pipe in it. Setting the -e option instructs bash to immediately exit if any command in a RUN statement has a non-zero exit status. Setting the -u option triggers an error if a variable is referenced that has not been previously defined. Setting runDeps using a list passed to 'apk info --installed' returns a non zero exit status if one of the packages listed is not installed. Added '|| true' to force an exit status of 0.
Check for open gearmand port. Healthcheck will fail if gearmand is not listening. Addresses Checkov issue: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
Skip Hadolint rule SC2086 (Double quote to prevent globbing and word splitting) because package list 'runDeps' is programmatically generated.
Adresses Hadolint issue - DL3047 info: Avoid use of wget without progress bar.
Ignoring Hadolint rule DL3019 (Use the --no-cache switch) as this appears to be a false positive. Dockerfile is making use of the '--no-cache' switch.
Skip Hadolint rule DL3018 (DL3018 warning: Pin versions in apk add) because Alpine does not keep older package versions which will cause builds to break when packages are updated. Skip Hadolint rule DL3003 (Use WORKDIR to switch to a directory) as breaking up the main 'RUN apk add' statement would create more layers in the build.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This pull request enhances build security by integrating three static code analysis tools as Github actions: Hadolint, ShellCheck, and Checkov.
Scan using ShellCheck, Hadolint and Checkov are restricted to the 1.1.21.2 release folder.
This PR also addresses the items that these tools have identified.