merged commands to improve amount of layers as recommended by Wiz IaC Scanner on PR review

Signed-off-by: Alfredo Gutierrez <[email protected]>
AlfredoG87 committed Apr 1, 2024
1 parent a3b0773 commit 3fb03f4
Showing 1 changed file with 15 additions and 29 deletions.
44 changes: 15 additions & 29 deletions auth-layer-proxy/Dockerfile
@@ -1,29 +1,15 @@
FROM envoyproxy/envoy:v1.28-latest

# Copy the Filter Scripts
COPY /filters/ /etc/envoy/filters/
# Copy the Configs templates
COPY /configs/ /etc/envoy/configs/
# Copy the start script
COPY /scripts/start-envoy.sh /etc/envoy/start-envoy.sh

# Make the script executable
RUN chmod +x /etc/envoy/start-envoy.sh
# give ownership to envoy user
RUN chown -R envoy:envoy /etc/envoy

# install gettext for envsubst
RUN apt-get update
RUN apt-get install -y gettext-base

# Install Lua and Luarocks
RUN apt-get update && apt-get install -y lua5.1 luarocks git

# clean up temp data
RUN rm -rf /var/lib/apt/lists/*

# Install Lua modules
RUN luarocks install lua-cjson

# Install http socket module
RUN luarocks install luasocket
FROM envoyproxy/envoy:v1.28-latest

Check failure on line 1 in auth-layer-proxy/Dockerfile

Wiz Inc. (8f76296f7c) / Wiz IaC Scanner

Missing User Instruction

Rule ID: 9b87d2f6-a547-474c-bd17-1982b80b540c Severity: High Resource: FROM={{envoyproxy/envoy:v1.28-latest}} A user should be specified in the dockerfile, otherwise the image will run as root
Raw output
Expected: The 'Dockerfile' should contain the 'USER' instruction
Found: The 'Dockerfile' does not contain any 'USER' instruction

Check notice on line 1 in auth-layer-proxy/Dockerfile

Wiz Inc. (8f76296f7c) / Wiz IaC Scanner

Healthcheck Instruction Missing

Rule ID: 52ab40ee-72d1-4fcf-b295-20834d179270 Severity: Low Resource: FROM={{envoyproxy/envoy:v1.28-latest}} Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working
Raw output
Expected: Dockerfile should contain instruction 'HEALTHCHECK'
Found: Dockerfile doesn't contain instruction 'HEALTHCHECK'

# Copy all necessary files
COPY /filters/ /etc/envoy/filters/
COPY /configs/ /etc/envoy/configs/
COPY /scripts/start-envoy.sh /etc/envoy/start-envoy.sh

# Make the start script executable, change ownership, install dependencies, and clean up in a single RUN to reduce layers
RUN chmod +x /etc/envoy/start-envoy.sh && \

Check warning on line 9 in auth-layer-proxy/Dockerfile

Wiz Inc. (8f76296f7c) / Wiz IaC Scanner

Apt Get Install Pin Version Not Defined

Rule ID: 0518662c-4712-415e-b472-81149607b767 Severity: Medium Resource: FROM={{envoyproxy/envoy:v1.28-latest}}.RUN={{chmod +x /etc/envoy/start-envoy.sh && chown -R envoy:envoy /etc/envoy && apt-get update && apt-get install -y gettext-base lua5.1 luarocks git && luarocks install lua-cjson && luarocks install luasocket && rm -rf /var/lib/apt/lists/*}} When installing a package, its pin version should be defined
Raw output
Expected: Package 'gettext-base' has version defined
Found: Package 'gettext-base' does not have version defined

Check warning on line 9 in auth-layer-proxy/Dockerfile

Wiz Inc. (8f76296f7c) / Wiz IaC Scanner

Apt Get Install Pin Version Not Defined

Rule ID: 0518662c-4712-415e-b472-81149607b767 Severity: Medium Resource: FROM={{envoyproxy/envoy:v1.28-latest}}.RUN={{chmod +x /etc/envoy/start-envoy.sh && chown -R envoy:envoy /etc/envoy && apt-get update && apt-get install -y gettext-base lua5.1 luarocks git && luarocks install lua-cjson && luarocks install luasocket && rm -rf /var/lib/apt/lists/*}} When installing a package, its pin version should be defined
Raw output
Expected: Package 'git' has version defined
Found: Package 'git' does not have version defined

Check warning on line 9 in auth-layer-proxy/Dockerfile

Wiz Inc. (8f76296f7c) / Wiz IaC Scanner

Apt Get Install Pin Version Not Defined

Rule ID: 0518662c-4712-415e-b472-81149607b767 Severity: Medium Resource: FROM={{envoyproxy/envoy:v1.28-latest}}.RUN={{chmod +x /etc/envoy/start-envoy.sh && chown -R envoy:envoy /etc/envoy && apt-get update && apt-get install -y gettext-base lua5.1 luarocks git && luarocks install lua-cjson && luarocks install luasocket && rm -rf /var/lib/apt/lists/*}} When installing a package, its pin version should be defined
Raw output
Expected: Package 'lua5.1' has version defined
Found: Package 'lua5.1' does not have version defined

Check warning on line 9 in auth-layer-proxy/Dockerfile

Wiz Inc. (8f76296f7c) / Wiz IaC Scanner

Apt Get Install Pin Version Not Defined

Rule ID: 0518662c-4712-415e-b472-81149607b767 Severity: Medium Resource: FROM={{envoyproxy/envoy:v1.28-latest}}.RUN={{chmod +x /etc/envoy/start-envoy.sh && chown -R envoy:envoy /etc/envoy && apt-get update && apt-get install -y gettext-base lua5.1 luarocks git && luarocks install lua-cjson && luarocks install luasocket && rm -rf /var/lib/apt/lists/*}} When installing a package, its pin version should be defined
Raw output
Expected: Package 'luarocks' has version defined
Found: Package 'luarocks' does not have version defined

Check notice on line 9 in auth-layer-proxy/Dockerfile

Wiz Inc. (8f76296f7c) / Wiz IaC Scanner

APT-GET Not Avoiding Additional Packages

Rule ID: 15862929-8b16-4974-b8dc-04bb9db86686 Severity: None Resource: FROM={{envoyproxy/envoy:v1.28-latest}}.{{RUN chmod +x /etc/envoy/start-envoy.sh && chown -R envoy:envoy /etc/envoy && apt-get update && apt-get install -y gettext-base lua5.1 luarocks git && luarocks install lua-cjson && luarocks install luasocket && rm -rf /var/lib/apt/lists/*}} Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages.
Raw output
Expected: 'RUN chmod +x /etc/envoy/start-envoy.sh &&     chown -R envoy:envoy /etc/envoy &&     apt-get update &&     apt-get install -y gettext-base lua5.1 luarocks git &&     luarocks install lua-cjson &&     luarocks install luasocket &&     rm -rf /var/lib/apt/lists/*' uses '--no-install-recommends' flag to avoid installing additional packages
Found: 'RUN chmod +x /etc/envoy/start-envoy.sh &&     chown -R envoy:envoy /etc/envoy &&     apt-get update &&     apt-get install -y gettext-base lua5.1 luarocks git &&     luarocks install lua-cjson &&     luarocks install luasocket &&     rm -rf /var/lib/apt/lists/*' does not use '--no-install-recommends' flag to avoid installing additional packages
chown -R envoy:envoy /etc/envoy && \
apt-get update && \
apt-get install -y gettext-base lua5.1 luarocks git && \
luarocks install lua-cjson && \
luarocks install luasocket && \
rm -rf /var/lib/apt/lists/*
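Review bot: `chown -R envoy:envoy /etc/envoy` prepares the tree for the envoy user, but nothing in the new file ever switches to that user: there is no `USER envoy` after the RUN, so unless start-envoy.sh drops privileges on its own the proxy still runs as root, which is the High finding Wiz attached to line 1. Adding `USER envoy` as the last instruction closes it. In the same RUN, `apt-get install -y gettext-base lua5.1 luarocks git` pulls in recommended packages and unpinned versions (the four Medium findings and the notice above); `apt-get install -y --no-install-recommends gettext-base=<version> ...` addresses both, and it is worth asking whether `git` needs to stay in the runtime image at all. The two `luarocks install` calls are also unpinned and fetch from the network at build time, and `FROM envoyproxy/envoy:v1.28-latest` is a floating tag, so two builds of this same commit can yield different images; pinning the rocks (`luarocks install lua-cjson <version>`) and the base image by digest would make the build reproducible. The merge itself is an improvement beyond layer count: with `rm -rf /var/lib/apt/lists/*` in the same layer as `apt-get update`, the package lists no longer survive in an earlier layer, which the previous separate RUN could not achieve. HEALTHCHECK is still absent, as the Low finding notes.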
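The findings Wiz attached to this diff (no USER, no HEALTHCHECK, apt packages without a version pin, apt-get without --no-install-recommends) are plain textual properties of the Dockerfile, so the same checks can run locally before a push. The script below is an added example written for this page; it is not Wiz's scanner and not code from the repository this commit belongs to. It adds one rule of its own that the Wiz output does not show (base image pinned by digest). Both sample Dockerfiles are constructed: BEFORE mirrors the merged file from this commit, and HARDENED uses placeholder version strings, a placeholder all-zero digest, and assumes an Envoy admin listener answering /ready on port 9901 and a curl binary in the image for the healthcheck.

```python
"""Minimal Dockerfile policy checker in the spirit of the Wiz IaC findings
on this commit. Added example for this page, not Wiz's scanner and not part
of the repository. Severities mirror the Wiz annotations where one exists."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    severity: str
    line: int      # line of the offending instruction in the Dockerfile
    detail: str


def parse_dockerfile(text):
    """Return [(line_no, INSTRUCTION, args)]. Backslash continuations are
    joined, whitespace normalised, blank and comment lines dropped (Docker
    permits comment lines in the middle of a continuation)."""
    out, buf, start = [], "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        instr, _, args = buf.partition(" ")
        out.append((start, instr.upper(), " ".join(args.split())))
        buf, start = "", None
    return out


DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
APT_INSTALL = re.compile(r"^apt-get\s+(?:-\S+\s+)*install\b")


def check(text):
    """Run every rule over a Dockerfile and return the findings."""
    findings = []
    instrs = parse_dockerfile(text)
    for line, instr, args in instrs:
        if instr == "FROM":
            image = next(t for t in args.split() if not t.startswith("--"))
            if not DIGEST.search(image):  # our own rule, not a Wiz rule shown above
                findings.append(Finding("base-image-not-pinned", "Medium", line,
                                        f"{image}: no @sha256 digest, tag can move"))
        elif instr == "RUN":
            # one RUN may chain several commands with &&; inspect each of them
            for seg in (s.strip() for s in args.split("&&")):
                if not APT_INSTALL.match(seg):
                    continue
                tokens = seg.split()
                if "--no-install-recommends" not in tokens:
                    findings.append(Finding("apt-no-install-recommends", "Info", line, seg))
                for pkg in tokens[tokens.index("install") + 1:]:
                    if not pkg.startswith("-") and "=" not in pkg:
                        findings.append(Finding("apt-pin-version", "Medium", line,
                                                f"package '{pkg}' has no version pin"))
    present = {instr for _, instr, _ in instrs}
    if "USER" not in present:
        findings.append(Finding("missing-user", "High", 1,
                                "no USER instruction: container runs as root"))
    if "HEALTHCHECK" not in present:
        findings.append(Finding("missing-healthcheck", "Low", 1, "no HEALTHCHECK instruction"))
    return findings


# Constructed sample: the merged Dockerfile from this commit.
BEFORE = r"""
FROM envoyproxy/envoy:v1.28-latest

COPY /filters/ /etc/envoy/filters/
COPY /configs/ /etc/envoy/configs/
COPY /scripts/start-envoy.sh /etc/envoy/start-envoy.sh

RUN chmod +x /etc/envoy/start-envoy.sh && \
    chown -R envoy:envoy /etc/envoy && \
    apt-get update && \
    apt-get install -y gettext-base lua5.1 luarocks git && \
    luarocks install lua-cjson && \
    luarocks install luasocket && \
    rm -rf /var/lib/apt/lists/*
"""

# Constructed hardened variant. Version strings and the digest are placeholders
# (look real ones up with `apt-cache policy <pkg>` and the registry); the probe
# assumes Envoy's admin listener on 9901 and curl present in the image.
HARDENED = r"""
FROM envoyproxy/envoy:v1.28-latest@sha256:""" + "0" * 64 + r"""

COPY /filters/ /etc/envoy/filters/
COPY /configs/ /etc/envoy/configs/
COPY /scripts/start-envoy.sh /etc/envoy/start-envoy.sh

RUN chmod +x /etc/envoy/start-envoy.sh && \
    chown -R envoy:envoy /etc/envoy && \
    apt-get update && \
    apt-get install -y --no-install-recommends \
        gettext-base=1.0-example lua5.1=1.0-example \
        luarocks=1.0-example git=1.0-example && \
    luarocks install lua-cjson && \
    luarocks install luasocket && \
    rm -rf /var/lib/apt/lists/*

HEALTHCHECK --interval=30s --timeout=3s \
    CMD ["curl", "-f", "http://127.0.0.1:9901/ready"]
USER envoy
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("hardened", HARDENED)):
        found = check(text)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print(f"  line {f.line} [{f.severity}] {f.rule}: {f.detail}")
```

Running it reports eight findings for BEFORE (the two line-1 findings, the four unpinned packages, the missing --no-install-recommends, and the unpinned base image) and none for HARDENED. The continuation-joining in parse_dockerfile matters: the chmod/chown/apt/luarocks chain in this commit is one RUN spread over seven lines, and a checker that looked at physical lines would miss the apt-get install entirely.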

0 comments on commit 3fb03f4