-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
- Loading branch information
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,4 @@ | ||
| ARG UBI_MINIMAL_VERSION="latest" | ||
|
Check notice Code scanning / Trivy No HEALTHCHECK defined Low
Artifact: dockerfiles/agent/fips.Dockerfile
Type: dockerfile Vulnerability DS026 Severity: LOW Message: Add HEALTHCHECK instruction in your Dockerfile Link: DS026 Check failure Code scanning / Trivy Secrets passed via `build-args` or envs or copied secret files Critical
Artifact: dockerfiles/agent/fips.Dockerfile
Type: dockerfile Vulnerability DS031 Severity: CRITICAL Message: (?i)(?:_|^)(?:apikey|auth|credential|credentials|key|passwd|password|psw|pword|secret|token|usr)(?:_|$) Link: DS031 Check failure Code scanning / Trivy Secrets passed via `build-args` or envs or copied secret files Critical
Artifact: dockerfiles/agent/fips.Dockerfile
Type: dockerfile Vulnerability DS031 Severity: CRITICAL Message: apikey Link: DS031 Check failure Code scanning / Trivy Secrets passed via `build-args` or envs or copied secret files Critical
Artifact: dockerfiles/agent/fips.Dockerfile
Type: dockerfile Vulnerability DS031 Severity: CRITICAL Message: auth Link: DS031 Check failure Code scanning / Trivy Secrets passed via `build-args` or envs or copied secret files Critical
Artifact: dockerfiles/agent/fips.Dockerfile
Type: dockerfile Vulnerability DS031 Severity: CRITICAL Message: credential Link: DS031 Check failure Code scanning / Trivy Secrets passed via `build-args` or envs or copied secret files Critical
Artifact: dockerfiles/agent/fips.Dockerfile
Type: dockerfile Vulnerability DS031 Severity: CRITICAL Message: credentials Link: DS031 Check failure Code scanning / Trivy Secrets passed via `build-args` or envs or copied secret files Critical
Artifact: dockerfiles/agent/fips.Dockerfile
Type: dockerfile Vulnerability DS031 Severity: CRITICAL Message: key Link: DS031 Check failure Code scanning / Trivy Secrets passed via `build-args` or envs or copied secret files Critical
Artifact: dockerfiles/agent/fips.Dockerfile
Type: dockerfile Vulnerability DS031 Severity: CRITICAL Message: passwd Link: DS031 Check failure Code scanning / Trivy Secrets passed via `build-args` or envs or copied secret files Critical
Artifact: dockerfiles/agent/fips.Dockerfile
Type: dockerfile Vulnerability DS031 Severity: CRITICAL Message: password Link: DS031 Check failure Code scanning / Trivy Secrets passed via `build-args` or envs or copied secret files Critical
Artifact: dockerfiles/agent/fips.Dockerfile
Type: dockerfile Vulnerability DS031 Severity: CRITICAL Message: psw Link: DS031 Check failure Code scanning / Trivy Secrets passed via `build-args` or envs or copied secret files Critical
Artifact: dockerfiles/agent/fips.Dockerfile
Type: dockerfile Vulnerability DS031 Severity: CRITICAL Message: pword Link: DS031 Check failure Code scanning / Trivy Secrets passed via `build-args` or envs or copied secret files Critical
Artifact: dockerfiles/agent/fips.Dockerfile
Type: dockerfile Vulnerability DS031 Severity: CRITICAL Message: secret Link: DS031 Check failure Code scanning / Trivy Secrets passed via `build-args` or envs or copied secret files Critical
Artifact: dockerfiles/agent/fips.Dockerfile
Type: dockerfile Vulnerability DS031 Severity: CRITICAL Message: token Link: DS031 Check failure Code scanning / Trivy Secrets passed via `build-args` or envs or copied secret files Critical
Artifact: dockerfiles/agent/fips.Dockerfile
Type: dockerfile Vulnerability DS031 Severity: CRITICAL Message: usr Link: DS031 |
||
| ARG GO_FIPS_IMAGE_TAG=latest | ||
| ARG GO_FIPS_IMAGE_REPO=go-fips | ||
| ARG GO_FIPS_BASE_IMAGE=$GO_FIPS_IMAGE_REPO:$GO_FIPS_IMAGE_TAG | ||
|
|
@@ -7,7 +8,6 @@ FROM ${GO_FIPS_BASE_IMAGE} AS builder | |
| # Set environment variables for FIPS compliance | ||
| ENV OPENSSL_FIPS=1 | ||
| ENV FIPS_MODE=true | ||
|
|
||
| # Set up Go environment | ||
| ENV CGO_ENABLED=1 | ||
| ENV CC=gcc | ||
|
|
@@ -27,27 +27,22 @@ COPY /cmd/agent cmd/agent | |
| COPY /pkg pkg/ | ||
| COPY /api api/ | ||
| COPY /internal internal/ | ||
|
|
||
| RUN go install github.com/acardace/fips-detect@latest | ||
|
|
||
| # Build | ||
| RUN GOOS=linux GOARCH=${TARGETARCH} GO111MODULE=on go build -a -o deployment-agent cmd/agent/*.go | ||
|
|
||
|
|
||
| FROM registry.access.redhat.com/ubi8/ubi | ||
| # This the minimal UBI FIPS compliance image | ||
| FROM registry.access.redhat.com/ubi8/ubi-minimal:$UBI_MINIMAL_VERSION | ||
| WORKDIR /workspace | ||
|
|
||
| # Set environment variables for FIPS | ||
| # Set environment variables for FIPS compliance in the runtime | ||
| ENV OPENSSL_FIPS=1 | ||
| ENV FIPS_MODE=true | ||
|
|
||
| # Install required packages, including openssl and fips-initramfs | ||
| RUN yum install -y openssl podman && \ | ||
| yum clean all | ||
| RUN microdnf install -y openssl && \ | ||
| microdnf clean all | ||
|
|
||
| # Enable FIPS mode | ||
| RUN fips-mode-setup --enable | ||
| RUN mkdir /.kube && chown 65532:65532 /.kube | ||
|
|
||
| COPY --from=builder /workspace/deployment-agent . | ||
| USER 65532:65532 | ||
|
|
||
| ENTRYPOINT ["/workspace/deployment-agent"] | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,13 +1,16 @@ | ||
| # Use Red Hat UBI8 base image | ||
| FROM registry.access.redhat.com/ubi8/ubi AS go | ||
| # This Dockerfile builds Go FIPS with OpenSSL | ||
|
Check failure Code scanning / Trivy Image user should not be 'root' High
Artifact: dockerfiles/fips/go.Dockerfile
Type: dockerfile Vulnerability DS002 Severity: HIGH Message: Specify at least 1 USER command in Dockerfile with non-root user as argument Link: DS002 Check notice Code scanning / Trivy No HEALTHCHECK defined Low
Artifact: dockerfiles/fips/go.Dockerfile
Type: dockerfile Vulnerability DS026 Severity: LOW Message: Add HEALTHCHECK instruction in your Dockerfile Link: DS026 Check failure Code scanning / Trivy Secrets passed via `build-args` or envs or copied secret files Critical
Artifact: dockerfiles/fips/go.Dockerfile
Type: dockerfile Vulnerability DS031 Severity: CRITICAL Message: (?i)(?:_|^)(?:apikey|auth|credential|credentials|key|passwd|password|psw|pword|secret|token|usr)(?:_|$) Link: DS031 Check failure Code scanning / Trivy Secrets passed via `build-args` or envs or copied secret files Critical
Artifact: dockerfiles/fips/go.Dockerfile
Type: dockerfile Vulnerability DS031 Severity: CRITICAL Message: apikey Link: DS031 Check failure Code scanning / Trivy Secrets passed via `build-args` or envs or copied secret files Critical
Artifact: dockerfiles/fips/go.Dockerfile
Type: dockerfile Vulnerability DS031 Severity: CRITICAL Message: auth Link: DS031 Check failure Code scanning / Trivy Secrets passed via `build-args` or envs or copied secret files Critical
Artifact: dockerfiles/fips/go.Dockerfile
Type: dockerfile Vulnerability DS031 Severity: CRITICAL Message: credential Link: DS031 Check failure Code scanning / Trivy Secrets passed via `build-args` or envs or copied secret files Critical
Artifact: dockerfiles/fips/go.Dockerfile
Type: dockerfile Vulnerability DS031 Severity: CRITICAL Message: credentials Link: DS031 Check failure Code scanning / Trivy Secrets passed via `build-args` or envs or copied secret files Critical
Artifact: dockerfiles/fips/go.Dockerfile
Type: dockerfile Vulnerability DS031 Severity: CRITICAL Message: key Link: DS031 Check failure Code scanning / Trivy Secrets passed via `build-args` or envs or copied secret files Critical
Artifact: dockerfiles/fips/go.Dockerfile
Type: dockerfile Vulnerability DS031 Severity: CRITICAL Message: passwd Link: DS031 Check failure Code scanning / Trivy Secrets passed via `build-args` or envs or copied secret files Critical
Artifact: dockerfiles/fips/go.Dockerfile
Type: dockerfile Vulnerability DS031 Severity: CRITICAL Message: password Link: DS031 Check failure Code scanning / Trivy Secrets passed via `build-args` or envs or copied secret files Critical
Artifact: dockerfiles/fips/go.Dockerfile
Type: dockerfile Vulnerability DS031 Severity: CRITICAL Message: psw Link: DS031 Check failure Code scanning / Trivy Secrets passed via `build-args` or envs or copied secret files Critical
Artifact: dockerfiles/fips/go.Dockerfile
Type: dockerfile Vulnerability DS031 Severity: CRITICAL Message: pword Link: DS031 Check failure Code scanning / Trivy Secrets passed via `build-args` or envs or copied secret files Critical
Artifact: dockerfiles/fips/go.Dockerfile
Type: dockerfile Vulnerability DS031 Severity: CRITICAL Message: secret Link: DS031 Check failure Code scanning / Trivy Secrets passed via `build-args` or envs or copied secret files Critical
Artifact: dockerfiles/fips/go.Dockerfile
Type: dockerfile Vulnerability DS031 Severity: CRITICAL Message: token Link: DS031 Check failure Code scanning / Trivy Secrets passed via `build-args` or envs or copied secret files Critical
Artifact: dockerfiles/fips/go.Dockerfile
Type: dockerfile Vulnerability DS031 Severity: CRITICAL Message: usr Link: DS031 |
||
|
|
||
| ARG UBI_MINIMAL_VERSION="latest" | ||
| FROM registry.access.redhat.com/ubi8/ubi-minimal:${UBI_MINIMAL_VERSION} AS go | ||
| ARG GO_VERSION=1.23.2 | ||
| ARG TARGETARCH | ||
| ARG PLATFORM_ARCH=amd64 | ||
|
|
||
| WORKDIR /workspace | ||
|
|
||
| # Install FIPS-compliant OpenSSL | ||
| RUN yum install -y git openssl-devel glibc-devel tar gzip gcc make && yum clean all | ||
| RUN microdnf --nodocs install yum && yum --nodocs -q update -y | ||
|
Check failure Code scanning / Trivy 'RUN <package-manager> update' instruction alone High
Artifact: dockerfiles/fips/go.Dockerfile
Type: dockerfile Vulnerability DS017 Severity: HIGH Message: The instruction 'RUN update' should always be followed by ' install' in the same RUN statement. Link: DS017 |
||
| RUN yum install --nodocs -y git openssl-devel glibc-devel tar gzip gcc make && yum clean all | ||
|
|
||
| # Set environment variables for FIPS compliance | ||
| ENV OPENSSL_FIPS=1 | ||
|
|
@@ -29,8 +32,8 @@ RUN git clone \ | |
|
|
||
| RUN cd /tmp/go && \ | ||
| chmod +x scripts/* && \ | ||
| git config --global user.email "[email protected]" && \ | ||
| git config --global user.name "Your Name" && \ | ||
| git config --global user.email "[email protected]" && \ | ||
| git config --global user.name "plural" && \ | ||
| scripts/full-initialize-repo.sh && \ | ||
| pushd go/src && \ | ||
| CGO_ENABLED=1 ./make.bash && \ | ||
|
|
@@ -47,9 +50,10 @@ RUN cd /usr/local/go/src && \ | |
| /usr/local/go/src/cmd/dist/dist \ | ||
| /usr/local/go/.git* | ||
|
Check warning Code scanning / Trivy 'RUN cd ...' to change directory Medium
Artifact: dockerfiles/fips/go.Dockerfile
Type: dockerfile Vulnerability DS013 Severity: MEDIUM Message: RUN should not be used to change directory: 'cd /usr/local/go/src && rm -rf /usr/local/go/pkg/*/cmd /usr/local/go/pkg/bootstrap /usr/local/go/pkg/obj /usr/local/go/pkg/tool/*/api /usr/local/go/pkg/tool/*/go_bootstrap /usr/local/go/src/cmd/dist/dist /usr/local/go/.git*'. Use 'WORKDIR' statement instead. Link: DS013 |
||
|
|
||
| FROM registry.access.redhat.com/ubi8/ubi | ||
| FROM registry.access.redhat.com/ubi8/ubi-minimal:${UBI_MINIMAL_VERSION} | ||
|
|
||
| RUN yum install -y openssl-devel glibc-devel tar gzip gcc make && yum clean all | ||
| RUN microdnf --nodocs install yum && yum --nodocs -q update -y | ||
|
Check failure Code scanning / Trivy 'RUN <package-manager> update' instruction alone High
Artifact: dockerfiles/fips/go.Dockerfile
Type: dockerfile Vulnerability DS017 Severity: HIGH Message: The instruction 'RUN update' should always be followed by ' install' in the same RUN statement. Link: DS017 |
||
| RUN yum install --nodocs -y openssl-devel glibc-devel tar gzip gcc make && yum clean all | ||
|
|
||
| COPY --from=go /usr/local/go /usr/local/go | ||
| ENV OPENSSL_FIPS=1 | ||
|
|
||