This image builds and packages Aquasecurity Trivy . It is presented here to
demonstrate how to securely build and package a typical Go application in a
zero CVE vulnerability Docker image pipeline.
- Ensuring a completely static build without depending on
CGOruntime - Compressing the binary
- Using
scratchas the final layer of the image for minimal size and maximal security
λ snyk container test --file="Dockerfile" "trivy:latest"
Testing trivy:latest...
Organization: REDACTED
Package manager: linux
Target file: Dockerfile
Project name: docker-image|trivy
Docker image: trivy:latest
Platform: linux/amd64
Base image: scratch
Licenses: enabled
✔ Tested trivy:latest for known issues, no vulnerable paths found.
Note that we do not currently have vulnerability data for your image.- Ensure Docker
buildxis installed
λ docker buildx version
github.com/docker/buildx 0.13.1 788433953af10f2a698f5c07611dddce2e08c7a0- Ensure Docker
sbomplugin is installed
λ docker sbom version
Application: docker-sbom ([not provided])
Provider: syft (v0.46.3)
GitCommit: [not provided]
GitDescription: [not provided]
Platform: linux/amd64- Build the image without pushing it to remote
bash build.sh ;Look into docker-bake.hcl file's variables for other configuration options;
use environment variables to set them before running build.sh script
You can find the associated SPDX SBOM here
- Scan for vulnerabilities with
snyk
snyk container test --file="Dockerfile" "trivy:latest"