Add docker release to the full release process #963

Merged
merged 33 commits into from
Apr 15, 2024

Merge branch 'refs/heads/main' into config/docker-release

2335ddc
Wiz Inc. (266a8a9c32) / Wiz IaC Scanner completed Apr 12, 2024 in 3s

Wiz IaC Scanner

G'Day, Captain of Configuration! ⚙️

The ink of insight unveiled tales of uncharted territories within this PR. 🖋️🗺️

Revealing IaC misconfigurations with Wiz 🪄

🔮 IaC Misconfigurations Detected: 5

0 Critical, 2 High, 2 Medium, 0 Low, 1 Informational

― Note from Wiz: "Your coding journey is a magical saga, unfolding with every commit! 📖🔮"

Annotations

Check failure on line 29 in docker/Dockerfile


Missing User Instruction

Rule ID: e54afcf9-dc71-484a-8967-d930e3044062
Severity: High
Resource: FROM={{base as dbt-snowflake}}

A USER instruction should be specified in the Dockerfile; otherwise every process in the container runs as root by default, so any code-execution bug in the application is already root inside the container.
Raw output
Expected: The 'Dockerfile' should contain the 'USER' instruction
Found: The 'Dockerfile' does not contain any 'USER' instruction

Check failure on line 38 in docker/dev.Dockerfile


Missing User Instruction

Rule ID: e54afcf9-dc71-484a-8967-d930e3044062
Severity: High
Resource: FROM={{base as dbt-snowflake-dev}}

A USER instruction should be specified in the Dockerfile; otherwise every process in the container runs as root by default, so any code-execution bug in the application is already root inside the container.
Raw output
Expected: The 'Dockerfile' should contain the 'USER' instruction
Found: The 'Dockerfile' does not contain any 'USER' instruction

Check warning on line 38 in docker/Dockerfile


Unpinned Package Version in Pip Install

Rule ID: 1f0d05d7-8caf-4f04-bc60-332d472de5a9
Severity: Medium
Resource: FROM={{base as dbt-snowflake}}.{{RUN python -m pip install --no-cache-dir "dbt-snowflake @ git+https://github.com/dbt-labs/${dbt_snowflake_ref}"}}

Pinning package versions narrows what can be installed, which keeps builds reproducible and reduces failures from unanticipated upstream changes. For a PyPI package the pip form is 'pkg==1.2.3'; for a VCS URL like the one flagged here the pin is a release tag or a full commit SHA after '@', whereas '@main' installs whatever the branch points at on the day of the build.
Raw output
Expected: RUN instruction with 'pip/pip3 install <package>' should use package pinning form 'pip/pip3 install <package>=<version>'
Found: RUN instruction python -m pip install --no-cache-dir "dbt-snowflake @ git+https://github.com/dbt-labs/dbt-snowflake@main" does not use package pinning form

Check warning on line 5 in docker/Dockerfile


Using Platform Flag with FROM Command

Rule ID: c5e5995a-7d8e-4fbb-8dce-880a79438927
Severity: Medium
Resource: FROM={{--platform=$build_for python:$py_version-slim-bullseye as base}}.{{FROM --platform=$build_for python:$py_version-slim-bullseye as base}}

Don't use the '--platform' flag with FROM: it fixes the base image's architecture inside the Dockerfile instead of letting the builder's target platform decide, which breaks multi-architecture builds (docker buildx build --platform ...). The usual exception is '--platform=$BUILDPLATFORM' on a cross-compiling builder stage; here the value is a build arg ($build_for), so the platform still has to be passed twice to stay consistent.
Raw output
Expected: FROM={{--platform=$build_for python:$py_version-slim-bullseye as base}}.{{FROM --platform=$build_for python:$py_version-slim-bullseye as base}} shouldn't use the flag '--platform'
Found: FROM={{--platform=$build_for python:$py_version-slim-bullseye as base}}.{{FROM --platform=$build_for python:$py_version-slim-bullseye as base}} uses the flag '--platform'

Check notice on line 8 in docker/dev.Dockerfile


APT-GET Not Avoiding Additional Packages

Rule ID: 0cbafd91-7f35-4000-b40a-bebedb7bb5f8
Severity: None
Resource: FROM={{ubuntu:22.04 as base}}.{{RUN apt-get update   && apt-get install -y software-properties-common=0.99.22.9   && add-apt-repository -y ppa:deadsnakes/ppa   && apt-get clean   && rm -rf     /var/lib/apt/lists/*     /tmp/*     /var/tmp/*}}

apt-get install without the '--no-install-recommends' flag also pulls in each package's recommended dependencies, which enlarges the image and its attack surface (more packages to track and patch) for no functional gain.
Raw output
Expected: 'RUN apt-get update   && apt-get install -y software-properties-common=0.99.22.9   && add-apt-repository -y ppa:deadsnakes/ppa   && apt-get clean   && rm -rf     /var/lib/apt/lists/*     /tmp/*     /var/tmp/*' uses '--no-install-recommends' flag to avoid installing additional packages
Found: 'RUN apt-get update   && apt-get install -y software-properties-common=0.99.22.9   && add-apt-repository -y ppa:deadsnakes/ppa   && apt-get clean   && rm -rf     /var/lib/apt/lists/*     /tmp/*     /var/tmp/*' does not use '--no-install-recommends' flag to avoid installing additional packages
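The four rule classes reported above (missing USER instruction, unpinned pip install, --platform on FROM, apt-get install without --no-install-recommends) reproduced as a small Dockerfile linter, run over a "before" Dockerfile shaped like the flagged lines and a hardened "after" rewrite. This is an added example for this page, not the Wiz scanner and not the dbt-snowflake project's code; both Dockerfiles are constructed, and the ARG default 'dbt-snowflake@main', the tag v1.8.0, the uid 10001 and the user name 'dbt' are assumptions.

```python
# Added example: minimal Dockerfile linter for the four rule classes reported above.
# Not Wiz's engine and not dbt-snowflake project code. BEFORE/AFTER are constructed;
# the ARG default 'dbt-snowflake@main', tag v1.8.0, uid 10001 and user 'dbt' are assumed.
import re
import shlex

BEFORE = """\
ARG build_for=linux/amd64
ARG py_version=3.11.2
FROM --platform=$build_for python:$py_version-slim-bullseye as base
RUN apt-get update \\
  && apt-get install -y git \\
  && rm -rf /var/lib/apt/lists/*
FROM base as dbt-snowflake
ARG dbt_snowflake_ref=dbt-snowflake@main
RUN python -m pip install --no-cache-dir "dbt-snowflake @ git+https://github.com/dbt-labs/${dbt_snowflake_ref}"
"""

AFTER = """\
ARG py_version=3.11.2
FROM python:$py_version-slim-bullseye as base
RUN apt-get update \\
  && apt-get install -y --no-install-recommends git \\
  && rm -rf /var/lib/apt/lists/*
FROM base as dbt-snowflake
ARG dbt_snowflake_ref=dbt-snowflake@v1.8.0
RUN python -m pip install --no-cache-dir "dbt-snowflake @ git+https://github.com/dbt-labs/${dbt_snowflake_ref}"
RUN useradd --create-home --uid 10001 dbt
USER dbt
"""

def parse(dockerfile):
    """Yield (INSTRUCTION, args); joins backslash continuations, drops comments/blanks."""
    pending = []
    for line in (l.strip() for l in dockerfile.splitlines()):
        if not line or line.startswith("#"):
            continue
        pending.append(line.rstrip("\\").rstrip())
        if not line.endswith("\\"):
            instr, _, args = " ".join(pending).partition(" ")
            pending = []
            yield instr.upper(), args.strip()

def expand(text, env):
    """Substitute ${name}/$name from ARG defaults seen so far (ARG scoping simplified)."""
    return re.sub(r"\$\{(\w+)\}|\$(\w+)",
                  lambda m: env.get(m.group(1) or m.group(2), m.group(0)), text)

def shell_segments(cmd):
    """Split a shell command on && || ; | into token lists (shlex keeps the quoted pip spec whole)."""
    segs = [[]]
    for tok in shlex.split(cmd):
        if tok in ("&&", "||", ";", "|"):
            segs.append([])
        else:
            segs[-1].append(tok)
    return [s for s in segs if s]

VCS_PINNED_REF = re.compile(r"^(?:[0-9a-f]{40}|v?\d+(?:\.\d+)+)$")   # full SHA or release tag
SKIP_VALUE = {"-r", "-c", "-i", "-f", "--requirement", "--constraint",
              "--index-url", "--extra-index-url", "--find-links"}      # flags that take a value

def pip_spec_pinned(spec):
    """'pkg==1.2.3' is pinned; a VCS URL is pinned only by a tag or full commit SHA after '@'."""
    if "git+" in spec:
        last = spec.split("git+", 1)[1].split("#", 1)[0].rsplit("/", 1)[-1]
        return "@" in last and bool(VCS_PINNED_REF.match(last.rsplit("@", 1)[1]))
    return "==" in spec

def check_run_segment(seg, findings):
    names = [t.rsplit("/", 1)[-1] for t in seg]          # tolerate /usr/bin/pip, /usr/bin/apt-get
    for i in range(len(seg) - 1):
        if names[i] in ("pip", "pip3") and seg[i + 1] == "install":
            j = i + 2
            while j < len(seg):
                if seg[j] in SKIP_VALUE:
                    j += 2                                # skip the flag and its value
                    continue
                if not seg[j].startswith("-") and not pip_spec_pinned(seg[j]):
                    findings.append(("UnpinnedPipPackage", seg[j]))
                j += 1
        if names[i] in ("apt-get", "apt") and seg[i + 1] == "install" \
                and "--no-install-recommends" not in seg:
            findings.append(("AptInstallRecommends", " ".join(seg)))

def lint(dockerfile):
    """Return [(rule, detail)] in the order the problems appear in the Dockerfile."""
    findings, env, stage_user = [], {}, {}
    current = user = None
    for instr, args in parse(dockerfile):
        if instr == "ARG":
            name, _, default = args.partition("=")
            if default:
                env[name.strip()] = default.strip()
        elif instr == "FROM":
            if current is not None:
                stage_user[current] = user                # user each finished stage ends with
            tokens = expand(args, env).split()
            if any(t.startswith("--platform") for t in tokens):
                findings.append(("PlatformFlagInFrom", args))
            rest = [t for t in tokens if not t.startswith("--")]
            current = rest[2] if len(rest) > 2 and rest[1].lower() == "as" else f"stage{len(stage_user)}"
            # FROM an earlier local stage inherits that stage's USER; an external image is
            # treated as root until a USER instruction says otherwise (the scanner's assumption).
            user = stage_user.get(rest[0])
        elif instr == "USER":
            user = expand(args, env).split(":", 1)[0]
        elif instr == "RUN" and not args.startswith("["):   # exec form runs no shell
            for seg in shell_segments(expand(args, env)):
                check_run_segment(seg, findings)
    if current is not None and user in (None, "root", "0"):
        findings.append(("MissingUser", f"final stage '{current}' runs as root"))
    return findings
```

lint(BEFORE) reports all four rules in file order (PlatformFlagInFrom, AptInstallRecommends, UnpinnedPipPackage, MissingUser) and lint(AFTER) reports nothing. Two points differ from a plain text match: the pip check treats '@main' on a git URL as unpinned and a release tag or 40-hex commit as pinned, which is the remediation the scanner's '<package>=<version>' heuristic cannot express for a VCS install; and the USER check follows Docker's stage inheritance, so a USER set in a local base stage satisfies a final stage built FROM it, while 'USER root' in the final stage is still reported.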