added checkov action, skip statements (#270)

* added checkov action, skip statements * Updated checkov run directory * moved checkov skip statements * Move checkov skip statements for remaining dockerfiles Co-authored-by: Siva Mullapudi <sivamu@microsoft.com>
retaildevcrews · Jul 21, 2022 · a924056 · a924056
1 parent 409c012
commit a924056
Show file tree

Hide file tree

Showing 6 changed files with 37 additions and 2 deletions.
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -4,6 +4,9 @@ FROM ghcr.io/cse-labs/k3d:latest
 
 # some images require specific values
 ARG USERNAME=vscode
+#checkov:skip=CKV_DOCKER_2: No healthcheck is needed 
+#checkov:skip=CKV_DOCKER_3: No user is needed 
+#checkov:skip=CKV_DOCKER_7: Alright to use "latest" tag
 
 # [Optional] Uncomment this section to install additional OS packages.
 # alternatively, you can add commands to on-create.sh and/or post-create.sh
@@ -12,5 +15,5 @@ ARG USERNAME=vscode
 # RUN apt-get -y install --no-install-recommends <your-package-list-here>
 
 # upgrade packages
-# you can improve startup time by runing in post-create.sh
+# you can improve startup time by running in post-create.sh
 # RUN apt upgrade -
diff --git a/.devcontainer/cosmos-emulator/Dockerfile b/.devcontainer/cosmos-emulator/Dockerfile
@@ -1,4 +1,8 @@
 FROM mcr.microsoft.com/cosmosdb/linux/azure-cosmos-emulator as base-cosmos
+#checkov:skip=CKV_DOCKER_2: No healthcheck is needed 
+#checkov:skip=CKV_DOCKER_3: No user is needed 
+#checkov:skip=CKV_DOCKER_7: Alright to use "latest" tag
+#checkov:skip=CKV_DOCKER_9: APT runs with -y option
 
 WORKDIR /usr/local/bin/cosmos/
 

diff --git a/.github/workflows/checkov-docker.yml b/.github/workflows/checkov-docker.yml
@@ -0,0 +1,20 @@
+name: Checkov Docker Vulnerability Scan
+
+on: 
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2      
+      - name: Run Checkov on Dockerfiles
+        id: checkov
+        uses: bridgecrewio/checkov-action@master
+        with:
+          directory: .
+          framework: dockerfile
+          quiet: true
+          output_format: github_failed_only
+          soft_fail: false
diff --git a/src/LodeRunner.API/Dockerfile b/src/LodeRunner.API/Dockerfile
@@ -1,6 +1,8 @@
 ### Build and Test the App
 FROM mcr.microsoft.com/dotnet/sdk:6.0-alpine AS build
 
+#checkov:skip=CKV_DOCKER_2: No healthcheck is needed
+
 ### copy the source and tests
 COPY ./LodeRunner.sln /src/
 COPY ./LodeRunner /src/LodeRunner
@@ -39,4 +41,4 @@ USER ngsa
 ### copy the app
 COPY --from=build /app .
 
-ENTRYPOINT [ "dotnet",  "LodeRunner.API.dll" ]
+ENTRYPOINT [ "dotnet",  "LodeRunner.API.dll" ]
diff --git a/src/LodeRunner.UI/Dockerfile b/src/LodeRunner.UI/Dockerfile
@@ -1,5 +1,9 @@
 ### build prod app
 FROM mcr.microsoft.com/vscode/devcontainers/javascript-node:14 AS build
+
+#checkov:skip=CKV_DOCKER_2: No healthcheck is needed
+#checkov:skip=CKV_DOCKER_3: No user is needed
+
 ENV NODE_ENV production
 WORKDIR /app
 

diff --git a/src/LodeRunner/Dockerfile b/src/LodeRunner/Dockerfile
@@ -1,6 +1,8 @@
 ### build the app
 FROM mcr.microsoft.com/dotnet/sdk:6.0-alpine AS build
 
+#checkov:skip=CKV_DOCKER_2: No healthcheck is needed
+
 # Copy the source
 COPY ./LodeRunner.sln /src/
 COPY ./LodeRunner /src/LodeRunner