diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index a9050838..b8a7acdc 100644
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -4,6 +4,9 @@ FROM ghcr.io/cse-labs/k3d:latest
 # some images require specific values
 ARG USERNAME=vscode
+#checkov:skip=CKV_DOCKER_2: No healthcheck is needed
+#checkov:skip=CKV_DOCKER_3: No user is needed
+#checkov:skip=CKV_DOCKER_7: Alright to use "latest" tag
 
 # [Optional] Uncomment this section to install additional OS packages.
 # alternatively, you can add commands to on-create.sh and/or post-create.sh
@@ -12,5 +15,5 @@ ARG USERNAME=vscode
 # RUN apt-get -y install --no-install-recommends
 
 # upgrade packages
-# you can improve startup time by runing in post-create.sh
+# you can improve startup time by running in post-create.sh
 # RUN apt upgrade
-
diff --git a/.devcontainer/cosmos-emulator/Dockerfile b/.devcontainer/cosmos-emulator/Dockerfile
index dbf2fefa..a91604c2 100644
--- a/.devcontainer/cosmos-emulator/Dockerfile
+++ b/.devcontainer/cosmos-emulator/Dockerfile
@@ -1,4 +1,8 @@
 FROM mcr.microsoft.com/cosmosdb/linux/azure-cosmos-emulator as base-cosmos
+#checkov:skip=CKV_DOCKER_2: No healthcheck is needed
+#checkov:skip=CKV_DOCKER_3: No user is needed
+#checkov:skip=CKV_DOCKER_7: Alright to use "latest" tag
+#checkov:skip=CKV_DOCKER_9: APT runs with -y option
 
 WORKDIR /usr/local/bin/cosmos/
 
diff --git a/.github/workflows/checkov-docker.yml b/.github/workflows/checkov-docker.yml
new file mode 100644
index 00000000..01a80a24
--- /dev/null
+++ b/.github/workflows/checkov-docker.yml
@@ -0,0 +1,20 @@
+name: Checkov Docker Vulnerability Scan
+
+on:
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Run Checkov on Dockerfiles
+        id: checkov
+        uses: bridgecrewio/checkov-action@master
+        with:
+          directory: .
+          framework: dockerfile
+          quiet: true
+          output_format: github_failed_only
+          soft_fail: false
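Review bot: The CKV_DOCKER_7 suppression added after `ARG USERNAME=vscode` silences the only signal that `FROM ghcr.io/cse-labs/k3d:latest` is unpinned, so the dev container changes whenever the upstream tag moves and two rebuilds on different days can yield different tooling. If tracking upstream is intentional, the skip reason should say so rather than restate the finding, e.g. `#checkov:skip=CKV_DOCKER_7: devcontainer deliberately tracks upstream k3d`; otherwise pin a tag or digest and drop the skip. The same applies to the untagged base in .devcontainer/cosmos-emulator/Dockerfile. The CKV_DOCKER_3 reason "No user is needed" sits next to `ARG USERNAME=vscode`, which suggests the image is expected to run as a named user; if the base image already sets `USER`, the reason should state that instead.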
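Review bot: The CKV_DOCKER_9 skip reason "APT runs with -y option" does not match what the check reports: CKV_DOCKER_9 flags use of the `apt` front-end in place of `apt-get` (the `apt` CLI is not intended for scripted use), and the `-y` flag is unrelated to it. The `RUN` lines it refers to are outside this hunk; if they call `apt`, switching them to `apt-get` removes the finding without a suppression, and if the skip is kept its reason should name the actual cause. Note also that `FROM mcr.microsoft.com/cosmosdb/linux/azure-cosmos-emulator as base-cosmos` carries no tag at all, so the CKV_DOCKER_7 skip here hides an implicit `latest` rather than an explicit choice; a pinned tag would make the emulator version visible to anyone reading the file, and `AS` in uppercase would match the other Dockerfiles in this change.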
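Review bot: `uses: bridgecrewio/checkov-action@master` pins the scanner that gates pull requests to a moving branch, so anything pushed to that branch runs in this workflow with no review on this side; the same concern applies, less acutely, to `actions/checkout@v2`. Pin both to a release tag or, preferably, a full commit SHA, e.g. `uses: bridgecrewio/checkov-action@<commit-sha>  # <release tag>` with the placeholders resolved to a known release. The job also declares no `permissions:` block, so the default GITHUB_TOKEN scope applies; add `permissions: contents: read` at the top level and widen it only if the action turns out to need more for its summary output. Finally, the workflow name says "Vulnerability Scan", but Checkov's dockerfile framework evaluates configuration rules (tags, USER, HEALTHCHECK) rather than package CVEs; a name such as "Checkov Dockerfile Policy Scan" describes what actually runs.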
diff --git a/src/LodeRunner.API/Dockerfile b/src/LodeRunner.API/Dockerfile
index e7bf7525..a00c6b4e 100644
--- a/src/LodeRunner.API/Dockerfile
+++ b/src/LodeRunner.API/Dockerfile
@@ -1,6 +1,8 @@
 ### Build and Test the App
 FROM mcr.microsoft.com/dotnet/sdk:6.0-alpine AS build
+#checkov:skip=CKV_DOCKER_2: No healthcheck is needed
+
 
 ### copy the source and tests
 COPY ./LodeRunner.sln /src/
 COPY ./LodeRunner /src/LodeRunner
@@ -39,4 +41,4 @@ USER ngsa
 
 ### copy the app
 COPY --from=build /app .
-ENTRYPOINT [ "dotnet", "LodeRunner.API.dll" ]
\ No newline at end of file
+ENTRYPOINT [ "dotnet", "LodeRunner.API.dll" ]
diff --git a/src/LodeRunner.UI/Dockerfile b/src/LodeRunner.UI/Dockerfile
index 5517b901..581f74d9 100644
--- a/src/LodeRunner.UI/Dockerfile
+++ b/src/LodeRunner.UI/Dockerfile
@@ -1,5 +1,9 @@
 ### build prod app
 FROM mcr.microsoft.com/vscode/devcontainers/javascript-node:14 AS build
+
+#checkov:skip=CKV_DOCKER_2: No healthcheck is needed
+#checkov:skip=CKV_DOCKER_3: No user is needed
+
 ENV NODE_ENV production
 WORKDIR /app
 
diff --git a/src/LodeRunner/Dockerfile b/src/LodeRunner/Dockerfile
index 2225a743..4448028f 100644
--- a/src/LodeRunner/Dockerfile
+++ b/src/LodeRunner/Dockerfile
@@ -1,6 +1,8 @@
 ### build the app
 FROM mcr.microsoft.com/dotnet/sdk:6.0-alpine AS build
+#checkov:skip=CKV_DOCKER_2: No healthcheck is needed
+
 
 # Copy the source
 COPY ./LodeRunner.sln /src/
 COPY ./LodeRunner /src/LodeRunner
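Review bot: The CKV_DOCKER_2 skip reason "No healthcheck is needed" is a bare assertion for an image whose final stage runs a long-lived API (`ENTRYPOINT [ "dotnet", "LodeRunner.API.dll" ]` below `USER ngsa` in the second hunk); a wedged process in such a container is exactly what the check exists to catch. If liveness is handled by the orchestrator's own probes, the reason should say so, e.g. `#checkov:skip=CKV_DOCKER_2: liveness/readiness handled by Kubernetes probes`; otherwise a `HEALTHCHECK` against the API's health endpoint in the final stage is the better fix. The same one-line suppression with the same reason is added in src/LodeRunner/Dockerfile and src/LodeRunner.UI/Dockerfile. The comment is also placed under the build stage's `FROM`; as far as I know Checkov reads Dockerfile suppressions file-wide, but placing it next to the final stage it concerns (outside this hunk) would make the intent easier to read.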
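Review bot: The CKV_DOCKER_3 skip reason "No user is needed" gives no basis for running the image as root; the final stage of this Dockerfile is outside the hunk, but if it serves the built UI over HTTP a non-root `USER` is the fix the check is asking for, not a suppression. If the final stage already inherits a non-root user from its base image, the reason should state that, e.g. `#checkov:skip=CKV_DOCKER_3: final stage runs as the base image's non-root user`, so the next reader does not have to rediscover it. The blank line added before the skip comments also separates them from the `FROM` they sit under, whereas the other Dockerfiles in this change put the comment directly after `FROM`; one layout across the repository would be easier to maintain.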