From 97ffe2a51843b45f6ac998696ccef3c5d83d22da Mon Sep 17 00:00:00 2001
From: Denis Makogon
Date: Wed, 24 Apr 2019 22:52:19 +0300
Subject: [PATCH 1/6] [WIP] Anchore CI security checks
---
 .circleci/config.yml | 72 +++++++++++++++++++
 build-images.sh | 9 +++
 circle.yml | 42 -----------
 images/1.12.4/alpine/build-stage/Dockerfile | 4 ++
 images/{ => 1.12.4/alpine}/runtime/Dockerfile | 0
 images/1.12.4/stretch/build-stage/Dockerfile | 5 ++
 images/1.12.4/stretch/runtime/Dockerfile | 3 +
 images/build/Dockerfile | 3 -
 8 files changed, 93 insertions(+), 45 deletions(-)
 create mode 100644 .circleci/config.yml
 create mode 100755 build-images.sh
 delete mode 100644 circle.yml
 create mode 100644 images/1.12.4/alpine/build-stage/Dockerfile
 rename images/{ => 1.12.4/alpine}/runtime/Dockerfile (100%)
 create mode 100644 images/1.12.4/stretch/build-stage/Dockerfile
 create mode 100644 images/1.12.4/stretch/runtime/Dockerfile
 delete mode 100644 images/build/Dockerfile
diff --git a/.circleci/config.yml b/.circleci/config.yml
new file mode 100644
index 0000000..6675676
--- /dev/null
+++ b/.circleci/config.yml
@@ -0,0 +1,72 @@
+version: 2.1
+orbs:
+ anchore: anchore/anchore-engine@1.2.0
+jobs:
+ "fdk":
+ docker:
+ - image: circleci/golang:1.12.4
+ working_directory: ~/fdk-go
+ steps:
+ - checkout
+ - setup_remote_docker:
+ docker_layer_caching: true
+ - run: docker version
+ - run: docker pull fnproject/fnserver
+ # installing Fn CLI and starting the Fn server
+ - run:
+ command: go test -v ./...
+ - run:
+ command: |
+ curl -LSs https://raw.githubusercontent.com/fnproject/cli/master/install | sh
+# - run:
+# command: fn build
+# working_directory: examples/hello
+# - run:
+# command: docker build -t fnproject/fdk-go-init .
+# working_directory: images/init
+# - run:
+# command: docker build -t fnproject/fdk-go-build .
+# working_directory: images/build
+# - run:
+# command: docker build -t fnproject/fdk-go-runtime .
+# working_directory: images/runtime
+ - deploy:
+ command: |
+ if [[ "${CIRCLE_BRANCH}" == "master" && -z "${CIRCLE_PR_REPONAME}" ]]; then
+ func_version=$(awk '/^version:/ { print $2; }' func.yaml)
+ printenv DOCKER_PASS | docker login -u ${DOCKER_USER} --password-stdin
+ git config --global user.email "ci@fnproject.com"
+ git config --global user.name "CI"
+ git branch --set-upstream-to=origin/${CIRCLE_BRANCH} ${CIRCLE_BRANCH}
+# docker tag "hello:${func_version}" "fnproject/fdk-go-hello:${func_version}"
+# docker tag "hello:${func_version}" "fnproject/fdk-go-hello:latest"
+# docker push "fnproject/fdk-go-hello:${func_version}"
+# docker push "fnproject/fdk-go-hello:latest"
+ fi
+ #working_directory: examples/hello
+
+ "go1.12.4_security_check":
+ executor: anchore/anchore_engine
+ working_directory: ~/fdk-go
+ steps:
+ - checkout
+ - run:
+ name: Golang 1.12.4 Stretch build
+ command: |
+ ./build-images.sh 1.12.4 stretch
+ - anchore/analyze_local_image:
+ image_name: fnproject/golang:1.12.4-stretch
+ timeout: '500'
+ policy_failure: true
+ policy_bundle_file_path: ~/fdk-go/.circleci/.anchore/policy_bundle.json
+ - anchore/parse_reports
+
+workflows:
+ version: 2
+ build:
+ jobs:
+ - "fdk"
+ - "python36dev_security_check"
+ - "python36runtime_security_check"
+ - "python371dev_security_check"
+ - "python371runtime_security_check"
diff --git a/build-images.sh b/build-images.sh
new file mode 100755
index 0000000..f22d060
--- /dev/null
+++ b/build-images.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+set -xe
+
+goversion=${1:-"1.12.4"}
+ostype=${2:-"alpine"}
+
+pushd images/${goversion}/${ostype}/build-stage/ && docker build -t fnproject/golang:${goversion}-${ostype}-dev . && popd
+pushd images/${goversion}/${ostype}/runtime/ && docker build -t fnproject/golang:${goversion}-${ostype} . && popd
diff --git a/circle.yml b/circle.yml
deleted file mode 100644
index c0bfbce..0000000
--- a/circle.yml
+++ /dev/null
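Review bot: `policy_failure: true` gates the build on `policy_bundle_file_path: ~/fdk-go/.circleci/.anchore/policy_bundle.json`, but no commit in this series adds `.circleci/.anchore/policy_bundle.json`, so at run time the orb presumably either fails the step or evaluates a different bundle than the one the config names. Commit the bundle alongside this config (and review which gates it actually enforces), or drop the option so the engine's default policy is used deliberately. The same path is referenced again in the patch 2 hunk that makes it relative and in both security jobs added in patch 5.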
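Review bot: The `pushd … && docker build -t … . && popd` chains pass unquoted `${goversion}`/`${ostype}` into both a filesystem path and an image tag, and the directory dance is unnecessary because `docker build` takes the context path directly. Prefer `docker build -t "fnproject/golang:${goversion}-${ostype}-dev" "images/${goversion}/${ostype}/build-stage"` and the matching line for `runtime`; with `set -e` already in effect a failed build still aborts the script. A header comment such as `# usage: build-images.sh [goversion] [alpine|stretch]` would document the positional arguments the defaults imply.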
@@ -1,42 +0,0 @@ -version: 2 -jobs: - build: - docker: - - image: circleci/golang:1.11.0 - working_directory: ~/fdk-go - steps: - - checkout - - setup_remote_docker: - docker_layer_caching: true - - run: docker version - - run: docker pull fnproject/fnserver - # installing Fn CLI and starting the Fn server - - run: - command: | - curl -LSs https://raw.githubusercontent.com/fnproject/cli/master/install | sh - - run: - command: fn build - working_directory: examples/hello - - run: - command: docker build -t fnproject/fdk-go-init . - working_directory: images/init - - run: - command: docker build -t fnproject/fdk-go-build . - working_directory: images/build - - run: - command: docker build -t fnproject/fdk-go-runtime . - working_directory: images/runtime - - deploy: - command: | - if [[ "${CIRCLE_BRANCH}" == "master" && -z "${CIRCLE_PR_REPONAME}" ]]; then - func_version=$(awk '/^version:/ { print $2; }' func.yaml) - printenv DOCKER_PASS | docker login -u ${DOCKER_USER} --password-stdin - git config --global user.email "ci@fnproject.com" - git config --global user.name "CI" - git branch --set-upstream-to=origin/${CIRCLE_BRANCH} ${CIRCLE_BRANCH} - docker tag "hello:${func_version}" "fnproject/fdk-go-hello:${func_version}" - docker tag "hello:${func_version}" "fnproject/fdk-go-hello:latest" - docker push "fnproject/fdk-go-hello:${func_version}" - docker push "fnproject/fdk-go-hello:latest" - fi - working_directory: examples/hello diff --git a/images/1.12.4/alpine/build-stage/Dockerfile b/images/1.12.4/alpine/build-stage/Dockerfile new file mode 100644 index 0000000..b641550 --- /dev/null +++ b/images/1.12.4/alpine/build-stage/Dockerfile @@ -0,0 +1,4 @@ +FROM golang:1.12.4-alpine3.8 + +RUN apk update && apk upgrade && \ + apk add --no-cache wget curl git bzr mercurial build-base diff --git a/images/runtime/Dockerfile b/images/1.12.4/alpine/runtime/Dockerfile similarity index 100% rename from images/runtime/Dockerfile rename to images/1.12.4/alpine/runtime/Dockerfile 
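Review bot: `apk update && apk upgrade` in the `RUN` line writes the package index under `/var/cache/apk/` into the layer (the `--no-cache` applies only to the following `apk add`) and makes the image depend on whatever the Alpine mirror holds on build day. Drop the update/upgrade and pick up fixes by bumping the `golang:1.12.4-alpine3.8` base tag, or at least end the chain with `&& rm -rf /var/cache/apk/*` as the alpine runtime Dockerfile in this repo does. Pinning the added packages (`pkg=version`) would make the build-stage image reproducible for the scans this series introduces.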
diff --git a/images/1.12.4/stretch/build-stage/Dockerfile b/images/1.12.4/stretch/build-stage/Dockerfile
new file mode 100644
index 0000000..0b35ef0
--- /dev/null
+++ b/images/1.12.4/stretch/build-stage/Dockerfile
@@ -0,0 +1,5 @@
+FROM golang:1.12.4-stretch
+
+RUN apt-get update && apt-get upgrade -qy && \
+ apt-get install wget curl mercurial build-essential gcc -qy && \
+ apt-get clean
diff --git a/images/1.12.4/stretch/runtime/Dockerfile b/images/1.12.4/stretch/runtime/Dockerfile
new file mode 100644
index 0000000..791438a
--- /dev/null
+++ b/images/1.12.4/stretch/runtime/Dockerfile
@@ -0,0 +1,3 @@
+FROM debian:stretch-slim
+
+RUN apt-get update && apt-get upgrade -qy
diff --git a/images/build/Dockerfile b/images/build/Dockerfile
deleted file mode 100644
index 81fcc10..0000000
--- a/images/build/Dockerfile
+++ /dev/null
@@ -1,3 +0,0 @@
-FROM golang:1.11.0-alpine3.8
-
-RUN apk add --no-cache wget curl git bzr mercurial build-base
From de52cf0a242efe6a11cb8e4e559d1414dce61bfd Mon Sep 17 00:00:00 2001
From: Denis Makogon
Date: Wed, 24 Apr 2019 22:57:19 +0300
Subject: [PATCH 2/6] fix ci config
---
 .circleci/config.yml | 32 +++++++-------------------------
 1 file changed, 7 insertions(+), 25 deletions(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 6675676..4600e6f 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,6 +1,6 @@
 version: 2.1
 orbs:
- anchore: anchore/anchore-engine@1.2.0
+ anchore: anchore/anchore-engine@1.3.0
 jobs:
 "fdk":
 docker:
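Review bot: `apt-get install wget curl mercurial build-essential gcc -qy` lacks `--no-install-recommends`, and `apt-get clean` leaves `/var/lib/apt/lists/*` in the layer, so the build-stage image that patch 2 later feeds to Anchore carries more packages (and findings) than it needs. Suggested chain: `apt-get install -qy --no-install-recommends wget curl mercurial build-essential && \` followed by `apt-get clean && rm -rf /var/lib/apt/lists/*`; `gcc` is already a dependency of `build-essential`. Version pins on the added packages would make the scan results reproducible between runs.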
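Review bot: The stretch runtime image is only `FROM debian:stretch-slim` plus `apt-get update && apt-get upgrade -qy`, which leaves the apt lists in the layer and installs no `ca-certificates`, whereas the alpine runtime counterpart in this repo does add `ca-certificates`; a Go function making TLS calls from this variant would presumably fail certificate verification — confirm against how functions are expected to reach the network. Suggested line: `RUN apt-get update && apt-get upgrade -qy && apt-get install -qy --no-install-recommends ca-certificates && rm -rf /var/lib/apt/lists/*`. The image also ends as root with no `USER`; patch 6 adds an `fn` account but still no `USER` directive.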
@@ -12,24 +12,11 @@ jobs: docker_layer_caching: true - run: docker version - run: docker pull fnproject/fnserver - # installing Fn CLI and starting the Fn server - run: command: go test -v ./... - run: command: | curl -LSs https://raw.githubusercontent.com/fnproject/cli/master/install | sh -# - run: -# command: fn build -# working_directory: examples/hello -# - run: -# command: docker build -t fnproject/fdk-go-init . -# working_directory: images/init -# - run: -# command: docker build -t fnproject/fdk-go-build . -# working_directory: images/build -# - run: -# command: docker build -t fnproject/fdk-go-runtime . -# working_directory: images/runtime - deploy: command: | if [[ "${CIRCLE_BRANCH}" == "master" && -z "${CIRCLE_PR_REPONAME}" ]]; then @@ -38,27 +25,25 @@ jobs: git config --global user.email "ci@fnproject.com" git config --global user.name "CI" git branch --set-upstream-to=origin/${CIRCLE_BRANCH} ${CIRCLE_BRANCH} -# docker tag "hello:${func_version}" "fnproject/fdk-go-hello:${func_version}" -# docker tag "hello:${func_version}" "fnproject/fdk-go-hello:latest" -# docker push "fnproject/fdk-go-hello:${func_version}" -# docker push "fnproject/fdk-go-hello:latest" fi - #working_directory: examples/hello "go1.12.4_security_check": executor: anchore/anchore_engine working_directory: ~/fdk-go steps: + - setup_remote_docker: + docker_layer_caching: true - checkout - run: name: Golang 1.12.4 Stretch build command: | + apk add bash ./build-images.sh 1.12.4 stretch - anchore/analyze_local_image: - image_name: fnproject/golang:1.12.4-stretch + image_name: "fnproject/golang:1.12.4-stretch fnproject/golang:1.12.4-stretch-dev" timeout: '500' policy_failure: true - policy_bundle_file_path: ~/fdk-go/.circleci/.anchore/policy_bundle.json + policy_bundle_file_path: .circleci/.anchore/policy_bundle.json - anchore/parse_reports workflows: 
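Review bot: `image_name: "fnproject/golang:1.12.4-stretch fnproject/golang:1.12.4-stretch-dev"` packs two images into one parameter; whether `anchore/analyze_local_image` in orb 1.3.0 splits a space-separated list or treats it as a single, nonexistent image name is not visible here — confirm against the orb's parameter docs, otherwise the `-dev` image is silently never scanned or the step errors. If the orb takes one image per call, invoking `anchore/analyze_local_image` twice with separate `image_name` values is the unambiguous form. `apk add bash` installs into the executor only, which is fine for CI, but a comment saying the orb executor lacks bash would explain why the step exists.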
@@ -66,7 +51,4 @@ workflows: build: jobs: - "fdk" - - "python36dev_security_check" - - "python36runtime_security_check" - - "python371dev_security_check" - - "python371runtime_security_check" + - "go1.12.4_security_check" From c77f09f83f9cfef6e85ba2f969af110b42d2af57 Mon Sep 17 00:00:00 2001 From: Denis Makogon Date: Wed, 24 Apr 2019 22:59:08 +0300 Subject: [PATCH 3/6] fix ci config --- .circleci/config.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 4600e6f..9e2c819 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -10,17 +10,12 @@ jobs: - checkout - setup_remote_docker: docker_layer_caching: true - - run: docker version - run: docker pull fnproject/fnserver - run: command: go test -v ./... - - run: - command: | - curl -LSs https://raw.githubusercontent.com/fnproject/cli/master/install | sh - deploy: command: | if [[ "${CIRCLE_BRANCH}" == "master" && -z "${CIRCLE_PR_REPONAME}" ]]; then - func_version=$(awk '/^version:/ { print $2; }' func.yaml) printenv DOCKER_PASS | docker login -u ${DOCKER_USER} --password-stdin git config --global user.email "ci@fnproject.com" git config --global user.name "CI" From 965aabb4a7bcc7abe641f6e484d526eb8c262c02 Mon Sep 17 00:00:00 2001 From: Denis Makogon Date: Wed, 24 Apr 2019 23:00:01 +0300 Subject: [PATCH 4/6] fix image job name --- .circleci/config.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 9e2c819..dcbc0ff 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -22,7 +22,7 @@ jobs: git branch --set-upstream-to=origin/${CIRCLE_BRANCH} ${CIRCLE_BRANCH} fi - "go1.12.4_security_check": + "go1-12-4_security_check": executor: anchore/anchore_engine working_directory: ~/fdk-go steps: @@ -46,4 +46,4 @@ workflows: build: jobs: - "fdk" - - "go1.12.4_security_check" + - "go1-12-4_security_check" From 9e01a060f143e1a6e9f8fa83f42e6094b6095b38 Mon Sep 17 00:00:00 2001 
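Review bot: With `func_version` and the commented `docker push` lines gone, the `deploy` step on master still runs `printenv DOCKER_PASS | docker login -u ${DOCKER_USER} --password-stdin`, `git config` and `git branch --set-upstream-to` and then does nothing with them, so registry credentials are exercised on every master build for no purpose. Either remove the step or make it the publishing step (patch 5 adds `release_images.sh`, which pushes without a preceding login and is not invoked from CI). Quoting `"${DOCKER_USER}"` would avoid word splitting if the variable is ever empty.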
From: Denis Makogon
Date: Wed, 5 Jun 2019 20:49:15 +0300
Subject: [PATCH 5/6] updating builds
---
 .circleci/config.yml | 44 ++++++++++++++++---
 build-images.sh | 6 +--
 .../alpine/build-stage/Dockerfile | 2 +-
 .../{1.12.4 => 1}/alpine/runtime/Dockerfile | 0
 .../stretch/build-stage/Dockerfile | 2 +-
 .../{1.12.4 => 1}/stretch/runtime/Dockerfile | 0
 release_images.sh | 14 ++++++
 7 files changed, 56 insertions(+), 12 deletions(-)
 rename images/{1.12.4 => 1}/alpine/build-stage/Dockerfile (77%)
 rename images/{1.12.4 => 1}/alpine/runtime/Dockerfile (100%)
 rename images/{1.12.4 => 1}/stretch/build-stage/Dockerfile (83%)
 rename images/{1.12.4 => 1}/stretch/runtime/Dockerfile (100%)
 create mode 100755 release_images.sh
diff --git a/.circleci/config.yml b/.circleci/config.yml
index dcbc0ff..b80b8e6 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -2,7 +2,7 @@ version: 2.1
 orbs:
 anchore: anchore/anchore-engine@1.3.0
 jobs:
- "fdk":
+ "test":
 docker:
 - image: circleci/golang:1.12.4
 working_directory: ~/fdk-go
@@ -22,7 +22,7 @@ jobs:
 git branch --set-upstream-to=origin/${CIRCLE_BRANCH} ${CIRCLE_BRANCH}
 fi
 
- "go1-12-4_security_check":
+ "go1_stretch_security_check":
 executor: anchore/anchore_engine
 working_directory: ~/fdk-go
 steps:
@@ -30,12 +30,31 @@ jobs: docker_layer_caching: true - checkout - run: - name: Golang 1.12.4 Stretch build + name: Golang 1 Stretch build command: | apk add bash - ./build-images.sh 1.12.4 stretch + ./build-images.sh 1 stretch - anchore/analyze_local_image: - image_name: "fnproject/golang:1.12.4-stretch fnproject/golang:1.12.4-stretch-dev" + image_name: "fnproject/go:1-stretch fnproject/go:1-stretch-dev" + timeout: '500' + policy_failure: true + policy_bundle_file_path: .circleci/.anchore/policy_bundle.json + - anchore/parse_reports + + "go1_alpine_security_check": + executor: anchore/anchore_engine + working_directory: ~/fdk-go + steps: + - setup_remote_docker: + docker_layer_caching: true + - checkout + - run: + name: Golang 1 Alpine 3.8 build + command: | + apk add bash + ./build-images.sh 1 alpine + - anchore/analyze_local_image: + image_name: "fnproject/go:1-alpine fnproject/go:1-alpine-dev" timeout: '500' policy_failure: true policy_bundle_file_path: .circleci/.anchore/policy_bundle.json @@ -45,5 +64,16 @@ workflows: version: 2 build: jobs: - - "fdk" - - "go1-12-4_security_check" + - "test" + nightly: + triggers: + - schedule: + cron: "0 0 * * *" + filters: + branches: + only: + - master + jobs: + - "test" + - "go1_stretch_security_check" + - "go1_alpine_security_check" diff --git a/build-images.sh b/build-images.sh index f22d060..909bb3c 100755 --- a/build-images.sh +++ b/build-images.sh @@ -2,8 +2,8 @@ set -xe -goversion=${1:-"1.12.4"} +goversion=${1:-"1"} ostype=${2:-"alpine"} -pushd images/${goversion}/${ostype}/build-stage/ && docker build -t fnproject/golang:${goversion}-${ostype}-dev . && popd -pushd images/${goversion}/${ostype}/runtime/ && docker build -t fnproject/golang:${goversion}-${ostype} . && popd +pushd images/${goversion}/${ostype}/build-stage && docker build -t fnproject/go:${goversion}-${ostype}-dev . && popd +pushd images/${goversion}/${ostype}/runtime && docker build -t fnproject/go:${goversion}-${ostype} . && popd 
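Review bot: `go1_alpine_security_check` duplicates `go1_stretch_security_check` line for line except for the `ostype` argument and the image tags, and every new distro would add a third copy. With `version: 2.1` in effect, one job that declares an `ostype` parameter and substitutes `<< parameters.ostype >>` into the build command and `image_name` replaces both; the workflow then lists it twice with `name:` and `ostype:` set. The unchanged `timeout`/`policy_failure`/`policy_bundle_file_path` options stay as they are.
```yaml
  "go1_security_check":
    parameters:
      ostype:
        type: string
    executor: anchore/anchore_engine
    working_directory: ~/fdk-go
    steps:
      # … unchanged: setup_remote_docker, checkout …
      - run:
          name: Golang 1 << parameters.ostype >> build
          command: |
            apk add bash
            ./build-images.sh 1 << parameters.ostype >>
      - anchore/analyze_local_image:
          image_name: "fnproject/go:1-<< parameters.ostype >> fnproject/go:1-<< parameters.ostype >>-dev"
          # … unchanged: timeout, policy_failure, policy_bundle_file_path …
      - anchore/parse_reports
```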
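Review bot: The security jobs now run only in the new `nightly` workflow (`cron: "0 0 * * *"`, `master` only) while the `build` workflow that runs on every push contains just `"test"`, so a change to any Dockerfile or to `build-images.sh` merges without being built or scanned and is first checked the following night. If that trade-off is intended (scan cost, orb executor time), a comment above `nightly:` stating it would save the next reader the question; otherwise add the two `*_security_check` jobs to `build` as well. The `jobs:` list under `nightly` also repeats `"test"`, which the cron run does not need unless the nightly is meant to catch upstream breakage.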
diff --git a/images/1.12.4/alpine/build-stage/Dockerfile b/images/1/alpine/build-stage/Dockerfile
similarity index 77%
rename from images/1.12.4/alpine/build-stage/Dockerfile
rename to images/1/alpine/build-stage/Dockerfile
index b641550..2930364 100644
--- a/images/1.12.4/alpine/build-stage/Dockerfile
+++ b/images/1/alpine/build-stage/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.12.4-alpine3.8
+FROM golang:1-alpine3.8
 
 RUN apk update && apk upgrade && \
 apk add --no-cache wget curl git bzr mercurial build-base
diff --git a/images/1.12.4/alpine/runtime/Dockerfile b/images/1/alpine/runtime/Dockerfile
similarity index 100%
rename from images/1.12.4/alpine/runtime/Dockerfile
rename to images/1/alpine/runtime/Dockerfile
diff --git a/images/1.12.4/stretch/build-stage/Dockerfile b/images/1/stretch/build-stage/Dockerfile
similarity index 83%
rename from images/1.12.4/stretch/build-stage/Dockerfile
rename to images/1/stretch/build-stage/Dockerfile
index 0b35ef0..9b63cac 100644
--- a/images/1.12.4/stretch/build-stage/Dockerfile
+++ b/images/1/stretch/build-stage/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.12.4-stretch
+FROM golang:1-stretch
 
 RUN apt-get update && apt-get upgrade -qy && \
 apt-get install wget curl mercurial build-essential gcc -qy && \
diff --git a/images/1.12.4/stretch/runtime/Dockerfile b/images/1/stretch/runtime/Dockerfile
similarity index 100%
rename from images/1.12.4/stretch/runtime/Dockerfile
rename to images/1/stretch/runtime/Dockerfile
diff --git a/release_images.sh b/release_images.sh
new file mode 100755
index 0000000..dd60aaa
--- /dev/null
+++ b/release_images.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+user="fnproject"
+image="go"
+goversion="1"
+stretch="stretch"
+alpine="alpine"
+
+
+docker push ${user}/${image}:${goversion}-${stretch}
+docker push ${user}/${image}:${goversion}-${stretch}-dev
+
+docker push ${user}/${image}:${goversion}-${alpine}
+docker push ${user}/${image}:${goversion}-${alpine}-dev
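Review bot: `FROM golang:1-alpine3.8` (and `FROM golang:1-stretch` in the next hunk) floats on the Go major tag, so every nightly build silently adopts whatever `golang:1` resolves to that day, the published `fnproject/go:1-alpine` tag no longer records which Go release it contains, and two Anchore runs of the "same" image can legitimately differ. Keep the tag parameterized but the build reproducible with `ARG GO_VERSION=1.12.4` above `FROM golang:${GO_VERSION}-alpine3.8`, passing `--build-arg` from `build-images.sh`; pinning by digest is the stronger form for the images that are pushed.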
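Review bot: `release_images.sh` runs four `docker push` commands with no `set -e`, so a failed push of `${goversion}-${stretch}` does not stop the later pushes and the script exits 0 whenever the last push succeeds. Add `set -euo pipefail` after the shebang and a comment such as `# expects a prior docker login and the four tags produced by build-images.sh 1 stretch / 1 alpine` so the prerequisites are explicit. Nothing in the series calls this script from CI, so it appears to be a manual step; if so, saying that in the header comment avoids someone wiring it in without the login.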
From 78c25b77251b9601b756d79d7a19484131b7e4e8 Mon Sep 17 00:00:00 2001
From: Denis Makogon
Date: Wed, 5 Jun 2019 20:53:14 +0300
Subject: [PATCH 6/6] adding fn user
---
 images/1/alpine/runtime/Dockerfile | 1 -
 images/1/stretch/runtime/Dockerfile | 3 ++-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/images/1/alpine/runtime/Dockerfile b/images/1/alpine/runtime/Dockerfile
index 43a2e16..bc99d25 100644
--- a/images/1/alpine/runtime/Dockerfile
+++ b/images/1/alpine/runtime/Dockerfile
@@ -3,5 +3,4 @@ FROM alpine:3.8
 RUN apk update && apk upgrade \
 && apk add ca-certificates \
 && rm -rf /var/cache/apk/*
-
 RUN addgroup -g 1000 -S fn && adduser -S -u 1000 -G fn fn
diff --git a/images/1/stretch/runtime/Dockerfile b/images/1/stretch/runtime/Dockerfile
index 791438a..01c12de 100644
--- a/images/1/stretch/runtime/Dockerfile
+++ b/images/1/stretch/runtime/Dockerfile
@@ -1,3 +1,4 @@
 FROM debian:stretch-slim
 
-RUN apt-get update && apt-get upgrade -qy
+RUN apt-get update && apt-get upgrade -qy && apt-get clean
+RUN addgroup --system --gid 1000 --system fn && adduser --system --uid 1000 --ingroup fn fn
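Review bot: `RUN addgroup --system --gid 1000 --system fn` passes `--system` twice, and the new `fn` account is never selected: no `USER fn` follows, so the image still starts as root and the account is unused unless the runtime switches users at launch, which is not visible here — the alpine runtime in the first hunk has the same gap. Suggested tail: `RUN apt-get update && apt-get upgrade -qy && apt-get clean && rm -rf /var/lib/apt/lists/*`, `RUN addgroup --system --gid 1000 fn && adduser --system --uid 1000 --ingroup fn fn`, `USER fn`. `apt-get clean` alone leaves `/var/lib/apt/lists/*` in the layer.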