Use multi-stage Dockerfiles for Security Product analyzers
All our analyzers are available through a Docker image, so each of these repos contains a Dockerfile to build the image. Yet `docker build` will fail if the developer hasn't installed Go and built the project beforehand. We should make that step easier and reproducible with multi-stage builds.

We'll have to update our https://gitlab.com/gitlab-org/security-products/ci-templates/raw/master/includes-dev/analyzer.yml file accordingly, but that will ensure that we use the same build process everywhere.
For example, with the ESLint analyzer:

```dockerfile
# Stage 1: compile the Go analyzer binary (static, no cgo, so it runs on Alpine)
FROM golang:1.11 AS build
# Force the go compiler to use modules
ENV GO111MODULE=on CGO_ENABLED=0 GOOS=linux
WORKDIR /go/src/app
COPY . .
RUN go build -o analyzer

# Stage 2: runtime image; only the built binary is copied over, not the Go toolchain
FROM node:11-alpine
ARG ESLINT_VERSION
ARG ESLINT_SECURITY_VERSION
ENV ESLINT_VERSION ${ESLINT_VERSION:-5.12.1}
ENV ESLINT_SECURITY_VERSION ${ESLINT_SECURITY_VERSION:-1.4.0}
# --unsafe-perm is a needed workaround for https://github.com/npm/uid-number/issues/7
# Or else it doesn't build on gitlab-runner
RUN npm install -g --unsafe-perm eslint@$ESLINT_VERSION eslint-plugin-html eslint-plugin-security@$ESLINT_SECURITY_VERSION
USER node
WORKDIR /home/node
COPY --from=build --chown=root:root /go/src/app/analyzer /
COPY eslintrc /home/node/.eslintrc
ENTRYPOINT []
CMD ["/analyzer", "run"]
```
Implementation Plan

- Update all existing analyzers' Dockerfiles to build the Go binary, ensuring that the `metadata.AnalyzerVersion` variable is automatically set at build time, as explained in "Report changelog version in Go-based analyzers":
  - gemnasium-python/Dockerfile
  - security-code-scan/Dockerfile
  - spotbugs/Dockerfile
  - nodejs-scan/Dockerfile
  - kubesec/Dockerfile
  - bundler-audit/Dockerfile
  - secrets/Dockerfile
  - tslint/Dockerfile
  - .gemnasium/Dockerfile
  - retire.js/Dockerfile
  - bandit/Dockerfile
  - pmd-apex/Dockerfile
  - sobelow/Dockerfile
  - brakeman/Dockerfile
  - common/template/Dockerfile
  - gosec/Dockerfile
  - flawfinder/Dockerfile
  - eslint/Dockerfile
  - gemnasium-maven/Dockerfile
  - phpcs-security-audit/Dockerfile
- Remove the `go build` stage from the [analyzer ci template](https://gitlab.com/gitlab-org/security-products/ci-templates/-/blob/c9d97ebee39479de9aba276d02f9ff138b79ccb1/includes-dev/analyzer.yml#L23)
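The plan above asks that `metadata.AnalyzerVersion` be set automatically at build time. As an added example, not code from this issue or from any of the analyzer repos, here is one way to do that inside the multi-stage build: the version arrives as a build arg and is linked into the binary with `-ldflags "-X ..."`. The module import path `example.com/analyzer/metadata`, the build arg name `ANALYZER_VERSION` and the `alpine:3.9` runtime base are assumptions; the page only names the `metadata.AnalyzerVersion` variable.

```dockerfile
# Stage 1: build a static Go binary. The version is passed in as a build arg,
# so the image is reproducible from a clean checkout with no local Go toolchain.
FROM golang:1.11 AS build
# Default keeps a plain local `docker build` working; CI overrides it with --build-arg.
ARG ANALYZER_VERSION=0.0.0-dev
ENV GO111MODULE=on CGO_ENABLED=0 GOOS=linux
WORKDIR /go/src/app
COPY . .
# -X sets the package-level string variable metadata.AnalyzerVersion at link time.
# "example.com/analyzer/metadata" is a placeholder for the analyzer's real module
# path; the target must be a string `var` (not a `const`) or -X silently does nothing.
RUN go build -ldflags "-X example.com/analyzer/metadata.AnalyzerVersion=${ANALYZER_VERSION}" -o analyzer .

# Stage 2: minimal runtime image that carries only the binary, not the source tree
# or the compiler, which keeps both the image size and its attack surface small.
FROM alpine:3.9
COPY --from=build /go/src/app/analyzer /
ENTRYPOINT []
CMD ["/analyzer", "run"]
```

In CI the version would be supplied with `docker build --build-arg ANALYZER_VERSION="$CI_COMMIT_TAG" .`; `CI_COMMIT_TAG` is a predefined GitLab CI variable that is only set on tag pipelines, so branch builds fall back to the `0.0.0-dev` default. A quick check that the injection worked is to run the built image and confirm that the version it reports matches the tag rather than the default.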
/cc @gl-secure
Edited by Lucas Charles