generated from ThalesGroup/template-project
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathContainerfile.goreleaser-ko-cosign-trivy-syft-x86-arm64-non-root-usr.base
169 lines (142 loc) · 6.43 KB
/
Containerfile.goreleaser-ko-cosign-trivy-syft-x86-arm64-non-root-usr.base
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
# Copyright 2024 Thales
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#==============================================================================#
# This container image is based on the GoLang Debian officical image and
# and embarks Goreleaser "github.com/goreleaser/goreleaser" and GCC for both
# linux/amd64 (x86_64) and linux/arm64 (aarch64).
#==============================================================================#
# Set Go & tools versions. Be carreful when upgrading these versions, make sure
# to keep them in sync with the version golang
ARG GOLANG_VERSION=1.23.0
ARG TRIVY_VERSION=0.57.1
ARG SYFT_VERSION=1.16.0
ARG COSIGN_VERSION=2.4.1
ARG KO_VERSION=0.17.1
# goreleaser v2.4.7 ships with go1.23.0
ARG GORELEASER_VERSION=2.4.7
# Set Debian version name (e.g. bookworm)
ARG DEBIAN_VERSION=bookworm
# Builder image's registry
# A Debian Bookworm based GoLang image is chosen over "docker.io/goreleaser/goreleaser" Alpine based
# goreleaser official image (https://hub.docker.com/r/goreleaser/goreleaser),
# because debian uses glibc and Alpine uses libc musl.
ARG BUILDER_IMAGE_REGISTRY=docker.io/library
ARG BUILDER_IMAGE_NAME=golang
ARG BUILDER_IMAGE_TAG=${GOLANG_VERSION}-${DEBIAN_VERSION}
# For OCI labels
ARG BASE_REGISTRY=${BUILDER_IMAGE_REGISTRY}
ARG BASE_IMAGE=${BUILDER_IMAGE_NAME}
ARG BASE_IMAGE_TAG=${BUILDER_IMAGE_TAG}
# non-root user
ARG APP_USER="goreleaser"
ARG APP_USER_UID="1234"
ARG APP_GROUP="goreleaser"
ARG APP_GROUP_GID="5678"
#==============================================================================#
# Go Debian image with support for both linux/amd64 and linux/arm64
#==============================================================================#
FROM ${BUILDER_IMAGE_REGISTRY}/${BUILDER_IMAGE_NAME}:${BUILDER_IMAGE_TAG} AS builder-base
# Install linux/arm64 GCC
RUN apt-get update && apt-get install -y \
git \
curl \
make \
&& rm -rf /var/lib/apt/lists/*
#==============================================================================#
# installing goreleaser, cosign and ko-build
#==============================================================================#
FROM builder-base as buidler-goreleaser
ARG GORELEASER_VERSION
ARG COSIGN_VERSION
ARG KO_VERSION
RUN go install github.com/goreleaser/goreleaser/v2@v${GORELEASER_VERSION} \
&& go install github.com/sigstore/cosign/v2/cmd/cosign@v${COSIGN_VERSION} \
&& go install github.com/google/ko@v${KO_VERSION}
#==============================================================================#
# installing trivy
#==============================================================================#
FROM buidler-goreleaser as buidler-goreleaser-trivy
ARG TRIVY_VERSION
# install trivy
RUN curl -sSfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${TRIVY_VERSION}
#==============================================================================#
# installing syft
#==============================================================================#
FROM buidler-goreleaser-trivy as buidler-goreleaser-syft-and-trivy
ARG SYFT_VERSION
# install trivy
RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v${SYFT_VERSION}
#==============================================================================#
# Final goreleaser builder image for building xbom-manager
#==============================================================================#
FROM buidler-goreleaser-syft-and-trivy as buidler-goreleaser-final
# are defined at the begining og the file
ARG APP_USER
ARG APP_GROUP
ARG APP_USER_UID
ARG APP_GROUP_GID
# create a non-root user since this app does not need root privileges
RUN addgroup \
--gid ${APP_GROUP_GID} \
${APP_GROUP}
RUN adduser \
--uid ${APP_USER_UID} \
--gid ${APP_GROUP_GID} \
--shell "/bin/bash" \
--disabled-login \
--disabled-password \
--gecos "User for goreleaser" \
${APP_USER}
# Set Go environment variables for the new user
ENV GOROOT=/usr/local/go
ENV GOPATH=/home/${APP_USER}/go
ENV PATH=${GOPATH}/bin:${GOROOT}/bin:${PATH}
# Give ownership of Go-related directories to the non-root user
RUN mkdir -p ${GOPATH} && \
chown -R ${APP_USER}:${APP_GROUP} ${GOPATH} /usr/local/go /go
# Switch to non-root user
#USER ${APP_USER}
ENTRYPOINT ["/bin/bash"]
# See https://github.com/opencontainers/image-spec/blob/main/annotations.md
ARG LABEL_CREATED=""
ARG LABEL_AUTHOR="Thales Open Source <oss@thalesgroup.com>"
ARG LABEL_URL="ghcr.io/thalesgroup/goreleaser-glibc-image-base"
ARG LABEL_DOCUMENTATION="https://github.com/ThalesGroup/goreleaser-glibc-image"
ARG LABEL_SOURCE="https://github.com/ThalesGroup/goreleaser-glibc-image"
ARG LABEL_VERSION=""
ARG LABEL_REVISION=""
ARG LABEL_VENDOR="Thales"
ARG LABEL_LICENSES="Apache 2.0"
ARG LABEL_TITLE="goreleaser-glibc-image-base"
ARG LABEL_REF_NAME=""
ARG LABEL_DESCRIPTION="Container base image that is shiped with goreleaser cosign ko-build trivy and syft, and using glibc on debian. The ENTRYPOINT of this image is /bin/bash."
ARG LABEL_BASE_DIGEST=""
ARG BASE_REGISTRY
ARG BASE_IMAGE
ARG BASE_IMAGE_TAG
ARG LABEL_BASE_NAME="${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_IMAGE_TAG}"
LABEL org.opencontainers.image.created="${LABEL_CREATED}"
LABEL org.opencontainers.image.authors="${LABEL_AUTHOR}"
LABEL org.opencontainers.image.url="${LABEL_URL}"
LABEL org.opencontainers.image.documentation="${LABEL_DOCUMENTATION}"
LABEL org.opencontainers.image.source="${LABEL_SOURCE}"
LABEL org.opencontainers.image.version="${LABEL_VERSION}"
LABEL org.opencontainers.image.revision="${LABEL_REVISION}"
LABEL org.opencontainers.image.vendor="${LABEL_VENDOR}"
LABEL org.opencontainers.image.licenses="${LABEL_LICENSES}"
LABEL org.opencontainers.image.title="${LABEL_TITLE}"
LABEL org.opencontainers.image.ref.name="${LABEL_REF_NAME}"
LABEL org.opencontainers.image.description="${LABEL_DESCRIPTION}"
LABEL org.opencontainers.image.base.digest="${LABEL_BASE_DIGEST}"
LABEL org.opencontainers.image.base.name="${LABEL_BASE_NAME}"