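# Stage 1 (builder): fetch the third-party scanners and build tools into a
# throwaway image. Only /usr/local/bin/shiftleft, the versioned /opt/<tool>-<ver>
# trees and /opt/sl-cli are carried into the runtime stage via COPY --from=builder.
# NOTE(review): the base image carries no tag or digest, so each build resolves
# whatever `latest` is at that moment; pin a tag or digest for reproducibility.
FROM shiftleft/scan-base AS builder
ARG CLI_VERSION
ARG BUILD_DATE
# Pinned versions of every artifact downloaded below, plus the two fixed homes.
ENV GOSEC_VERSION=2.4.0 \
    TFSEC_VERSION=0.24.1 \
    KUBESEC_VERSION=2.6.0 \
    KUBE_SCORE_VERSION=1.7.2 \
    DETEKT_VERSION=1.10.0 \
    GITLEAKS_VERSION=4.3.1 \
    GRADLE_VERSION=6.5.1 \
    MAVEN_VERSION=3.6.3 \
    SC_VERSION=2020.1.4 \
    PMD_VERSION=6.25.0 \
    JQ_VERSION=1.6 \
    FSB_VERSION=1.10.1 \
    SB_CONTRIB_VERSION=7.4.7 \
    SB_VERSION=4.0.6 \
    GOPATH=/opt/app-root/go \
    SHIFTLEFT_HOME=/opt/sl-cli
# Derived paths live in a separate ENV: within one ENV instruction a ${VAR}
# reference expands to the value VAR had *before* that instruction, so
# deriving these in the same instruction as the versions yields "/opt/gradle-".
ENV GRADLE_HOME=/opt/gradle-${GRADLE_VERSION} \
    MAVEN_HOME=/opt/apache-maven-${MAVEN_VERSION} \
    PMD_CMD="/opt/pmd-bin-${PMD_VERSION}/bin/run.sh pmd"
# Same reason PATH gets its own instruction. No trailing ':' -- an empty PATH
# entry means the current directory, which lets a file in whatever directory
# a tool is invoked from shadow a real command.
ENV PATH=${PATH}:${GRADLE_HOME}/bin:${GOPATH}/bin
USER root
# Every artifact below is fetched over HTTPS without checksum or signature
# verification, so the build trusts the release hosts and the TLS path
# completely. TODO(review): record the expected sha256 of each artifact
# (e.g. <EXPECTED_SHA256_PLACEHOLDER>) and verify it before installing.
# `curl -f` turns an HTTP error into a build failure instead of saving the
# error page under the tool's name and marking it executable.
RUN mkdir -p /usr/local/bin/shiftleft \
    && curl -fsSLO "https://github.com/securego/gosec/releases/download/v${GOSEC_VERSION}/gosec_${GOSEC_VERSION}_linux_amd64.tar.gz" \
    && tar -C /usr/local/bin/shiftleft/ -xf "gosec_${GOSEC_VERSION}_linux_amd64.tar.gz" \
    && chmod +x /usr/local/bin/shiftleft/gosec \
    && rm "gosec_${GOSEC_VERSION}_linux_amd64.tar.gz"
# Archives and /tmp extraction dirs are removed in the same layer that created
# them; a later-layer rm would leave them in the image history.
RUN curl -fsSLO "https://services.gradle.org/distributions/gradle-${GRADLE_VERSION}-bin.zip" \
    && unzip -q "gradle-${GRADLE_VERSION}-bin.zip" -d /opt/ \
    && chmod +x "/opt/gradle-${GRADLE_VERSION}/bin/gradle" \
    && rm "gradle-${GRADLE_VERSION}-bin.zip" \
    && curl -fsSLO "https://downloads.apache.org/maven/maven-3/${MAVEN_VERSION}/binaries/apache-maven-${MAVEN_VERSION}-bin.zip" \
    && unzip -q "apache-maven-${MAVEN_VERSION}-bin.zip" -d /opt/ \
    && chmod +x "/opt/apache-maven-${MAVEN_VERSION}/bin/mvn" \
    && rm "apache-maven-${MAVEN_VERSION}-bin.zip" \
    && curl -fsSLO "https://storage.googleapis.com/shellcheck/shellcheck-stable.linux.x86_64.tar.xz" \
    && tar -C /tmp/ -xf shellcheck-stable.linux.x86_64.tar.xz \
    && cp /tmp/shellcheck-stable/shellcheck /usr/local/bin/shiftleft/shellcheck \
    && chmod +x /usr/local/bin/shiftleft/shellcheck \
    && rm -rf shellcheck-stable.linux.x86_64.tar.xz /tmp/shellcheck-stable \
    && curl -fsSLO "https://github.com/dominikh/go-tools/releases/download/${SC_VERSION}/staticcheck_linux_amd64.tar.gz" \
    && tar -C /tmp -xf staticcheck_linux_amd64.tar.gz \
    && cp /tmp/staticcheck/staticcheck /usr/local/bin/shiftleft/staticcheck \
    && chmod +x /usr/local/bin/shiftleft/staticcheck \
    && rm -rf staticcheck_linux_amd64.tar.gz /tmp/staticcheck
# Single-binary releases: download straight to the final name.
RUN curl -fsSL "https://github.com/zricethezav/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks-linux-amd64" -o /usr/local/bin/shiftleft/gitleaks \
    && chmod +x /usr/local/bin/shiftleft/gitleaks \
    && curl -fsSL "https://github.com/liamg/tfsec/releases/download/v${TFSEC_VERSION}/tfsec-linux-amd64" -o /usr/local/bin/shiftleft/tfsec \
    && chmod +x /usr/local/bin/shiftleft/tfsec
# PMD's release URL has an encoded '/' in the tag segment, so the output file
# name is given explicitly rather than derived from the URL.
RUN curl -fsSL "https://github.com/zegl/kube-score/releases/download/v${KUBE_SCORE_VERSION}/kube-score_${KUBE_SCORE_VERSION}_linux_amd64" -o /usr/local/bin/shiftleft/kube-score \
    && chmod +x /usr/local/bin/shiftleft/kube-score \
    && curl -fsSL "https://github.com/pmd/pmd/releases/download/pmd_releases%2F${PMD_VERSION}/pmd-bin-${PMD_VERSION}.zip" -o "pmd-bin-${PMD_VERSION}.zip" \
    && unzip -q "pmd-bin-${PMD_VERSION}.zip" -d /opt/ \
    && rm "pmd-bin-${PMD_VERSION}.zip" \
    && curl -fsSL "https://github.com/stedolan/jq/releases/download/jq-${JQ_VERSION}/jq-linux64" -o /usr/local/bin/shiftleft/jq \
    && chmod +x /usr/local/bin/shiftleft/jq
# JVM tools: detekt, kubesec, spotbugs plus its findsecbugs and sb-contrib
# plugins (installed under spotbugs' plugin dir), and the ShiftLeft `sl` CLI.
# The sl download previously used bare `curl … >`, which would have stored a
# redirect or error body as the binary; -fL fails on errors and follows redirects.
RUN curl -fsSL "https://github.com/detekt/detekt/releases/download/v${DETEKT_VERSION}/detekt-cli-${DETEKT_VERSION}-all.jar" -o /usr/local/bin/shiftleft/detekt-cli.jar \
    && curl -fsSLO "https://github.com/controlplaneio/kubesec/releases/download/v${KUBESEC_VERSION}/kubesec_linux_amd64.tar.gz" \
    && tar -C /usr/local/bin/shiftleft/ -xf kubesec_linux_amd64.tar.gz \
    && rm kubesec_linux_amd64.tar.gz \
    && curl -fsSLO "https://github.com/spotbugs/spotbugs/releases/download/${SB_VERSION}/spotbugs-${SB_VERSION}.tgz" \
    && tar -C /opt/ -xf "spotbugs-${SB_VERSION}.tgz" \
    && rm "spotbugs-${SB_VERSION}.tgz" \
    && curl -fsSLO "https://repo1.maven.org/maven2/com/h3xstream/findsecbugs/findsecbugs-plugin/${FSB_VERSION}/findsecbugs-plugin-${FSB_VERSION}.jar" \
    && mv "findsecbugs-plugin-${FSB_VERSION}.jar" "/opt/spotbugs-${SB_VERSION}/plugin/findsecbugs-plugin.jar" \
    && curl -fsSLO "https://repo1.maven.org/maven2/com/mebigfatguy/sb-contrib/sb-contrib/${SB_CONTRIB_VERSION}/sb-contrib-${SB_CONTRIB_VERSION}.jar" \
    && mv "sb-contrib-${SB_CONTRIB_VERSION}.jar" "/opt/spotbugs-${SB_VERSION}/plugin/sb-contrib.jar" \
    && curl -fsSL "https://cdn.shiftleft.io/download/sl" -o /usr/local/bin/shiftleft/sl \
    && chmod a+rx /usr/local/bin/shiftleft/sl \
    && mkdir -p /opt/sl-cli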
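# Stage 2 (runtime): slim base plus the tool trees produced by the builder
# stage, the Python/Node/PHP analysers installed here, and the scan scripts.
# NOTE(review): untagged base image, same concern as the builder stage --
# pin a tag or digest.
FROM shiftleft/scan-base-slim AS sast-scan-tools
# An ARG is scoped to the stage that declares it, so CLI_VERSION and
# BUILD_DATE from the builder stage are not visible here. Without these
# redeclarations the version and build-date labels below expand to "".
ARG CLI_VERSION
ARG BUILD_DATE
LABEL maintainer="ShiftLeftSecurity" \
    org.label-schema.schema-version="1.0" \
    org.label-schema.vendor="shiftleft" \
    org.label-schema.name="sast-scan" \
    org.label-schema.version="${CLI_VERSION}" \
    org.label-schema.license="GPL-3.0-or-later" \
    org.label-schema.description="Container with various opensource static analysis security testing tools (shellcheck, gosec, tfsec, gitleaks, ...) for multiple programming languages" \
    org.label-schema.url="https://www.shiftleft.io" \
    org.label-schema.usage="https://github.com/ShiftLeftSecurity/sast-scan" \
    org.label-schema.build-date="${BUILD_DATE}" \
    org.label-schema.vcs-url="https://github.com/ShiftLeftSecurity/sast-scan.git" \
    org.label-schema.docker.cmd="docker run --rm -it --name sast-scan shiftleft/sast-scan"
# SB_VERSION, PMD_VERSION, GRADLE_VERSION and MAVEN_VERSION must equal the
# builder stage's values: they name the source paths of the COPY --from=builder
# instructions below. The *_HOME/*_CMD values point at the unversioned
# destinations used in this stage. PATH has no trailing ':' -- an empty entry
# means the current directory, and with WORKDIR /app (presumably where the
# source under scan lives -- confirm) a file inside the scanned tree could
# otherwise shadow a tool.
ENV APP_SRC_DIR=/usr/local/src \
    DEPSCAN_CMD="/usr/local/bin/depscan" \
    MVN_CMD="/opt/apache-maven/bin/mvn" \
    PMD_CMD="/opt/pmd-bin/bin/run.sh pmd" \
    SB_VERSION=4.0.6 \
    PMD_VERSION=6.25.0 \
    PMD_JAVA_OPTS="" \
    SPOTBUGS_HOME=/opt/spotbugs \
    JAVA_HOME=/usr/lib/jvm/jre-11-openjdk \
    SCAN_JAVA_HOME=/usr/lib/jvm/jre-11-openjdk \
    SCAN_JAVA_11_HOME=/usr/lib/jvm/jre-11-openjdk \
    SCAN_JAVA_8_HOME=/usr/lib/jvm/jre-1.8.0 \
    GRADLE_VERSION=6.5.1 \
    GRADLE_HOME=/opt/gradle \
    GRADLE_CMD=gradle \
    MAVEN_VERSION=3.6.3 \
    MAVEN_HOME=/opt/apache-maven \
    PYTHONUNBUFFERED=1 \
    DOTNET_CLI_TELEMETRY_OPTOUT=1 \
    SHIFTLEFT_HOME=/opt/sl-cli \
    GO111MODULE=auto \
    GOARCH=amd64 \
    GOOS=linux \
    CGO_ENABLED=0 \
    PATH=/usr/local/src/:${PATH}:/opt/gradle/bin:/opt/apache-maven/bin:/usr/local/go/bin:/opt/sl-cli:/opt/phpsast/vendor/bin
# Tool trees from the builder stage; versioned source dirs land at stable,
# unversioned destinations so the *_HOME/*_CMD values above need no version bump.
COPY --from=builder /usr/local/bin/shiftleft /usr/local/bin
COPY --from=builder /opt/pmd-bin-${PMD_VERSION} /opt/pmd-bin
COPY --from=builder /opt/spotbugs-${SB_VERSION} /opt/spotbugs
COPY --from=builder /opt/gradle-${GRADLE_VERSION} /opt/gradle
COPY --from=builder /opt/apache-maven-${MAVEN_VERSION} /opt/apache-maven
COPY --from=builder /opt/sl-cli /opt/sl-cli
# Config and the pip manifest are copied before the scan scripts so the
# dependency layer below is reused when only the scripts change.
COPY tools_config/ /usr/local/src/
COPY requirements.txt /usr/local/src/
USER root
# Python, Node and PHP analysers. The `scan` entry point that the pip install
# drops in /usr/local/bin (presumably from depscan -- confirm against
# requirements.txt) is renamed to `depscan`, which DEPSCAN_CMD points at, so it
# cannot collide with this project's own `scan` script copied below (and
# /usr/local/src is first on PATH). Composer runs against /opt/phpsast via
# --working-dir instead of `cd`. Build-only compilers are removed in the same
# layer so they do not remain in the image.
RUN pip3 install --no-cache-dir wheel \
    && pip3 install --no-cache-dir -r /usr/local/src/requirements.txt \
    && mv /usr/local/bin/scan /usr/local/bin/depscan \
    && npm install --only=production -g @appthreat/cdxgen @microsoft/rush \
    && mkdir -p /opt/phpsast \
    && composer require --working-dir=/opt/phpsast --quiet --no-cache --dev vimeo/psalm \
    && composer require --working-dir=/opt/phpsast --quiet --no-cache --dev phpstan/phpstan \
    && composer require --working-dir=/opt/phpsast --quiet --no-cache --dev phpstan/extension-installer \
    && microdnf remove -y php-fpm php-devel php-pear automake make gcc gcc-c++ libtool \
    && microdnf clean all
# NOTE(review): no USER follows the root switch above, so the container runs
# scans as root; confirm whether the runtime needs that or can drop to a
# dedicated unprivileged user before CMD.
WORKDIR /app
COPY scan /usr/local/src/
COPY lib /usr/local/src/lib
CMD [ "python3", "/usr/local/src/scan" ]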