fix: go back to root user in Dockefile #103
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Other options: we do setup a non-root user with sudoer privileges. This should satisfy the security linter and still gives us the same privileges as root in the container. (yep, I understand still insecure) |
|
We will likely need to add something in the dockerfile or a config file to exempt the security rule being caught by the linter. |
jmeridth
force-pushed
the
jm-go-back-to-root-user-in-dockerfile
branch
from
cb33298 to
0d0abf2
Compare
Fixes: github#101 Based on [GitHub docs]() we will not be able to access the workspace of the GitHub Action without being the root user. As a non-root user we won't be able to write to `$GITHUB_OUTPUT` which is an environment variable that is a path inside the workspace and GitHub Actions using to handle output from the GitHub Action. Once that was realized, this seems to be the only possible path. fix: ignore checkov linter requiring user in Dockerfile Signed-off-by: jmeridth <jmeridth@gmail.com>
jmeridth
force-pushed
the
jm-go-back-to-root-user-in-dockerfile
branch
from
0d0abf2 to
eee235e
Compare
|
@zkoppert updated and pushed with skip for user in Dockerfile |
jmeridth
added a commit
to jmeridth/cleanowners
that referenced
this pull request
Mar 20, 2024
- [x] add skips for checkov - can't add user due to needing root access [context](github/stale-repos#103) - add health check endpoint - not there yet - [x] move flake8 arguments from Makefile into .github/linters/.flake8 config file - [x] move .pylintrc from root to .github/linters/.pylintrc so superlinter uses it there might be a few other linting errors, but I'm not able to recreate locally currently Signed-off-by: jmeridth <jmeridth@gmail.com>
jmeridth
added a commit
to jmeridth/cleanowners
that referenced
this pull request
Mar 20, 2024
- [x] add skips for checkov - can't add user due to needing root access [context](github/stale-repos#103) - add health check endpoint - not there yet - [x] move flake8 arguments from Makefile into .github/linters/.flake8 config file - use .flake8 config in Makefile - [x] move .pylintrc from root to .github/linters/.pylintrc so superlinter uses it there might be a few other linting errors, but I'm not able to recreate locally currently Signed-off-by: jmeridth <jmeridth@gmail.com>
10 tasks
jmeridth
added a commit
to jmeridth/cleanowners
that referenced
this pull request
Mar 20, 2024
- [x] add skips for checkov - can't add user due to needing root access [context](github/stale-repos#103) - add health check endpoint - not there yet - [x] move flake8 arguments from Makefile into .github/linters/.flake8 config file - use .flake8 config in Makefile - [x] move .pylintrc from root to .github/linters/.pylintrc so superlinter uses it - [x] add missing --- at top of stale.yml github action (makes warning happy) there might be a few other linting errors, but I'm not able to recreate locally currently Signed-off-by: jmeridth <jmeridth@gmail.com>
jmeridth
added a commit
to jmeridth/cleanowners
that referenced
this pull request
Mar 20, 2024
- [x] add skips for checkov - can't add user due to needing root access [context](github/stale-repos#103) - add health check endpoint - not there yet - [x] move flake8 arguments from Makefile into .github/linters/.flake8 config file - use .flake8 config in Makefile - [x] move .pylintrc from root to .github/linters/.pylintrc so superlinter uses it - [x] add missing --- at top of stale.yml github action (makes warning happy) - [x] update super-linter to v6 there might be a few other linting errors, but I'm not able to recreate locally currently Signed-off-by: jmeridth <jmeridth@gmail.com>
jmeridth
added a commit
to jmeridth/cleanowners
that referenced
this pull request
Mar 20, 2024
- [x] add skips for checkov - can't add user due to needing root access [context](github/stale-repos#103) - add health check endpoint - not there yet - [x] move flake8 arguments from Makefile into .github/linters/.flake8 config file - use .flake8 config in Makefile - [x] move .pylintrc from root to .github/linters/.pylintrc so superlinter uses it - rename file to .python-lint (default that superlinter looks for) - [x] add missing --- at top of stale.yml github action (makes warning happy) - [x] update super-linter to v6 - [x] update README with permissions best practices in examples there might be a few other linting errors, but I'm not able to recreate locally currently Signed-off-by: jmeridth <jmeridth@gmail.com>
jmeridth
added a commit
to jmeridth/cleanowners
that referenced
this pull request
Mar 20, 2024
- [x] add skips for checkov - can't add user due to needing root access [context](github/stale-repos#103) - add health check endpoint - not there yet - [x] move flake8 arguments from Makefile into .github/linters/.flake8 config file - use .flake8 config in Makefile - [x] move .pylintrc from root to .github/linters/.pylintrc so superlinter uses it - rename file to .python-lint (default that superlinter looks for) - [x] add missing --- at top of stale.yml github action (makes warning happy) - [x] update super-linter to v6 - [x] update README with permissions best practices in examples there might be a few other linting errors, but I'm not able to recreate locally currently Signed-off-by: jmeridth <jmeridth@gmail.com>
jmeridth
added a commit
to jmeridth/cleanowners
that referenced
this pull request
Mar 20, 2024
- [x] add skips for checkov - can't add user due to needing root access [context](github/stale-repos#103) - add health check endpoint - not there yet - [x] move flake8 arguments from Makefile into .github/linters/.flake8 config file - use .flake8 config in Makefile - [x] move .pylintrc from root to .github/linters/.pylintrc so superlinter uses it - rename file to .python-lint (default that superlinter looks for) - [x] add missing --- at top of stale.yml github action (makes warning happy) - [x] update super-linter to v6 - [x] update README with permissions best practices in examples there might be a few other linting errors, but I'm not able to recreate locally currently Signed-off-by: jmeridth <jmeridth@gmail.com>
jmeridth
added a commit
to jmeridth/cleanowners
that referenced
this pull request
Mar 20, 2024
- [x] add skips for checkov - can't add user due to needing root access [context](github/stale-repos#103) - add health check endpoint - not there yet - [x] move flake8 arguments from Makefile into .github/linters/.flake8 config file - use .flake8 config in Makefile - [x] move .pylintrc from root to .github/linters/.pylintrc so superlinter uses it - rename file to .python-lint (default that superlinter looks for) - [x] add missing --- at top of stale.yml github action (makes warning happy) - [x] update super-linter to v6 - [x] update README with permissions best practices in examples there might be a few other linting errors, but I'm not able to recreate locally currently Signed-off-by: jmeridth <jmeridth@gmail.com>
jmeridth
added a commit
to jmeridth/cleanowners
that referenced
this pull request
Mar 20, 2024
- [x] add skips for checkov - can't add user due to needing root access [context](github/stale-repos#103) - add health check endpoint - not there yet - [x] move flake8 arguments from Makefile into .github/linters/.flake8 config file - use .flake8 config in Makefile - [x] move .pylintrc from root to .github/linters/.pylintrc so superlinter uses it - rename file to .python-lint (default that superlinter looks for) - [x] add missing --- at top of stale.yml github action (makes warning happy) - [x] update super-linter to v6 - [x] update README with permissions best practices in examples there might be a few other linting errors, but I'm not able to recreate locally currently Signed-off-by: jmeridth <jmeridth@gmail.com>
jmeridth
added a commit
to jmeridth/cleanowners
that referenced
this pull request
Mar 20, 2024
- [x] add skips for checkov - can't add user due to needing root access [context](github/stale-repos#103) - add health check endpoint - not there yet - [x] move flake8 arguments from Makefile into .github/linters/.flake8 config file - use .flake8 config in Makefile - [x] move .pylintrc from root to .github/linters/.pylintrc so superlinter uses it - rename file to .python-lint (default that superlinter looks for) - [x] add missing --- at top of stale.yml github action (makes warning happy) - [x] update super-linter to v6 - [x] update README with permissions best practices in examples there might be a few other linting errors, but I'm not able to recreate locally currently Signed-off-by: jmeridth <jmeridth@gmail.com>
jmeridth
added a commit
to jmeridth/cleanowners
that referenced
this pull request
Mar 20, 2024
- [x] add skips for checkov - can't add user due to needing root access [context](github/stale-repos#103) - add health check endpoint - not there yet - [x] move flake8 arguments from Makefile into .github/linters/.flake8 config file - use .flake8 config in Makefile - [x] move .pylintrc from root to .github/linters/.pylintrc so superlinter uses it - rename file to .python-lint (default that superlinter looks for) - [x] add missing --- at top of stale.yml github action (makes warning happy) - [x] update super-linter to v6 - [x] update README with permissions best practices in examples there might be a few other linting errors, but I'm not able to recreate locally currently Signed-off-by: jmeridth <jmeridth@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes: #101
Pull Request
Proposed Changes
Based on GitHub docs we will not be able to access the workspace of the GitHub Action without being the root user. As a non-root user we won't be able to write to
$GITHUB_OUTPUTwhich is an environment variable that is a path inside the workspace and GitHub Actions using to handle output from the GitHub Action.Once that was realized, this seems to be the only possible path.
fix: ignore checkov linter requiring user in Dockerfile (docs)
Running checkov locally
Note: CKV_DOCKER_3 is skipped
Readiness Checklist
Author/Contributor
make lintand fix any issues that you have introducedmake testand ensure you have test coverage for the lines you are introducingReviewer
bug,documentation,enhancement,infrastructure, orbreaking