test setcap (#15)

WindzCUHK · web-flow · commit aba05ed2bb52 · 2023-04-19T18:25:41.000+09:00
Signed-off-by: wfan &lt;wfan@yahoo-corp.jp&gt;
diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml
@@ -137,7 +137,7 @@ jobs:
           echo ${{ toJSON(steps.sysdig.outputs.violation_report) }} | \
             jq -r .
           echo ${{ toJSON(steps.sysdig.outputs.violation_report) }} | \
-            jq -r .cis_docker_benchmark_violation_report[].violations[] | \
+            jq -r '.cis_docker_benchmark_violation_report[] | select(true) | .violations[]' | \
             wc -l | \
             xargs -I% test 0 -eq %
 
diff --git a/Dockerfile b/Dockerfile
@@ -2,7 +2,7 @@ FROM golang:1.20-alpine AS base
 
 RUN set -eux \
     && apk --no-cache add ca-certificates \
-    && apk --no-cache add --virtual build-dependencies cmake g++ make unzip curl git
+    && apk --no-cache add --virtual build-dependencies cmake g++ make unzip curl git libcap
 
 WORKDIR ${GOPATH}/src/github.com/AthenZ/garm
 
@@ -32,6 +32,9 @@ RUN BUILD_TIME=$(date -u +%Y%m%d-%H%M%S) \
     go build -ldflags "-s -w -linkmode 'external' -extldflags '-static -fPIC -m64 -pthread -std=c++11 -lstdc++' -X 'main.Version=${APP_VERSION} at ${BUILD_TIME} by ${GO_VERSION}'" -a -tags "cgo netgo" -installsuffix "cgo netgo" -o "${APP_NAME}" \
     && mv "${APP_NAME}" "/usr/bin/${APP_NAME}"
 
+# allow well-known port binding
+RUN setcap 'cap_net_bind_service=+ep' "/usr/bin/${APP_NAME}"
+
 RUN apk del build-dependencies --purge \
     && rm -rf "${GOPATH}"
 
@@ -50,7 +53,7 @@ COPY --from=builder /etc/passwd /etc/passwd
 COPY --from=builder /usr/bin/${APP_NAME} /go/bin/${APP_NAME}
 # Copy user
 COPY --from=builder /etc/passwd /etc/passwd
-# USER ${APP_NAME}
+USER ${APP_NAME}
 
 HEALTHCHECK NONE
 ENTRYPOINT ["/go/bin/garm"]
