
Commit 6caee7d

build(docker)!: add general-purpose Dockerfile, removing the test-only one
1 parent 0f8f252 commit 6caee7d


2 files changed

+72
-66
lines changed


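--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,72 @@
+# =========================== Build stage ===========================
+FROM astral/uv:python3.12-bookworm-slim AS builder
+ENV UV_COMPILE_BYTECODE=1 UV_LINK_MODE=copy UV_PYTHON_DOWNLOADS=0
+
+WORKDIR /app
+COPY pyproject.toml /app/pyproject.toml
+COPY uv.lock /app/uv.lock
+RUN --mount=type=cache,target=/root/.cache/uv \
+uv sync --locked --no-install-project --no-dev --extra test
+
+COPY codesectools /app/codesectools
+RUN --mount=type=cache,target=/root/.cache/uv \
+uv sync --locked --no-dev --extra test
+
+# =========================== Base ===========================
+FROM python:3.12-slim-bookworm
+
+ARG UID=1000
+ARG GID=1000
+
+SHELL ["/bin/bash", "-c"]
+
+RUN apt update -qq && \
+DEBIAN_FRONTEND=noninteractive \
+apt install \
+sudo \
+curl git \
+cloc \
+openjdk-17-jdk-headless maven \
+build-essential bear \
+-y -qq --no-install-recommends && \
+rm -rf /var/lib/apt/lists/*
+
+RUN groupadd -g $GID codesectools && \
+useradd -l -u $UID -g codesectools -m codesectools -s /bin/bash && \
+echo "codesectools ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/codesectools && \
+chmod 0440 /etc/sudoers.d/codesectools
+
+USER codesectools
+WORKDIR /home/codesectools
+
+RUN curl -LsSf https://astral.sh/uv/install.sh | sh
+ENV PATH="/home/codesectools/.local/bin:$PATH"
+
+# =========================== SAST tools ===========================
+RUN uv venv sasts
+ENV PATH="/home/codesectools/sasts:$PATH"
+ENV PATH="/home/codesectools/sasts/bin:$PATH"
+
+# Semgrep Community Edition
+RUN uv pip install --no-cache semgrep
+
+# Bearer
+RUN curl -sfL https://raw.githubusercontent.com/Bearer/bearer/main/contrib/install.sh | BINDIR=/home/codesectools/sasts sh
+
+# SpotBugs
+RUN curl -sL https://github.com/spotbugs/spotbugs/releases/download/4.9.8/spotbugs-4.9.8.tgz | tar -xzvf - && \
+mv spotbugs-* /home/codesectools/sasts/spotbugs
+ENV PATH="/home/codesectools/sasts/spotbugs/bin:$PATH"
+
+# Cppcheck
+RUN sudo apt update -qq && \
+DEBIAN_FRONTEND=noninteractive sudo apt install cppcheck -y -qq --no-install-recommends && \
+sudo rm -rf /var/lib/apt/lists/*
+
+# =========================== CodeSecTools ===========================
+COPY --from=builder --chown=codesectools:codesectools /app /app
+ENV PATH="/app/.venv/bin:$PATH"
+
+# https://github.com/sarugaku/shellingham/issues/87
+RUN find /app -path "*/shellingham/__init__.py" -exec sed -i 's#raise ShellDetectionFailure()#return ("bash", "/bin/bash")#g' {} \; && \
+cstools --install-completion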
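Review bot: The `codesectools ALL=(ALL) NOPASSWD:ALL` sudoers entry makes the `USER codesectools` switch cosmetic — anything running in the final image can become root without a password, and within this Dockerfile the only thing that needs it is the later `sudo apt install cppcheck` block. Moving `cppcheck \` into the root-stage `apt install` list (next to `cloc`) lets you drop `sudo` from that list, delete the two `/etc/sudoers.d/codesectools` lines, and remove the Cppcheck `RUN sudo apt …` block entirely, leaving the runtime user genuinely unprivileged; if passwordless sudo is deliberately kept for interactive use of this "general-purpose" image, a comment saying so above the `echo … > /etc/sudoers.d/codesectools` line would stop the next reader from assuming it is an oversight. Separately, the `curl … | sh` installs for uv and Bearer pull unpinned scripts (Bearer from the mutable `main` branch) and the SpotBugs tarball is fetched without a checksum, so the image's contents are decided by whatever those URLs serve at build time — pinning a version or tag and verifying a `sha256sum` for each would make the build reproducible and supply-chain-auditable. Since all three downloads are piped into another command, `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` would also make a failed or truncated download fail the layer instead of being masked by the consumer's exit status.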

tests/Dockerfile

Lines changed: 0 additions & 66 deletions
This file was deleted.
