
Commit c157509

committed
updates cosign, trivy, gitleaks and crane binaries
1 parent 200e4c2 commit c157509

2 files changed

Lines changed: 32 additions & 1699 deletions


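--- a/Dockerfile.scanner
+++ b/Dockerfile.scanner
@@ -5,22 +5,42 @@ WORKDIR /app
 
 ARG TARGETPLATFORM
 
-ENV CRANE_VERSION=v0.19.1
+ENV CRANE_VERSION=v0.20.6
 ENV OS=Linux
 ENV ARCH=x86_64
+ENV TRIVY_VERSION=v0.65.0
+ENV COSIGN_VERSION=v2.5.3
+ENV GITLEAKS_VERSION=v8.28.0
 
-RUN curl -sL "https://github.com/google/go-containerregistry/releases/download/${CRANE_VERSION}/go-containerregistry_${OS}_${ARCH}.tar.gz" > go-containerregistry.tar.gz && \
-tar -zxvf go-containerregistry.tar.gz -C /usr/local/bin/ crane
-
-# install trivy
-RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.62.1
+# Expected checksums for security verification
+ENV CRANE_CHECKSUM=c1d593d01551f2c9a3df5ca0a0be4385a839bd9b86d4a76e18d7b17d16559127
+ENV TRIVY_CHECKSUM=f0c5e3c912e7f5194a0efc85dfd34c94c63c4a4184b2d7b97ec7718661f5ead2
+ENV COSIGN_CHECKSUM=783b5d6c74105401c63946c68d9b2a4e1aab3c8abce043e06b8510b02b623ec9
+ENV GITLEAKS_CHECKSUM=a65b5253807a68ac0cafa4414031fd740aeb55f54fb7e55f386acb52e6a840eb
 
-# install cosign
-RUN curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64" && mv cosign-linux-amd64 /usr/local/bin/cosign && chmod +x /usr/local/bin/cosign
-
-# install gitleaks
-RUN curl -O -L "https://github.com/gitleaks/gitleaks/releases/download/v8.24.2/gitleaks_8.24.2_linux_x64.tar.gz" && \
-tar -zxvf gitleaks_8.24.2_linux_x64.tar.gz -C /usr/local/bin/ gitleaks
+# install crane with checksum verification
+RUN curl -sL "https://github.com/google/go-containerregistry/releases/download/${CRANE_VERSION}/go-containerregistry_${OS}_${ARCH}.tar.gz" > go-containerregistry.tar.gz && \
+echo "${CRANE_CHECKSUM} go-containerregistry.tar.gz" | sha256sum -c - && \
+tar -zxvf go-containerregistry.tar.gz -C /usr/local/bin/ crane && \
+rm go-containerregistry.tar.gz
+
+# install trivy with checksum verification
+RUN curl -sL "https://github.com/aquasecurity/trivy/releases/download/${TRIVY_VERSION}/trivy_$(echo ${TRIVY_VERSION} | sed 's/v//')_Linux-64bit.tar.gz" > trivy.tar.gz && \
+echo "${TRIVY_CHECKSUM} trivy.tar.gz" | sha256sum -c - && \
+tar -zxvf trivy.tar.gz -C /usr/local/bin/ trivy && \
+rm trivy.tar.gz
+
+# install cosign with checksum verification
+RUN curl -sL "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-amd64" > cosign-linux-amd64 && \
+echo "${COSIGN_CHECKSUM} cosign-linux-amd64" | sha256sum -c - && \
+mv cosign-linux-amd64 /usr/local/bin/cosign && \
+chmod +x /usr/local/bin/cosign
+
+# install gitleaks with checksum verification
+RUN curl -sL "https://github.com/gitleaks/gitleaks/releases/download/${GITLEAKS_VERSION}/gitleaks_$(echo ${GITLEAKS_VERSION} | sed 's/v//')_linux_x64.tar.gz" > gitleaks.tar.gz && \
+echo "${GITLEAKS_CHECKSUM} gitleaks.tar.gz" | sha256sum -c - && \
+tar -zxvf gitleaks.tar.gz -C /usr/local/bin/ gitleaks && \
+rm gitleaks.tar.gz
 
 #install unzip
 RUN apt-get update && apt-get install -y unzip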
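Review bot: The four new `curl -sL` downloads (new lines 22, 28, 34 and 40) omit `-f`, so an HTTP error response is written into the archive and only surfaces later as a `sha256sum` mismatch; `curl -fsSL` makes the step fail at the download itself, with a clearer error. The `*_CHECKSUM` values and the three new `*_VERSION` values are build-only, so `ARG` would serve better than `ENV`, which otherwise carries them into the runtime environment of the final image. Within this hunk `ARG TARGETPLATFORM` looks unused — `ARCH=x86_64`, `Linux-64bit`, `linux-amd64` and `linux_x64` are all hard-coded, which means the pinned checksums are implicitly amd64-only; a comment above the checksum block such as `# amd64-only: download names and all four sha256 values must be updated together when the architecture or a version changes` would make that explicit. It would also help to record the provenance of the hashes, e.g. `# sha256 values taken from each project's published release checksums, not computed from the downloaded file`, since a checksum copied from the artifact itself verifies nothing.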
