crowd.dev/scripts/services/docker/Dockerfile.git_integration at a1b16380b204f7aa05d72da728dbe1317efa28f1 · linuxfoundation/crowd.dev · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
# Base image for both stages
FROM python:3.13.5-slim-bullseye AS base

# Go builder stage: build the software-value binary and install scc
FROM golang:1.25-alpine AS go-builder

WORKDIR /go/src/software-value

# Install scc using the official Go toolchain (specific version as per project README)
RUN go install github.com/boyter/scc/v3@v3.5.0

# Copy Go module files
COPY ./services/apps/git_integration/src/crowdgit/services/software_value/go.mod ./
COPY ./services/apps/git_integration/src/crowdgit/services/software_value/go.sum ./

# Download dependencies
RUN go mod download

# Copy source code
COPY ./services/apps/git_integration/src/crowdgit/services/software_value/ ./

# Build the binary
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags "-w -s" -o software-value ./

# Go builder stage 2: build the vulnerability-scanner binary
FROM golang:1.25-alpine AS go-vuln-builder

WORKDIR /go/src/vulnerability-scanner

# Copy module files first for dependency caching
COPY ./services/apps/git_integration/src/crowdgit/services/vulnerability_scanner/go.mod ./
COPY ./services/apps/git_integration/src/crowdgit/services/vulnerability_scanner/go.sum ./

# Copy source code
COPY ./services/apps/git_integration/src/crowdgit/services/vulnerability_scanner/ ./

# Download dependencies and build, using cache mounts to avoid re-downloading on every build
RUN --mount=type=cache,target=/go/pkg/mod \
    --mount=type=cache,target=/root/.cache/go-build \
    go mod download && CGO_ENABLED=0 GOOS=linux go build -ldflags "-w -s" -o vulnerability-scanner ./

# Builder stage: install build dependencies, uv, and dependencies
FROM base AS builder

# Install build dependencies
RUN apt-get update && apt-get install -y \
    build-essential \
    --no-install-recommends \
    && rm -rf /var/lib/apt/lists/*

# Copy uv binary from official image
COPY --from=ghcr.io/astral-sh/uv:0.7.17 /uv /usr/local/bin/uv

WORKDIR /usr/crowd/app

ENV UV_LINK_MODE=copy \
    UV_COMPILE_BYTECODE=1 \
    UV_PYTHON_DOWNLOADS=never \
    UV_PYTHON=python3.13 \
    UV_PROJECT_ENVIRONMENT=/usr/crowd/app/.venv \
    UV_VENV_PATH=/usr/crowd/app/.venv

# Copy only lock, pyproject.toml and License for dependency install caching
COPY ./services/apps/git_integration/pyproject.toml ./services/apps/git_integration/uv.lock ./LICENSE ./

# Install dependencies excluding the project itself for better caching
RUN --mount=type=cache,target=/root/.cache/uv \
    uv sync --frozen --no-install-project --no-dev

# Copy full source code
COPY ./services/apps/git_integration ./LICENSE ./

# Sync full project including the project itself
RUN --mount=type=cache,target=/root/.cache/uv \
    uv sync --frozen --no-dev


# Runner: minimal image with runtime deps and virtualenv only
FROM base AS runner

# Install runtime dependencies only
RUN apt-get update && apt-get install -y \
    ca-certificates \
    git \
    ripgrep \
    ruby \
    libgit2-1.1 \
    ruby-dev \
    build-essential \
    libgit2-dev \
    cmake \
    pkg-config \
    --no-install-recommends \
    && gem install licensee -v '9.15.3' --no-document \
    && apt-get remove --autoremove -y ruby-dev build-essential libgit2-dev cmake pkg-config \
    && rm -rf /var/lib/apt/lists/*

ENV PYTHONUNBUFFERED=1 \
    PYTHONDONTWRITEBYTECODE=1 \
    PIP_NO_CACHE_DIR=off

WORKDIR /usr/crowd/app

# Copy virtual environment and app source from builder
COPY --from=builder /usr/crowd/app/.venv /usr/crowd/app/.venv
COPY --from=builder /usr/crowd/app /usr/crowd/app

# Copy both software-value and scc binaries from go-builder stage
COPY --from=go-builder /go/src/software-value/software-value /usr/local/bin/software-value
COPY --from=go-builder /go/bin/scc /usr/local/bin/scc

# Copy vulnerability-scanner binary from go-vuln-builder stage
COPY --from=go-vuln-builder /go/src/vulnerability-scanner/vulnerability-scanner /usr/local/bin/vulnerability-scanner

# Add virtual environment bin to PATH
ENV PATH="/usr/crowd/app/.venv/bin:$PATH"

# Make runner script and binaries executable
RUN chmod +x ./src/runner.sh \
    && chmod +x /usr/local/bin/software-value \
    && chmod +x /usr/local/bin/scc \
    && chmod +x /usr/local/bin/vulnerability-scanner

EXPOSE 8085

CMD ["./src/runner.sh"]