ci: make dockerfile more secure

bl4ko · Nov 7, 2024 · 665447f · 665447f
1 parent 9c8a482
commit 665447f
Show file tree

Hide file tree

Showing 7 changed files with 41 additions and 10 deletions.
diff --git a/.gitignore b/.gitignore
@@ -32,3 +32,5 @@ main
 go.work
 
 # End of https://www.toptal.com/developers/gitignore/api/go
+
+.pre-commit-trivy-cache
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1 @@
+DS026
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,8 @@
 FROM --platform=$BUILDPLATFORM golang:1.23.2@sha256:ad5c126b5cf501a8caef751a243bb717ec204ab1aa56dc41dc11be089fafcb4f AS builder
 
+ARG TARGETOS
+ARG TARGETARCH
+
 WORKDIR /app
 
 COPY go.mod go.sum ./
@@ -10,7 +13,7 @@ COPY ./internal ./internal
 
 COPY ./cmd ./cmd
 
-RUN CGO_ENABLED=0 GOOS=${TARGET_OS} GOARCH=${TARGETARCH} go build  -o ./cmd/netbox-ssot/main ./cmd/netbox-ssot/main.go
+RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build  -o ./cmd/netbox-ssot/main ./cmd/netbox-ssot/main.go
 
 FROM alpine:3.20.3@sha256:beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d
 
@@ -30,10 +33,17 @@ LABEL \
   org.opencontainers.image.description="Microservice for syncing Netbox with multiple external sources."
 
 # Install openssh required for netconf
-RUN apk add openssh
+RUN apk add --no-cache openssh
+
+# Create a netbox user and group
+RUN addgroup -S -g 10001 netbox && \
+  adduser -S -u 10001 -G netbox netbox && \
+  mkdir -p /app && \
+  chown -R netbox:netbox /app
+USER netbox:netbox
 
 WORKDIR /app
 
-COPY --from=builder /app/cmd/netbox-ssot/main ./main
+COPY --from=builder --chown=netbox:netbox /app/cmd/netbox-ssot/main ./main
 
 CMD ["./main"]
diff --git a/Makefile b/Makefile
@@ -1,8 +1,8 @@
 SHELL := /bin/bash
 
-include .env
-
 .PHONY: build_and_push
 
 build_and_push:
-	docker buildx build --platform linux/amd64,linux/arm64,linux/arm/v7 -t ghcr.io/bl4ko/netbox-ssot:develop --push .
+	docker buildx build \
+  --platform linux/amd64,linux/arm64,linux/arm/v7 \
+  -t ghcr.io/bl4ko/netbox-ssot:develop --push .
diff --git a/go.sum b/go.sum
@@ -64,8 +64,6 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8=
 github.com/ulikunitz/xz v0.5.11/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
-github.com/vmware/govmomi v0.45.1 h1:pmMmSUNIw/kePaCRFaUOpDh7IxDfhDi9M4Qh+DRlBV4=
-github.com/vmware/govmomi v0.45.1/go.mod h1:uoLVU9zlXC4p4GmLVG+ZJmBC0Gn3Q7mytOJvi39OhxA=
 github.com/vmware/govmomi v0.46.0 h1:vKrY5gG8Udz5HGlBYMrmRy03j9Rey+g5q8S3dQIjOyc=
 github.com/vmware/govmomi v0.46.0/go.mod h1:uoLVU9zlXC4p4GmLVG+ZJmBC0Gn3Q7mytOJvi39OhxA=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=

diff --git a/k8s/cronjob.yaml b/k8s/cronjob.yaml
@@ -10,7 +10,7 @@ spec:
         spec:
           containers:
             - name: netbox-ssot
-              image: ghcr.io/bl4ko/netbox-ssot:latest
+              image: ghcr.io/bl4ko/netbox-ssot:v1.5.2
               imagePullPolicy: Always
               resources:
                 limits:
@@ -23,6 +23,16 @@ spec:
                 - name: netbox-ssot-secret
                   mountPath: /app/config.yaml
                   subPath: config.yaml
+              securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop: ["ALL"]
+                runAsNonRoot: true
+                readOnlyRootFilesystem: true
+                runAsUser: 10001
+                runAsGroup: 10001
+                seccompProfile:
+                  type: RuntimeDefault
           volumes:
             - name: netbox-ssot-secret
               secret:

diff --git a/k8s/cronjob_with_cert.yaml b/k8s/cronjob_with_cert.yaml
@@ -10,7 +10,7 @@ spec:
         spec:
           containers:
             - name: netbox-ssot
-              image: ghcr.io/bl4ko/netbox-ssot:latest
+              image: ghcr.io/bl4ko/netbox-ssot:v1.5.2
               imagePullPolicy: Always
               resources:
                 limits:
@@ -26,6 +26,16 @@ spec:
                 - name: netbox-ssot-cert
                   mountPath: /app/sub.pem
                   subPath: sub.pem
+              securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop: ["ALL"]
+                runAsNonRoot: true
+                readOnlyRootFilesystem: true
+                runAsUser: 10001
+                runAsGroup: 10001
+                seccompProfile:
+                  type: RuntimeDefault
           volumes:
             - name: netbox-ssot-secret
               secret:
Original file line number	Diff line number	Diff line change
Expand Up		@@ -32,3 +32,5 @@ main
		go.work

		# End of https://www.toptal.com/developers/gitignore/api/go

		.pre-commit-trivy-cache