
Commit 39a44eb

committed
fix: Added the hadolint hint
1 parent 1a33b90 commit 39a44eb


1 file changed

+78
-2
lines changed

1 file changed

+78
-2
lines changed

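--- a/Dockerfile.tools
+++ b/Dockerfile.tools
@@ -5,22 +5,36 @@ FROM python:3.12-alpine@sha256:9b8808206f4a956130546a32cbdd8633bc973b19db2923b72
 FROM python_base AS builder
 ARG TARGETOS
 ARG TARGETARCH
+
 WORKDIR /bin_dir
+
 RUN apk add --no-cache \
+# Builder deps
 bash=~5 \
 curl=~8 && \
+# Upgrade packages for be able get latest Checkov
 python3 -m pip install --no-cache-dir --upgrade \
 pip~=25.0 \
 setuptools~=75.8
+
 COPY tools/install/ /install/
+
+#
+# Install required tools
+#
 ARG PRE_COMMIT_VERSION=${PRE_COMMIT_VERSION:-latest}
 RUN touch /.env && \
 if [ "$PRE_COMMIT_VERSION" = "false" ]; then \
 echo "Vital software can't be skipped" && exit 1; \
 fi
 RUN /install/pre-commit.sh
+
+#
+# Install tools
+#
 ARG OPENTOFU_VERSION=${OPENTOFU_VERSION:-false}
 ARG TERRAFORM_VERSION=${TERRAFORM_VERSION:-false}
+
 ARG CHECKOV_VERSION=${CHECKOV_VERSION:-false}
 ARG HCLEDIT_VERSION=${HCLEDIT_VERSION:-false}
 ARG INFRACOST_VERSION=${INFRACOST_VERSION:-false}
@@ -31,10 +45,16 @@ ARG TFLINT_VERSION=${TFLINT_VERSION:-false}
 ARG TFSEC_VERSION=${TFSEC_VERSION:-false}
 ARG TFUPDATE_VERSION=${TFUPDATE_VERSION:-false}
 ARG TRIVY_VERSION=${TRIVY_VERSION:-false}
+
+
+# Tricky thing to install all tools by set only one arg.
+# In RUN command below used `. /.env` <- this is sourcing vars that
+# specified in step below
 ARG INSTALL_ALL=${INSTALL_ALL:-false}
 RUN if [ "$INSTALL_ALL" != "false" ]; then \
 echo "OPENTOFU_VERSION=latest" >> /.env && \
 echo "TERRAFORM_VERSION=latest" >> /.env && \
+\
 echo "CHECKOV_VERSION=latest" >> /.env && \
 echo "HCLEDIT_VERSION=latest" >> /.env && \
 echo "INFRACOST_VERSION=latest" >> /.env && \
@@ -46,8 +66,12 @@ RUN if [ "$INSTALL_ALL" != "false" ]; then \
 echo "TFUPDATE_VERSION=latest" >> /.env && \
 echo "TRIVY_VERSION=latest" >> /.env \
 ; fi
+
+# Docker `RUN`s shouldn't be consolidated here
+# hadolint global ignore=DL3059
 RUN /install/opentofu.sh
 RUN /install/terraform.sh
+
 RUN /install/checkov.sh
 RUN /install/hcledit.sh
 RUN /install/infracost.sh
@@ -59,33 +83,85 @@ RUN /install/tfsec.sh
 RUN /install/tfupdate.sh
 RUN /install/trivy.sh
 
+
+# Checking binaries versions and write it to debug file
+
+# SC2086 - We do not need to quote "$F" variable, because it's not contain spaces
+# DL4006 - Not Applicable for /bin/sh in alpine images. Disable, as recommended by check itself
+# hadolint ignore=SC2086,DL4006
+RUN . /.env && \
+F=tools_versions_info && \
+pre-commit --version >> $F && \
+(if [ "$OPENTOFU_VERSION" != "false" ]; then ./tofu --version | head -n 1 >> $F; else echo "opentofu SKIPPED" >> $F ; fi) && \
+(if [ "$TERRAFORM_VERSION" != "false" ]; then ./terraform --version | head -n 1 >> $F; else echo "terraform SKIPPED" >> $F ; fi) && \
+\
+(if [ "$CHECKOV_VERSION" != "false" ]; then echo "checkov $(checkov --version)" >> $F; else echo "checkov SKIPPED" >> $F ; fi) && \
+(if [ "$HCLEDIT_VERSION" != "false" ]; then echo "hcledit $(./hcledit version)" >> $F; else echo "hcledit SKIPPED" >> $F ; fi) && \
+(if [ "$INFRACOST_VERSION" != "false" ]; then echo "$(./infracost --version)" >> $F; else echo "infracost SKIPPED" >> $F ; fi) && \
+(if [ "$TERRAFORM_DOCS_VERSION" != "false" ]; then ./terraform-docs --version >> $F; else echo "terraform-docs SKIPPED" >> $F ; fi) && \
+(if [ "$TERRAGRUNT_VERSION" != "false" ]; then ./terragrunt --version >> $F; else echo "terragrunt SKIPPED" >> $F ; fi) && \
+(if [ "$TERRASCAN_VERSION" != "false" ]; then echo "terrascan $(./terrascan version)" >> $F; else echo "terrascan SKIPPED" >> $F ; fi) && \
+(if [ "$TFLINT_VERSION" != "false" ]; then ./tflint --version >> $F; else echo "tflint SKIPPED" >> $F ; fi) && \
+(if [ "$TFSEC_VERSION" != "false" ]; then echo "tfsec $(./tfsec --version)" >> $F; else echo "tfsec SKIPPED" >> $F ; fi) && \
+(if [ "$TFUPDATE_VERSION" != "false" ]; then echo "tfupdate $(./tfupdate --version)" >> $F; else echo "tfupdate SKIPPED" >> $F ; fi) && \
+(if [ "$TRIVY_VERSION" != "false" ]; then echo "trivy $(./trivy --version)" >> $F; else echo "trivy SKIPPED" >> $F ; fi) && \
+printf "\n\n\n" && cat $F && printf "\n\n\n"
+
+
+
 FROM python_base
+
 RUN apk add --no-cache \
+# pre-commit deps
 git=~2 \
+# All hooks deps
 bash=~5 \
+# pre-commit-hooks deps: https://github.com/pre-commit/pre-commit-hooks
 musl-dev=~1 \
 gcc=~14 \
+# entrypoint wrapper deps
 su-exec=~0.2 \
+# ssh-client for external private module in ssh
 openssh-client=~10
-COPY --from=builder /usr/local/bin/pre-commit /usr/local/bin/checkov* /usr/bin/
-COPY --from=builder /bin_dir/ /usr/bin/
+
+# Copy tools
+COPY --from=builder \
+# Needed for all hooks
+/usr/local/bin/pre-commit \
+# Hooks and terraform binaries
+/bin_dir/ \
+/usr/local/bin/checkov* \
+/usr/bin/
+# Copy pre-commit packages
 COPY --from=builder /usr/local/lib/python3.12/site-packages/ /usr/local/lib/python3.12/site-packages/
+# Copy terrascan policies
 COPY --from=builder /root/ /root/
+
+# Copy hook scripts for Docker-based hooks
 COPY hooks/ /usr/local/bin/hooks/
 COPY lib_getopt /usr/local/bin/
 COPY src/pre_commit_terraform/ /usr/local/lib/python3.12/site-packages/pre_commit_terraform/
+
+# Install hooks extra deps
 RUN if [ "$(grep -o '^terraform-docs SKIPPED$' /usr/bin/tools_versions_info)" = "" ]; then \
 apk add --no-cache perl=~5 \
 ; fi && \
 if [ "$(grep -o '^infracost SKIPPED$' /usr/bin/tools_versions_info)" = "" ]; then \
 apk add --no-cache jq=~1 \
 ; fi && \
+# Fix git runtime fatal:
+# unsafe repository ('/lint' is owned by someone else)
 git config --global --add safe.directory /lint
+
 COPY tools/entrypoint.sh /entrypoint.sh
+
+# Copy hook scripts for docker_image language support
 COPY hooks/ /usr/bin/hooks/
 COPY lib_getopt /usr/bin/lib_getopt
 RUN chmod +x /usr/bin/hooks/*.sh
+
 ENV PRE_COMMIT_COLOR=${PRE_COMMIT_COLOR:-always}
+
 ENV INFRACOST_API_KEY=${INFRACOST_API_KEY:-}
 ENV INFRACOST_SKIP_UPDATE_CHECK=${INFRACOST_SKIP_UPDATE_CHECK:-false}
 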
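Review bot: The new version-check RUN in the fourth hunk (`./tofu --version | head -n 1 >> $F`, and the same line for terraform) runs under the default `/bin/sh` with no pipefail, so a downloaded binary that fails to execute is masked by `head`'s exit status and the build continues with that tool's line missing from tools_versions_info, which the runtime stage's `grep SKIPPED` checks then read as "tool present". Busybox ash does support `set -o pipefail`, and hadolint's DL4006 guidance for Alpine is to set the shell explicitly rather than only disable the rule, so adding `SHELL ["/bin/ash", "-o", "pipefail", "-c"]` in the builder stage before this RUN would make the step fail on a broken binary and let `DL4006` be dropped from the `# hadolint ignore=SC2086,DL4006` line; the comment "Not Applicable for /bin/sh in alpine images" should then be reworded, since it currently suggests the shell cannot do pipefail. Separately, the `# hadolint global ignore=DL3059` added in the third hunk applies to the whole file, including the runtime stage's consecutive RUNs; if that is intended, a comment such as `# Applies file-wide: the per-tool install RUNs are kept separate for layer caching and clear failures` would record the scope decision.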
