Merge pull request #228 from catenax-ng/TRACEFOSS-953_cypress-docker-config-improvements-KICS

ds-ext-dskrzypczak · web-flow · commit 6a74dbf86182 · 2023-01-31T17:00:03.000+01:00
TRACEFOSS-953 chr: cypress docker configuration improvements - KICS
diff --git a/.github/workflows/kics.yml b/.github/workflows/kics.yml
@@ -1,6 +1,7 @@
 name: "KICS"
 
 on:
+  workflow_dispatch:
   push:
     branches: [main, master]
   # pull_request:
@@ -29,6 +30,10 @@ jobs:
         with:
           # Scanning directory .
           path: "."
+          # Excluded paths:
+          # - docker-compose.yml - used only on local env
+          # - in cypress dir docker related files used only on local env
+          exclude_paths: "docker-compose.yml,cypress/docker-compose.yml,cypress/Dockerfile"
           # Fail on HIGH severity results
           fail_on: high
           # Disable secrets detection - we use GitGuardian
diff --git a/cypress/Dockerfile b/cypress/Dockerfile
@@ -1,3 +1,7 @@
+# DISCLAIMER!
+# purpose of this file is to run cypress E2E tests locally, we don't use it in other env
+# because of statement above, we don't need to change settings to comply with some KICS requirements
+
 
 # if you need to change image please make sure use the same version in all places
 # (here and in .github/workflows/e2e-tests.yml)
@@ -8,6 +12,7 @@
 # but cypress/included:12.3.0 version base on cypress/browsers:node16.16.0-chrome107-ff107-edge
 FROM cypress/included:12.3.0
 
+USER root
 RUN mkdir /ng-app
 WORKDIR /ng-app
 
@@ -18,4 +23,3 @@ COPY yarn.lock /ng-app/yarn.lock
 RUN yarn install
 # https://docs.cypress.io/guides/guides/launching-browsers#Linux-Dependencies
 RUN npx playwright install --with-deps webkit
-
diff --git a/cypress/docker-compose.yml b/cypress/docker-compose.yml
@@ -1,14 +1,29 @@
+# DISCLAIMER!
+# purpose of this file is to run cypress E2E tests locally, we don't use it in other env
+# because of statement above, we don't need to change settings to comply with some KICS requirements
+
 version: "3.9"
 services:
   cypress:
     build:
       context: ../
       dockerfile: cypress/Dockerfile
+
     volumes:
       - ../:/ng-app/
       - /ng-app/node_modules/ # we don't want to override it by host machine
+    security_opt:
+      - label:user:testuser
+      - no-new-privileges:true
     network_mode: host # important to be able to connect to localhost url on host machine
-
-
-networks:
- TRACE_X_FE:
+    # to comply with KICS requirement:
+    # [MEDIUM] Memory Not Limited
+    # Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory
+    deploy:
+      resources:
+        limits:
+          cpus: "4"
+          memory: "1024M"
+        reservations:
+          cpus: "2"
+          memory: "512M"
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,3 +1,7 @@
+# DISCLAIMER!
+# purpose of this file is to run services locally, we don't use it in other env
+# because of statement above, we don't need to change settings to comply with some KICS requirements
+
 version: "3.9"
 services:
   keycloak:
