From 4efdff36f1bda09f5ba10e6c23ec881017036960 Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Sat, 6 Sep 2025 11:07:10 -0400 Subject: [PATCH 1/3] Fix Dockerfile issues identified by hadolint MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Add SHELL directive with pipefail option to all build stages (DL4006) This ensures that piped commands fail properly if any command in the pipeline fails, preventing silent build failures - Use WORKDIR instead of cd for medusa build (DL3003) More idiomatic Docker practice that makes the build context clearer and follows Docker best practices These changes improve build reliability and follow Docker best practices without affecting the final image functionality. 🤖 Generated with Claude Code https://claude.ai/code Co-Authored-By: Claude --- Dockerfile | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index feadd4c..ee86eff 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,11 +4,12 @@ ### Medusa build process ### FROM golang:1.23 AS medusa +SHELL ["/bin/bash", "-o", "pipefail", "-c"] WORKDIR /src RUN git clone https://github.com/crytic/medusa.git -RUN cd medusa && \ - export LATEST_TAG="$(git describe --tags | sed 's/-[0-9]\+-g\w\+$//')" && \ +WORKDIR /src/medusa +RUN export LATEST_TAG="$(git describe --tags | sed 's/-[0-9]\+-g\w\+$//')" && \ git checkout "$LATEST_TAG" && \ go build -trimpath -o=/usr/local/bin/medusa -ldflags="-s -w" && \ chmod 755 /usr/local/bin/medusa @@ -18,6 +19,7 @@ RUN cd medusa && \ ### Echidna "build process" ### FROM ghcr.io/crytic/echidna/echidna:latest AS echidna +SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN chmod 755 /usr/local/bin/echidna 
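Review bot: The rebuilt `RUN export LATEST_TAG="$(git describe --tags | …)"` line still decides which medusa revision to build at build time from an unpinned clone, so two builds of the same Dockerfile can yield different medusa binaries and nothing records or verifies what was fetched. A build argument that names the revision explicitly, e.g. `ARG MEDUSA_REF=<pinned tag or commit>` and `git checkout "$MEDUSA_REF"` in place of the describe/sed pipeline, makes the image reproducible and lets the pin be reviewed like any other dependency bump. Note also that `export VAR="$(pipeline)"` returns the status of `export`, not of the pipeline, so the `pipefail` introduced at the top of this hunk cannot fail this line; PATCH 2/3 separates the assignment, but this commit on its own does not. The blank context line that closes the hunk appears to have been lost in the collapsed text.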
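Review bot: The `SHELL` directive added to the `echidna` stage protects no pipeline — the stage's only instruction is `RUN chmod 755 /usr/local/bin/echidna` — yet it makes that `RUN` depend on `/bin/bash` existing in `ghcr.io/crytic/echidna/echidna:latest`, a third-party image tracked by a floating tag, so a future base shipped without bash would break this stage instead of leaving it unaffected. Unless a piped command is planned here, drop the directive; if it stays, a comment such as `# bash is required by SHELL below; verify it exists when the base image changes` records the assumption. Whether the current base contains bash cannot be confirmed from the diff.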
@@ -25,6 +27,7 @@ RUN chmod 755 /usr/local/bin/echidna ### ETH Security Toolbox - base ### FROM ubuntu:jammy AS toolbox-base +SHELL ["/bin/bash", "-o", "pipefail", "-c"] # Add common tools RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ @@ -63,6 +66,7 @@ CMD ["/bin/bash"] ### ETH Security Toolbox - interactive variant ### FROM toolbox-base AS toolbox +SHELL ["/bin/bash", "-o", "pipefail", "-c"] # improve compatibility with amd64 solc in non-amd64 environments (e.g. Docker Desktop on M1 Mac) ENV QEMU_LD_PREFIX=/usr/x86_64-linux-gnu @@ -131,6 +135,7 @@ RUN echo '\ncat /etc/motd\n' >> ~/.bashrc ### * No BSC copy ### FROM toolbox-base AS toolbox-ci +SHELL ["/bin/bash", "-o", "pipefail", "-c"] ENV HOME="/root" ENV PATH="${PATH}:${HOME}/.crytic/bin:${HOME}/.vyper/bin:${HOME}/.foundry/bin" From 368d4f2bcd330532c035a848a03d6465c9e756e7 Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Sat, 6 Sep 2025 11:10:58 -0400 Subject: [PATCH 2/3] Fix additional shellcheck issues in Dockerfile MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Fix SC2155: Separate variable assignment from export to avoid masking command failures. Now if git describe fails, we can catch the error. - Fix SC2028: Replace echo with printf for consistent escape sequence handling across different systems. This ensures newlines are properly interpreted regardless of the shell implementation. These changes improve shell script reliability and portability within the Docker build process. 🤖 Generated with Claude Code https://claude.ai/code Co-Authored-By: Claude --- Dockerfile | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index ee86eff..df372ab 100644 --- a/Dockerfile +++ b/Dockerfile 
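Review bot: Switching `toolbox-base` to `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` changes the behaviour of the existing `echo '\n…' >> ~/.bashrc` lines in the derived stages (one is visible as the context of the `@@ -131,6 +135,7 @@` hunk: `RUN echo '\ncat /etc/motd\n' >> ~/.bashrc`). Under the default `/bin/sh -c` (dash on the `ubuntu:jammy` base) `echo` expands `\n`, whereas bash's builtin `echo` does not unless `-e` or `xpg_echo` is set, so after this commit those lines append a literal backslash-n to `.bashrc` and the motd/PATH setup in the resulting image stops working. PATCH 2/3 converts them to `printf`, but that fix belongs in this commit so every commit in the series builds a working image; the same concern applies to the `SHELL` lines added at `@@ -63,6` and `@@ -131,6`. Because Docker stores `SHELL` in the stage's image config, stages built `FROM toolbox-base` inherit it even without a directive of their own.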
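Review bot: The `SHELL` directive added to the `toolbox` stage at `@@ -63,6` (and likewise to `toolbox-ci` at `@@ -131,6`) is redundant: both stages start `FROM toolbox-base`, and Docker carries the `SHELL` setting in the stage's image config, so they already inherit the bash/pipefail shell that this same commit sets in `toolbox-base`. Keeping the copies means three values can drift apart over time; either delete them or mark each with a comment such as `# SHELL is inherited from toolbox-base; repeated only to satisfy hadolint DL4006` so the next reader knows which one is authoritative. If hadolint's per-stage check is the reason for the repetition, the commit message should say so.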
@@ -9,7 +9,8 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"] WORKDIR /src RUN git clone https://github.com/crytic/medusa.git WORKDIR /src/medusa -RUN export LATEST_TAG="$(git describe --tags | sed 's/-[0-9]\+-g\w\+$//')" && \ +RUN LATEST_TAG="$(git describe --tags | sed 's/-[0-9]\+-g\w\+$//')" && \ + export LATEST_TAG && \ git checkout "$LATEST_TAG" && \ go build -trimpath -o=/usr/local/bin/medusa -ldflags="-s -w" && \ chmod 755 /usr/local/bin/medusa @@ -91,7 +92,7 @@ ENV PATH="${PATH}:${HOME}/.local/bin:${HOME}/.vyper/bin:${HOME}/.foundry/bin" # Install vyper compiler RUN python3 -m venv ${HOME}/.vyper && \ ${HOME}/.vyper/bin/pip3 install --no-cache-dir vyper && \ - echo '\nexport PATH=${PATH}:${HOME}/.vyper/bin' >> ~/.bashrc + printf '\nexport PATH=${PATH}:${HOME}/.vyper/bin\n' >> ~/.bashrc # Install foundry RUN curl -fsSL https://raw.githubusercontent.com/foundry-rs/foundry/27cabbd6c905b1273a5ed3ba7c10acce90833d76/foundryup/install -o install && \ @@ -122,7 +123,7 @@ RUN git clone --depth 1 https://github.com/crytic/building-secure-contracts.git # Configure MOTD COPY --link --chown=root:root motd /etc/motd -RUN echo '\ncat /etc/motd\n' >> ~/.bashrc +RUN printf '\ncat /etc/motd\n' >> ~/.bashrc ### @@ -143,7 +144,7 @@ ENV PATH="${PATH}:${HOME}/.crytic/bin:${HOME}/.vyper/bin:${HOME}/.foundry/bin" # Install vyper compiler RUN python3 -m venv ${HOME}/.vyper && \ ${HOME}/.vyper/bin/pip3 install --no-cache-dir vyper && \ - echo '\nexport PATH=${PATH}:${HOME}/.vyper/bin' >> ~/.bashrc + printf '\nexport PATH=${PATH}:${HOME}/.vyper/bin\n' >> ~/.bashrc # Install foundry RUN curl -fsSL https://raw.githubusercontent.com/foundry-rs/foundry/27cabbd6c905b1273a5ed3ba7c10acce90833d76/foundryup/install -o install && \ @@ -160,4 +161,4 @@ RUN python3 -m venv ${HOME}/.crytic && \ solc-select \ crytic-compile \ slither-analyzer && \ - echo '\nexport PATH=${PATH}:${HOME}/.crytic/bin' >> ~/.bashrc + printf '\nexport PATH=${PATH}:${HOME}/.crytic/bin\n' >> ~/.bashrc 
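Review bot: In the rewritten medusa build step, `export LATEST_TAG && \` does nothing useful: the variable is read only by `git checkout "$LATEST_TAG"` in the same shell invocation and nothing launched afterwards needs it in its environment, so a plain assignment suffices. Dropping that line leaves `RUN LATEST_TAG="$(git describe --tags | sed 's/-[0-9]\+-g\w\+$//')" && \` followed directly by `git checkout "$LATEST_TAG" && \`, which keeps the SC2155 benefit (the pipeline's exit status now fails the step under pipefail) without the extra statement. A comment on the sed expression would also help, e.g. `# strip git-describe's -<n>-g<sha> suffix so the nearest tag is checked out, not a commit past it`.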
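Review bot: The new `printf '\nexport PATH=${PATH}:${HOME}/.vyper/bin\n' >> ~/.bashrc` passes the text as printf's format string; that works today because it contains no `%`, but a later edit that introduces one would be silently misinterpreted. The conventional form separates format from data, e.g. `printf '\n%s\n' 'export PATH=${PATH}:${HOME}/.vyper/bin' >> ~/.bashrc`; the same applies to the `printf` lines at `@@ -122,7`, `@@ -143,7` and `@@ -160,4`. The single quotes are deliberate — `${PATH}` and `${HOME}` must stay literal so they expand when `.bashrc` is sourced rather than at build time — so a short comment such as `# single-quoted on purpose: expanded by the login shell, not during the build` would stop someone "fixing" them.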
From 9df0e1ecc94ea901b77c77a23866cf6ab3973fc1 Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Sat, 6 Sep 2025 11:28:49 -0400 Subject: [PATCH 3/3] Add .dockerignore to reduce Docker build context MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Exclude unnecessary files from the Docker build context to improve build performance. This reduces the amount of data sent to the Docker daemon, speeding up builds. Excluded: - Git repository data (.git, .gitignore) - GitHub configuration (.github) - Documentation files (*.md, LICENSE, CODEOWNERS) - Build artifacts and temporary files 🤖 Generated with Claude Code https://claude.ai/code Co-Authored-By: Claude --- .dockerignore | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 .dockerignore diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 0000000..88110c8 --- /dev/null +++ b/.dockerignore @@ -0,0 +1,20 @@ +# Git files +.git +.gitignore + +# GitHub files +.github + +# Documentation +*.md +LICENSE +CODEOWNERS + +# Build artifacts +*.log +*.tmp +.DS_Store + +# Docker test builds +Dockerfile.* +docker-compose*.yml \ No newline at end of file
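Review bot: The new `.dockerignore` does not exclude local secret material such as `.env` files or private keys, which is the main security reason to have this file: any `COPY` of the repository root would otherwise place them in an image layer. Even if the Dockerfile currently copies only named files (the `motd` copy is the one visible in this series), adding `.env`, `.env.*` and `*.pem` under a `# Local secrets` heading makes the protection independent of future `COPY` changes. The `docker-compose*.yml` pattern misses the `.yaml` spelling, and the file ends without a trailing newline, which some tooling flags. The `*.md` exclusion is only safe if no build step copies documentation, which cannot be checked from this diff.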