🚨 update configuration of megalinter + apply some suggestions
davidB committed Jan 3, 2024
1 parent f61f25a commit fe2f8b5
Showing 7 changed files with 74 additions and 17 deletions.
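--- a/.github/workflows/mega-linter.yml
+++ b/.github/workflows/mega-linter.yml
@@ -98,7 +98,7 @@ jobs:
 
 # Upload MegaLinter artifacts
 - name: Archive production artifacts
-uses: actions/upload-artifact@v3
+uses: actions/upload-artifact@v4
 if: success() || failure()
 with:
 name: MegaLinter reports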
44 changes: 38 additions & 6 deletions .mega-linter.yml
@@ -1,21 +1,53 @@
# Configuration file for MegaLinter
# See all available variables at https://megalinter.github.io/configuration/ and in linters documentation

APPLY_FIXES: all # all, none, or list of linter keys
APPLY_FIXES: none # all, none, or list of linter keys
# ENABLE: # If you use ENABLE variable, all other languages/formats/tooling-formats will be disabled by default
# ENABLE_LINTERS: # If you use ENABLE_LINTERS variable, all other linters will be disabled by default
DISABLE:
- COPYPASTE # Comment to enable checks of excessive copy-pastes
- SPELL # Comment to enable checks of spelling mistakes
DISABLE_LINTERS:
- MARKDOWN_MARKDOWN_LINK_CHECK
- DOCKERFILE_DOCKERFILELINT
- RUST_CLIPPY
- REPOSITORY_DEVSKIM
- MARKDOWN_MARKDOWN_LINK_CHECK
- REPOSITORY_CHECKOV # unstable randomly failed (false negative) on generated k8s manifest
- REPOSITORY_DEVSKIM # issue with "git config --global --add safe.directory ..."
- REPOSITORY_GIT_DIFF
- REPOSITORY_GRYPE
- REPOSITORY_KICS
- REPOSITORY_SYFT
- REPOSITORY_TRUFFLEHOG # too long to search for secret
- RUST_CLIPPY # run via an other way, and current version doesn't support `--deny ... --allow ...`
- SQL_TSQLLINT # "You must install or update .NET to run this application."
SHOW_ELAPSED_TIME: true
FILEIO_REPORTER: false
# DISABLE_ERRORS: true # Uncomment if you want MegaLinter to detect errors but not block CI to pass
FILTER_REGEX_EXCLUDE: "(\\.lock)|(\\.ndjson)|(\\.pdf)|(\\.csv)|(\\.zip)|(\\.tar)|(\\.ipynb)|(license.*)|(LICENSE.*)"
FILTER_REGEX_EXCLUDE: "(megalinter-reports)|(cdevents-spec.*)|(.gitmodules)|(.sqlx)|(\\.lock)|(\\.ndjson)|(\\.pdf)|(\\.csv)|(\\.zip)|(\\.tar)|(\\.ipynb)|(license.*)|(LICENSE.*)"
SPELL_FILTER_REGEX_INCLUDE: '\\.md$'
RUST_CLIPPY_ARGUMENTS: --workspace --all-features --all-targets -- --deny warnings --allow deprecated --allow unknown-lints
PRINT_ALPACA: false
REPOSITORY_SECRETLINT_ARGUMENTS:
- --secretlintignore
- .gitignore
REPOSITORY_TRIVY_ARGUMENTS:
# - --scanners
# - misconfig,vuln,secret
- --skip-files
- "skaffold.yaml"
# - "charts/**/*.tgz"
- --skip-dirs
- "charts/**/charts"
RUST_CLIPPY_ARGUMENTS:
- --workspace
- --all-features
- --all-targets
# - --deny warnings
# - --allow deprecated
# - --allow unknown-lints
YAML_FILTER_REGEX_EXCLUDE: (.*/templates)

## Wait a fix for <https://github.com/oxsecurity/megalinter/issues/1993>
# REPOSITORY_DEVSKIM_ARGUMENTS:
# - --ignore-globs
# - sqlx-data.json

REPOSITORY_TRIVY_DISABLE_ERRORS: true # Too many false positive
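Review bot: With GRYPE, KICS and SYFT added to DISABLE_LINTERS and `REPOSITORY_TRIVY_DISABLE_ERRORS: true` added at the bottom, trivy is the only repository-level vulnerability/IaC scanner left and it can no longer fail the job, so those findings (and trivy's secret findings) become report-only; if that is intended, record it next to the setting rather than only "Too many false positive", and give REPOSITORY_GIT_DIFF, REPOSITORY_GRYPE, REPOSITORY_KICS and REPOSITORY_SYFT the same kind of reason comment the other entries carry, e.g. `- REPOSITORY_GRYPE # TODO(reason): why this is disabled`. The new FILTER_REGEX_EXCLUDE terms `(.gitmodules)` and `(.sqlx)` leave the dot unescaped, unlike `(\\.lock)` and the rest of the pattern, so `.sqlx` also matches any path containing e.g. `asqlx`; `(\\.gitmodules)|(\\.sqlx)` keeps the pattern consistent. Pointing `--secretlintignore` at `.gitignore` means every git-ignored path is also skipped by secretlint, which is reasonable for committed files but deserves a one-line comment so it is not mistaken for a secretlint-specific ignore list.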
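--- a/.trivyignore
+++ b/.trivyignore
@@ -0,0 +1 @@
+AVD-DS-0001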
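Review bot: The repo-wide ignore of AVD-DS-0001 duplicates the per-stage `# trivy:ignore:AVD-DS-0001` comments this commit also adds to the Dockerfile, and it suppresses the rule for every file trivy scans in the repository, not just those four FROM lines; keep one mechanism, preferably the inline comments, which stay next to the image they excuse. If the file is kept, `.trivyignore` accepts `#` comments, so state the reason once, e.g. `# AVD-DS-0001: <reason for ignoring this rule repo-wide>`, so the suppression can be audited later without re-deriving it. Judging from the neighbouring `checkov:skip=CKV_DOCKER_7` skips this looks like the unpinned-base-image check; pinning the images by digest would remove the need for the ignore altogether.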
4 changes: 4 additions & 0 deletions .yamllint.yml
Expand Up @@ -6,7 +6,11 @@
# # yamllint disable-line #
###########################################
extends: default

ignore: charts/**/templates/*.yaml

rules:
truthy: disable
document-start: disable
new-lines:
level: warning
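Review bot: `ignore: charts/**/templates/*.yaml` skips only `.yaml` files, while `.mega-linter.yml` in this commit excludes every templates path via `YAML_FILTER_REGEX_EXCLUDE: (.*/templates)`, so a `.yml` template would still be linted by a standalone yamllint run. yamllint's `ignore` takes several newline-separated patterns, so `ignore: |` followed by `charts/**/templates/*.yaml` and `charts/**/templates/*.yml` keeps the two tools in agreement. `document-start: disable` turns the `---` check off for every file; if only the Helm templates lack it, the ignore above already covers them and the rule can stay on.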
27 changes: 21 additions & 6 deletions Dockerfile
@@ -1,31 +1,46 @@
# hadolint global ignore=DL3006

#---------------------------------------------------------------------------------------------------
# see https://edu.chainguard.dev/chainguard/chainguard-images/reference/rust/image_specs/
# checkov:skip=CKV_DOCKER_7:Ensure the base image uses a non latest version tag
# trivy:ignore:AVD-DS-0001
FROM cgr.dev/chainguard/rust as build
ARG PROFILE=release
USER nonroot
WORKDIR /work
COPY . .
RUN cargo build "--$PROFILE"
HEALTHCHECK NONE

#---------------------------------------------------------------------------------------------------
# https://edu.chainguard.dev/chainguard/chainguard-images/reference/glibc-dynamic/image_specs/
# checkov:skip=CKV_DOCKER_7:Ensure the base image uses a non latest version tag
# trivy:ignore:AVD-DS-0001
FROM cgr.dev/chainguard/glibc-dynamic as cdviz-collector
ARG PROFILE=release
USER nonroot
COPY --from=build /work/target/${PROFILE}/cdviz-collector /usr/local/bin/cdviz-collector

ENV \
OTEL_EXPORTER_OTLP_TRACES_ENDPOINT="http://127.0.0.1:4317" \
OTEL_TRACES_SAMPLER="always_off"

HEALTHCHECK NONE
CMD ["cdviz-collector"]

#---------------------------------------------------------------------------------------------------
# checkov:skip=CKV_DOCKER_7:Ensure the base image uses a non latest version tag
# trivy:ignore:AVD-DS-0001
FROM cgr.dev/chainguard/rust as build-sqlx
USER nonroot
RUN cargo install sqlx-cli --no-default-features --features rustls,postgres
HEALTHCHECK NONE

#---------------------------------------------------------------------------------------------------
# checkov:skip=CKV_DOCKER_7:Ensure the base image uses a non latest version tag
# trivy:ignore:AVD-DS-0001
FROM cgr.dev/chainguard/glibc-dynamic AS cdviz-dbmigration
USER nonroot
COPY --from=build-sqlx /home/nonroot/.cargo/bin/sqlx /usr/local/bin/sqlx
COPY migrations /migrations
HEALTHCHECK NONE
ENTRYPOINT ["/usr/local/bin/sqlx"]

# # For now we use sqlx for DB migration, later we may switch to atlas.
# # checkov:skip=CKV_DOCKER_7:Ensure the base image uses a non latest version tag
# FROM arigaio/atlas:0.10.1 AS db-migration
# COPY migrations /migrations
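Review bot: The `# checkov:skip=CKV_DOCKER_7` / `# trivy:ignore:AVD-DS-0001` pairs above each `FROM cgr.dev/chainguard/...` line silence the unpinned-base-image findings instead of resolving them; pinning by digest, e.g. `FROM cgr.dev/chainguard/rust@sha256:<digest> AS build`, satisfies both checks, makes the build reproducible and lets the eight suppression comments go. If the suppressions stay, the stage keyword is mixed case (`as build`, `as cdviz-collector`, `as build-sqlx` versus `AS cdviz-dbmigration`); pick one. `COPY . .` in the build stage copies the whole build context into the image layer, so it is worth confirming that a `.dockerignore` (not visible here) excludes `.git`, `target/` and any local environment files.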
3 changes: 2 additions & 1 deletion charts/cdviz-collector/values.yaml
Expand Up @@ -91,7 +91,8 @@ dbMigration:
repository: ghcr.io/davidb/cdviz-dbmigration
pullPolicy: IfNotPresent
tag: ""
annotations: {}
annotations:
{}
# "helm.sh/hook": post-install,post-upgrade
# "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded

10 changes: 7 additions & 3 deletions justfile
Expand Up @@ -49,9 +49,8 @@ deny: _install_cargo-deny
cargo deny check advisories
cargo deny check bans licenses sources

# Lint all the code (via runing megalinter locally + `lint_rust`)
lint: lint_rust
docker run --pull always --rm -it -v "$PWD:/tmp/lint:rw" "megalinter/megalinter:v7"
# Lint all the code (megalinter + lint_rust)
lint: lint_rust megalinter

# Lint the rust code
lint_rust:
Expand All @@ -60,6 +59,11 @@ lint_rust:
# cargo sort --workspace --grouped --check
cargo clippy --workspace --all-features --all-targets -- --deny warnings --allow deprecated --allow unknown-lints

# Lint with megalinter (locally via docker)
megalinter:
# rm -rf megalinter-reports
docker run --rm --name megalinter -it --env "DEFAULT_WORKSPACE=/tmp/lint" -v "${DOCKER_HOST:-/var/run/docker.sock}:/var/run/docker.sock:rw" -v "$PWD:/tmp/lint:rw" "oxsecurity/megalinter:v7"

# Launch tests
test: _install_cargo-nextest
cargo nextest run
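Review bot: The new `megalinter` recipe bind-mounts the Docker socket read-write into the linter container (`-v "${DOCKER_HOST:-/var/run/docker.sock}:/var/run/docker.sock:rw"`), which hands the MegaLinter image and every linter it runs full control of the host daemon, i.e. root-equivalent access to the machine; if no enabled linter needs Docker, drop the mount, otherwise add a comment naming the linter that requires it so the exposure is deliberate (a `:ro` mount does not restrict socket access, so it is not a mitigation). `DOCKER_HOST` is normally a URL (`unix:///var/run/docker.sock`, `tcp://...`) rather than a path, so the fallback expression only produces a valid volume spec when the variable is unset or holds a bare socket path; a plain `-v /var/run/docker.sock:/var/run/docker.sock` with a comment is less surprising. The old `lint` recipe passed `--pull always`; without it the floating `oxsecurity/megalinter:v7` tag resolves to whatever was last pulled locally, so local and CI lint results can drift.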
