From fe2f8b5da954d15a7a6962d89e32999e21eda747 Mon Sep 17 00:00:00 2001 From: David Bernard Date: Wed, 3 Jan 2024 19:49:45 +0100 Subject: [PATCH] =?UTF-8?q?=F0=9F=9A=A8=20update=20configuration=20of=20me?= =?UTF-8?q?galinter=20+=20apply=20some=20suggestions?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/mega-linter.yml | 2 +- .mega-linter.yml | 44 ++++++++++++++++++++++++++---- .trivyignore | 1 + .yamllint.yml | 4 +++ Dockerfile | 27 ++++++++++++++---- charts/cdviz-collector/values.yaml | 3 +- justfile | 10 +++++-- 7 files changed, 74 insertions(+), 17 deletions(-) create mode 100644 .trivyignore diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml index be2882a..190c18b 100644 --- a/.github/workflows/mega-linter.yml +++ b/.github/workflows/mega-linter.yml @@ -98,7 +98,7 @@ jobs: # Upload MegaLinter artifacts - name: Archive production artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 if: success() || failure() with: name: MegaLinter reports diff --git a/.mega-linter.yml b/.mega-linter.yml index ae35588..89603e5 100644 --- a/.mega-linter.yml +++ b/.mega-linter.yml @@ -1,21 +1,53 @@ # Configuration file for MegaLinter # See all available variables at https://megalinter.github.io/configuration/ and in linters documentation -APPLY_FIXES: all # all, none, or list of linter keys +APPLY_FIXES: none # all, none, or list of linter keys # ENABLE: # If you use ENABLE variable, all other languages/formats/tooling-formats will be disabled by default # ENABLE_LINTERS: # If you use ENABLE_LINTERS variable, all other linters will be disabled by default DISABLE: - COPYPASTE # Comment to enable checks of excessive copy-pastes - SPELL # Comment to enable checks of spelling mistakes DISABLE_LINTERS: - - MARKDOWN_MARKDOWN_LINK_CHECK - DOCKERFILE_DOCKERFILELINT - - RUST_CLIPPY - - REPOSITORY_DEVSKIM + - MARKDOWN_MARKDOWN_LINK_CHECK + - REPOSITORY_CHECKOV # unstable randomly failed (false negative) on generated k8s manifest + - REPOSITORY_DEVSKIM # issue with "git config --global --add safe.directory ..." + - REPOSITORY_GIT_DIFF + - REPOSITORY_GRYPE - REPOSITORY_KICS + - REPOSITORY_SYFT + - REPOSITORY_TRUFFLEHOG # too long to search for secret + - RUST_CLIPPY # run via an other way, and current version doesn't support `--deny ... --allow ...` + - SQL_TSQLLINT # "You must install or update .NET to run this application." SHOW_ELAPSED_TIME: true FILEIO_REPORTER: false # DISABLE_ERRORS: true # Uncomment if you want MegaLinter to detect errors but not block CI to pass -FILTER_REGEX_EXCLUDE: "(\\.lock)|(\\.ndjson)|(\\.pdf)|(\\.csv)|(\\.zip)|(\\.tar)|(\\.ipynb)|(license.*)|(LICENSE.*)" +FILTER_REGEX_EXCLUDE: "(megalinter-reports)|(cdevents-spec.*)|(.gitmodules)|(.sqlx)|(\\.lock)|(\\.ndjson)|(\\.pdf)|(\\.csv)|(\\.zip)|(\\.tar)|(\\.ipynb)|(license.*)|(LICENSE.*)" SPELL_FILTER_REGEX_INCLUDE: '\\.md$' -RUST_CLIPPY_ARGUMENTS: --workspace --all-features --all-targets -- --deny warnings --allow deprecated --allow unknown-lints +PRINT_ALPACA: false +REPOSITORY_SECRETLINT_ARGUMENTS: + - --secretlintignore + - .gitignore +REPOSITORY_TRIVY_ARGUMENTS: + # - --scanners + # - misconfig,vuln,secret + - --skip-files + - "skaffold.yaml" + # - "charts/**/*.tgz" + - --skip-dirs + - "charts/**/charts" +RUST_CLIPPY_ARGUMENTS: + - --workspace + - --all-features + - --all-targets + # - --deny warnings + # - --allow deprecated + # - --allow unknown-lints +YAML_FILTER_REGEX_EXCLUDE: (.*/templates) + +## Wait a fix for +# REPOSITORY_DEVSKIM_ARGUMENTS: +# - --ignore-globs +# - sqlx-data.json + +REPOSITORY_TRIVY_DISABLE_ERRORS: true # Too many false positive diff --git a/.trivyignore b/.trivyignore new file mode 100644 index 0000000..abac7a8 --- /dev/null +++ b/.trivyignore @@ -0,0 +1 @@ +AVD-DS-0001 diff --git a/.yamllint.yml b/.yamllint.yml index e189906..c0df1cd 100644 --- a/.yamllint.yml +++ b/.yamllint.yml @@ -6,7 +6,11 @@ # # yamllint disable-line # ########################################### extends: default + +ignore: charts/**/templates/*.yaml + rules: + truthy: disable document-start: disable new-lines: level: warning diff --git a/Dockerfile b/Dockerfile index ed18418..b0b82a7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,31 +1,46 @@ +# hadolint global ignore=DL3006 + +#--------------------------------------------------------------------------------------------------- # see https://edu.chainguard.dev/chainguard/chainguard-images/reference/rust/image_specs/ +# checkov:skip=CKV_DOCKER_7:Ensure the base image uses a non latest version tag +# trivy:ignore:AVD-DS-0001 FROM cgr.dev/chainguard/rust as build ARG PROFILE=release +USER nonroot +WORKDIR /work COPY . . RUN cargo build "--$PROFILE" +HEALTHCHECK NONE +#--------------------------------------------------------------------------------------------------- # https://edu.chainguard.dev/chainguard/chainguard-images/reference/glibc-dynamic/image_specs/ # checkov:skip=CKV_DOCKER_7:Ensure the base image uses a non latest version tag +# trivy:ignore:AVD-DS-0001 FROM cgr.dev/chainguard/glibc-dynamic as cdviz-collector ARG PROFILE=release +USER nonroot COPY --from=build /work/target/${PROFILE}/cdviz-collector /usr/local/bin/cdviz-collector ENV \ OTEL_EXPORTER_OTLP_TRACES_ENDPOINT="http://127.0.0.1:4317" \ OTEL_TRACES_SAMPLER="always_off" - +HEALTHCHECK NONE CMD ["cdviz-collector"] +#--------------------------------------------------------------------------------------------------- +# checkov:skip=CKV_DOCKER_7:Ensure the base image uses a non latest version tag +# trivy:ignore:AVD-DS-0001 FROM cgr.dev/chainguard/rust as build-sqlx +USER nonroot RUN cargo install sqlx-cli --no-default-features --features rustls,postgres +HEALTHCHECK NONE +#--------------------------------------------------------------------------------------------------- # checkov:skip=CKV_DOCKER_7:Ensure the base image uses a non latest version tag +# trivy:ignore:AVD-DS-0001 FROM cgr.dev/chainguard/glibc-dynamic AS cdviz-dbmigration +USER nonroot COPY --from=build-sqlx /home/nonroot/.cargo/bin/sqlx /usr/local/bin/sqlx COPY migrations /migrations +HEALTHCHECK NONE ENTRYPOINT ["/usr/local/bin/sqlx"] - -# # For now we use sqlx for DB migration, later we may switch to atlas. -# # checkov:skip=CKV_DOCKER_7:Ensure the base image uses a non latest version tag -# FROM arigaio/atlas:0.10.1 AS db-migration -# COPY migrations /migrations diff --git a/charts/cdviz-collector/values.yaml b/charts/cdviz-collector/values.yaml index 1c06d43..289f553 100644 --- a/charts/cdviz-collector/values.yaml +++ b/charts/cdviz-collector/values.yaml @@ -91,7 +91,8 @@ dbMigration: repository: ghcr.io/davidb/cdviz-dbmigration pullPolicy: IfNotPresent tag: "" - annotations: {} + annotations: + {} # "helm.sh/hook": post-install,post-upgrade # "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded diff --git a/justfile b/justfile index 7b84e2c..86035fe 100644 --- a/justfile +++ b/justfile @@ -49,9 +49,8 @@ deny: _install_cargo-deny cargo deny check advisories cargo deny check bans licenses sources -# Lint all the code (via runing megalinter locally + `lint_rust`) -lint: lint_rust - docker run --pull always --rm -it -v "$PWD:/tmp/lint:rw" "megalinter/megalinter:v7" +# Lint all the code (megalinter + lint_rust) +lint: lint_rust megalinter # Lint the rust code lint_rust: @@ -60,6 +59,11 @@ lint_rust: # cargo sort --workspace --grouped --check cargo clippy --workspace --all-features --all-targets -- --deny warnings --allow deprecated --allow unknown-lints +# Lint with megalinter (locally via docker) +megalinter: + # rm -rf megalinter-reports + docker run --rm --name megalinter -it --env "DEFAULT_WORKSPACE=/tmp/lint" -v "${DOCKER_HOST:-/var/run/docker.sock}:/var/run/docker.sock:rw" -v "$PWD:/tmp/lint:rw" "oxsecurity/megalinter:v7" + # Launch tests test: _install_cargo-nextest cargo nextest run