Merge pull request #62 from padok-team/feat/docker

feat(docker): allow install with Docker
padok-team · Nov 8, 2024 · d2fa491 · d2fa491
2 parents 5dbddf8 + 7d9b98e
commit d2fa491
Show file tree

Hide file tree

Showing 6 changed files with 170 additions and 18 deletions.
diff --git a/.github/workflows/build-and-push.yaml b/.github/workflows/build-and-push.yaml
@@ -0,0 +1,61 @@
+name: Build and Push
+
+on:
+  workflow_call:
+
+env:
+  GO_VERSION: 1.23
+
+jobs:
+  build-and-push:
+    name: Build and Push
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Get ldflags env values
+        run: |
+          echo "VERSION=$( echo ${{ github.head_ref || github.ref_name }} | tr '/' '-' )" >> $GITHUB_ENV
+          echo "BUILD_TIMESTAMP=$(date +'%s')" >> $GITHUB_ENV
+
+      - name: Get Docker metadata
+        id: meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5
+        with:
+          images: ghcr.io/${{ github.repository }}
+          tags: |
+            type=ref,event=tag
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=sha,format=long,prefix=
+
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3
+
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Login to GHCR
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6
+        with:
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            VERSION=${{ env.VERSION }}
+            BUILD_TIMESTAMP=${{ env.BUILD_TIMESTAMP }}
+            COMMIT_HASH=${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
diff --git a/.github/workflows/ci.yml → .github/workflows/ci.yaml b/.github/workflows/ci.yml → .github/workflows/ci.yaml
@@ -82,20 +82,4 @@ jobs:
   build:
     name: Build
 
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-
-      - name: Setup Golang
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5
-        with:
-          go-version: "${{ env.GO_VERSION }}"
-
-      - name: Get ldflags env values
-        run: |
-          echo "VERSION=ci-$( echo ${{ github.head_ref || github.ref_name }} | tr '/' '-' )" >> $GITHUB_ENV
-
-      - name: Build binary
-        run: make build
+    uses: ./.github/workflows/build-and-push.yaml
diff --git a/.github/workflows/release.yml → .github/workflows/release.yaml b/.github/workflows/release.yml → .github/workflows/release.yaml
@@ -42,3 +42,8 @@ jobs:
         with:
           version: "~> 2"
           args: release --clean
+
+  build-and-push:
+    name: Build and Push
+
+    uses: ./.github/workflows/build-and-push.yaml
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,88 @@
+# Build git-secret-scanner binary
+FROM docker.io/library/golang:1.23.3@sha256:d56c3e08fe5b27729ee3834854ae8f7015af48fd651cd25d1e3bcf3c19830174 AS builder
+
+ARG TARGETOS
+ARG TARGETARCH
+ARG PACKAGE=github.com/padok-team/git-secret-scanner
+ARG VERSION
+ARG COMMIT_HASH
+ARG BUILD_TIMESTAMP
+
+WORKDIR /workspace
+
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+
+# Cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download
+
+# Copy the go source
+COPY cmd/ cmd/
+COPY internal/ internal/
+COPY main.go main.go
+
+# Build
+# the GOARCH has not a default value to allow the binary be built according to the host where the command
+# was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
+# the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
+# by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a \
+    -ldflags="\
+    -X ${PACKAGE}/internal/version.Version=${VERSION} \
+    -X ${PACKAGE}/internal/version.CommitHash=${COMMIT_HASH} \
+    -X ${PACKAGE}/internal/version.BuildTimestamp=${BUILD_TIMESTAMP}" \
+    -o bin/git-secret-scanner main.go
+
+# ---
+
+# Retrieve gitleaks binary
+FROM ghcr.io/gitleaks/gitleaks:v8.21.2@sha256:0e99e8821643ea5b235718642b93bb32486af9c8162c8b8731f7cbdc951a7f46 AS gitleaks
+
+# ---
+
+# Retrieve trufflehog binary
+FROM docker.io/trufflesecurity/trufflehog:v3.82.13@sha256:9abf17c8902d58c05d82f910cf5dec05d100912482e8002d88918511fb44b6f6 AS trufflehog
+
+# ---
+
+# Build the final image
+FROM docker.io/library/alpine:3.20.3@sha256:beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d
+
+WORKDIR /home/git-secret-scanner
+
+ENV UID=65532
+ENV GID=65532
+ENV USER=git-secret-scanner
+ENV GROUP=git-secret-scanner
+
+# Install required packages
+RUN apk update --no-cache
+RUN apk add --no-cache \
+    bash \
+    git \
+    binutils
+
+# Create a non-root user to run the app
+RUN addgroup -g $GID $GROUP
+RUN adduser \
+    --disabled-password \
+    --no-create-home \
+    --home $(pwd) \
+    --uid $UID \
+    --ingroup $GROUP \
+    $USER
+
+# Copy the scanners to the production image from the scanners stage
+COPY --from=gitleaks --chmod=511 /usr/bin/gitleaks /usr/local/bin/gitleaks
+COPY --from=trufflehog --chmod=511 /usr/bin/trufflehog /usr/local/bin/trufflehog
+
+# Copy the binary to the production image from the builder stage
+COPY --from=builder --chmod=511 /workspace/bin/git-secret-scanner /usr/local/bin/git-secret-scanner
+
+# Use an unprivileged user
+USER 65532:65532
+
+# Run git-secret-scanner on container startup
+ENTRYPOINT ["/usr/local/bin/git-secret-scanner"]
diff --git a/README.md b/README.md
@@ -43,6 +43,14 @@ brew tap padok-team/tap
 brew install git-secret-scanner
 ```
 
+### With Docker
+
+`git-secret-scanner` is prepackaged in a Docker image with all required dependencies.
+
+```shell
+docker run --rm -it -v "$(pwd):/home/git-secret-scanner" ghcr.io/padok-team/git-secret-scanner github -o "<org>"
+```
+
 ### With binary
 
 Download the binary for your platform and OS on the [realeases page](https://github.com/zricethezav/gitleaks/releases).
@@ -70,7 +78,7 @@ To get detailed usage information about how to use this tool, run
 git-secret-scanner --help
 ```
 
-### Simple
+### Basics
 
 Add a personal access token ([GitHub](https://docs.github.com/en/enterprise-server@3.4/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) / [Gitlab](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html)) for your git SaaS in your environment variables.
 

diff --git a/renovate.json b/renovate.json
@@ -10,6 +10,12 @@
         "/gomod/"
       ]
     },
+    {
+      "groupName": "docker",
+      "matchPackageNames": [
+        "/docker/"
+      ]
+    },
     {
       "groupName": "github",
       "matchPackageNames": [