Commit b63790a

committed
Add dockerfile and actions security linting
1 parent 2433674 commit b63790a

3 files changed

+24
-8
lines changed


.github/workflows/test.yaml

Lines changed: 19 additions & 7 deletions
@@ -97,6 +97,14 @@ jobs:
9797
./actionlint
9898
./actionlint example_workflows/*.yaml
9999
100+
- name: Install the latest version of uv
101+
uses: astral-sh/setup-uv@f94ec6bedd8674c4426838e6b50417d36b6ab231 # v5
102+
- name: Actions Security Check
103+
env:
104+
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
105+
run: |
106+
uvx zizmor --format plain .
107+
100108
- name: Lint CHANGELOG
101109
uses: DavidAnson/markdownlint-cli2-action@05f32210e84442804257b2a6f20b273450ec8265 # v19
102110
with:
@@ -111,15 +119,19 @@ jobs:
111119
docs/*.md
112120
**/README.md
113121
114-
ensure-pinned-actions:
115-
runs-on: ubuntu-24.04
116-
steps:
117-
- name: Checkout code
118-
uses: actions/checkout@v4
119-
120-
- name: Ensure SHA pinned actions
122+
- name: ensure-sha-pinned-actions
121123
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@25ed13d0628a1601b4b44048e63cc4328ed03633 # v3
122124
with:
123125
allowlist: |
124126
actions/
125127
dflook/
128+
129+
- name: Lint Dockerfile
130+
uses: hadolint/hadolint-action@v3.1.0
131+
with:
132+
dockerfile: ./image/Dockerfile
133+
134+
- name: Lint Dockerfile
135+
uses: hadolint/hadolint-action@v3.1.0
136+
with:
137+
dockerfile: ./image/Dockerfile-base
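Review bot: Both new `hadolint/hadolint-action@v3.1.0` steps are pinned to a mutable tag while every other `uses:` in this hunk is pinned to a full commit SHA, and `hadolint/` is not in the `ensure-sha-pinned-actions` allowlist, so that step (now in the same job) will presumably fail on this very workflow, and zizmor's unpinned-uses audit is likely to flag it too. Pin them the way the other steps are: `uses: hadolint/hadolint-action@<full-commit-sha> # v3.1.0`. The same applies to the new zizmor step: `uvx zizmor` resolves whatever is newest on PyPI at run time, so pin it, `uvx zizmor==<version> --format plain .`, to keep the linter itself out of the supply-chain surface. Finally, the two steps share the name `Lint Dockerfile`; naming the second `Lint Dockerfile-base` makes a failure easier to locate in the log.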

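--- a/image/Dockerfile
+++ b/image/Dockerfile
@@ -1,3 +1,4 @@
+# hadolint ignore=DL3007
 FROM danielflook/terraform-github-actions-base:latest
 
 ARG TARGETARCH
@@ -8,7 +9,7 @@ ARG VERSION=99.0.0
 COPY src/ /tmp/src/
 COPY setup.py /tmp
 RUN sed -i "s|version='.*'|version=\'${VERSION}\'|" /tmp/setup.py \
-&& pip install /tmp \
+&& pip install --no-cache-dir /tmp \
 && rm -rf /tmp/src /tmp/setup.py
 
 RUN if [ "$FETCH_CHECKSUMS" = "yes" ]; then \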
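Review bot: The `# hadolint ignore=DL3007` added on line 1 silences the `:latest` warning rather than addressing it, so the build still picks up whatever the registry publishes under that tag at build time and cannot be reproduced or audited after the fact. If the base is the image built from `image/Dockerfile-base` in this repo (the name suggests so) then tracking `:latest` may be deliberate for the release flow, but the suppression should say why, on its own comment line above the ignore: `# Base image is built from image/Dockerfile-base in this repo and published as :latest; pin by digest if reproducible rebuilds are needed.` Otherwise pin by digest, `FROM danielflook/terraform-github-actions-base:latest@sha256:<digest>`, and drop the ignore.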

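--- a/image/Dockerfile-base
+++ b/image/Dockerfile-base
@@ -1,5 +1,6 @@
 FROM golang:1.12.6 AS tfmask
 
+# hadolint ignore=DL3003
 RUN git clone https://github.com/cloudposse/tfmask.git \
 && cd tfmask \
 && git checkout 9a15f421210397f2c321a57b5ed3d108a012a86d \
@@ -14,6 +15,8 @@ ENV TF_IN_AUTOMATION=true
 ENV TF_INPUT=false
 ENV TF_PLUGIN_CACHE_DIR=/usr/local/share/terraform/plugin-cache
 
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+# hadolint ignore=DL3008
 RUN <<EOF
 apt-get update
 apt-get install --no-install-recommends -y \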
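Review bot: The new `SHELL` line only adds pipefail; a heredoc `RUN` is not `&&`-chained, so a failing `apt-get update` does not stop the `apt-get install` that follows unless the script itself aborts on error, and `bash -c` does not do that without an explicit `set -e`. Unless a `set -e` appears further down the heredoc, which runs past the end of this hunk, the first script line should be `set -euo pipefail`, which also keeps the pipefail local to that step. Note too that `SHELL` is recorded in the image config and inherited by images built `FROM` this one (presumably `image/Dockerfile`), so every downstream `RUN` now executes under bash with pipefail; that is probably fine but deserves a comment such as `# SHELL persists into derived images: every later RUN, here and in image/Dockerfile, runs under bash -o pipefail`.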
