49 lines
1.8 KiB
Docker
49 lines
1.8 KiB
Docker
# dockerfiles/Dockerfile.quality-tools
|
|
FROM debian:bookworm-slim
|
|
|
|
ARG SONAR_SCANNER_VERSION=8.0.1.6346
|
|
ARG TRIVY_VERSION=0.70.0
|
|
ENV TRIVY_CACHE_DIR=/opt/trivy-cache
|
|
|
|
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
|
|
|
|
RUN apt-get update \
|
|
&& apt-get install -y --no-install-recommends \
|
|
bash \
|
|
ca-certificates \
|
|
curl \
|
|
git \
|
|
jq \
|
|
unzip \
|
|
&& rm -rf /var/lib/apt/lists/* \
|
|
&& groupadd --system quality-tools \
|
|
&& useradd --system --uid 65532 --gid quality-tools --home-dir /nonexistent --shell /usr/sbin/nologin quality-tools
|
|
|
|
RUN set -eux; \
|
|
scanner_zip="sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux-aarch64.zip"; \
|
|
base_url="https://binaries.sonarsource.com/Distribution/sonar-scanner-cli"; \
|
|
curl -fsSL "${base_url}/${scanner_zip}" -o "/tmp/${scanner_zip}"; \
|
|
curl -fsSL "${base_url}/${scanner_zip}.sha256" -o "/tmp/${scanner_zip}.sha256"; \
|
|
printf '%s %s\n' "$(cat "/tmp/${scanner_zip}.sha256")" "/tmp/${scanner_zip}" | sha256sum -c -; \
|
|
unzip -q "/tmp/${scanner_zip}" -d /opt; \
|
|
ln -s "/opt/sonar-scanner-${SONAR_SCANNER_VERSION}-linux-aarch64/bin/sonar-scanner" /usr/local/bin/sonar-scanner; \
|
|
rm -f "/tmp/${scanner_zip}" "/tmp/${scanner_zip}.sha256"
|
|
|
|
RUN set -eux; \
|
|
trivy_tgz="trivy_${TRIVY_VERSION}_Linux-ARM64.tar.gz"; \
|
|
curl -fsSL "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/${trivy_tgz}" -o "/tmp/${trivy_tgz}"; \
|
|
tar -C /usr/local/bin -xzf "/tmp/${trivy_tgz}" trivy; \
|
|
rm -f "/tmp/${trivy_tgz}"; \
|
|
trivy --version; \
|
|
sonar-scanner -v
|
|
|
|
RUN set -eux; \
|
|
mkdir -p "${TRIVY_CACHE_DIR}"; \
|
|
trivy image --download-db-only --cache-dir "${TRIVY_CACHE_DIR}"; \
|
|
chmod -R a+rX "${TRIVY_CACHE_DIR}"; \
|
|
mkdir -p /workspace; \
|
|
chown quality-tools:quality-tools /workspace
|
|
|
|
WORKDIR /workspace
|
|
USER quality-tools
|