chore: Add hadolint check for Dockerfiles #322

Merged (5 commits), Jan 11, 2022
4 changes: 2 additions & 2 deletions .github/CONTRIBUTING.md
@@ -72,8 +72,8 @@ sudo apt install -y datamash
### Run via Docker

```bash
# Build `pre-commit` image
docker build -t pre-commit --build-arg INSTALL_ALL=true .
# Build `pre-commit-terraform` image
docker build -t pre-commit-terraform --build-arg INSTALL_ALL=true .
# Build test image
docker build -t pre-commit-tests tests/
# Run
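Review bot: the rename of the build tag to `pre-commit-terraform` has to stay in lockstep with `FROM pre-commit-terraform:latest` in tests/Dockerfile, and the two builds are order-dependent: `docker build -t pre-commit-terraform .` implicitly tags `:latest`, and `docker build -t pre-commit-tests tests/` only resolves that base image if the first build already ran on the same daemon. A one-line note here that the test image is built on top of the locally built main image (not a published one) would save a reader who runs only the test step from a confusing pull error.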
17 changes: 15 additions & 2 deletions .github/workflows/pre-commit.yaml
@@ -25,19 +25,32 @@ jobs:
- name: Install shellcheck
run: |
sudo apt update && sudo apt install shellcheck

- name: Install hadolint
run: |
curl -L "$(curl -s https://api.github.com/repos/hadolint/hadolint/releases/latest | grep -o -E -m 1 "https://.+?/hadolint-Linux-x86_64")" > hadolint \
&& chmod +x hadolint && sudo mv hadolint /usr/bin/
# Need to success pre-commit fix push
- uses: actions/checkout@v2
with:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.sha }}

# Skip terraform_tflint which interferes to commit pre-commit auto-fixes
- uses: actions/setup-python@v2
with:
python-version: '3.9'
- name: Execute pre-commit
uses: pre-commit/[email protected]
env:
SKIP: no-commit-to-branch
SKIP: no-commit-to-branch,hadolint
with:
token: ${{ secrets.GITHUB_TOKEN }}
extra_args: --color=always --show-diff-on-failure --files ${{ steps.file_changes.outputs.files }}
# Run only skipped checks
- name: Execute pre-commit check that have no auto-fixes
if: always()
uses: pre-commit/[email protected]
env:
SKIP: check-added-large-files,check-merge-conflict,check-vcs-permalinks,forbid-new-submodules,no-commit-to-branch,end-of-file-fixer,trailing-whitespace,check-yaml,check-merge-conflict,check-executables-have-shebangs,check-case-conflict,mixed-line-ending,detect-aws-credentials,detect-private-key,shfmt,shellcheck
with:
extra_args: --color=always --show-diff-on-failure --files ${{ steps.file_changes.outputs.files }}
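Review bot: the "Install hadolint" step downloads whatever the GitHub API currently reports as the latest release, with no version pin and no checksum verification, so the linter that gates this repository changes silently whenever upstream publishes, and a compromised release would be executed on the runner unchallenged. The hook in .pre-commit-config.yaml pins `rev: v2.8.0`, so CI and local runs can already disagree on rule behaviour; pin the same tag in the download URL and compare the binary against a SHA-256 recorded in the workflow before `chmod +x`. Two robustness points in the same line: the unauthenticated `api.github.com` call is rate-limited per source IP, and because the inner `curl -s` hides HTTP errors, a rate-limit response makes `grep` print nothing, the outer `curl -L ""` fail, and the job die with an unrelated message (`curl -fsSL` on both calls at least makes the failure honest). Finally, `check-merge-conflict` is listed twice in the SKIP line of the second pre-commit run.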
17 changes: 16 additions & 1 deletion .pre-commit-config.yaml
@@ -1,6 +1,6 @@
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.0.1
rev: v4.1.0
hooks:
# Git style
- id: check-added-large-files
@@ -34,3 +34,18 @@ repos:
- id: shfmt
args: ['-l', '-i', '2', '-ci', '-sr', '-w']
- id: shellcheck

# Dockerfile linter
- repo: https://github.com/hadolint/hadolint
rev: v2.8.0
hooks:
- id: hadolint
args: [
'--ignore', 'DL3027', # Do not use apt
'--ignore', 'DL3007', # Using latest
'--ignore', 'DL4006', # Not related to alpine
'--ignore', 'SC1091', # Useless check
'--ignore', 'SC2015', # Useless check
'--ignore', 'SC3037', # Not related to alpine
'--ignore', 'DL3013', # Pin versions in pip
]
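Review bot: the `--ignore` comments mostly restate the rule title (`# Do not use apt`, `# Using latest`, `# Pin versions in pip`) or give no reason at all (`# Useless check`), so a later reader cannot tell which Dockerfile triggered each exemption or whether it still applies; each comment should say why the rule is waived (for example that `DL3027` and `DL3007` come from the `apt` calls and the `FROM pre-commit-terraform:latest` base in tests/Dockerfile, and that `SC1091` is the `. /.env` source in the main Dockerfile). Ignoring `DL3013` repo-wide also sits oddly next to a PR whose main Dockerfile changes are all about pinning apk packages; the pip installs are driven by `CHECKOV_VERSION` and `PRE_COMMIT_VERSION` build args, so the justification is "versions come from build args", and that is worth writing down rather than leaving the pin rule off for pip alone.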
20 changes: 10 additions & 10 deletions Dockerfile
@@ -1,14 +1,14 @@
ARG TAG=3.9.7-alpine3.14
ARG TAG=3.10.1-alpine3.15
FROM python:${TAG} as builder

WORKDIR /bin_dir

RUN apk add --no-cache \
# Builder deps
curl \
unzip && \
curl=~7 \
unzip=~6 && \
# Upgrade pip for be able get latest Checkov
python3 -m pip install --upgrade pip
python3 -m pip install --no-cache-dir --upgrade pip

ARG PRE_COMMIT_VERSION=${PRE_COMMIT_VERSION:-latest}
ARG TERRAFORM_VERSION=${TERRAFORM_VERSION:-latest}
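Review bot: the new `curl=~7` and `unzip=~6` pins (and the `gcc=~10`, `git=~2`, `bash=~5`, `perl=~5`, `jq=~1` pins in the later hunks) are only guaranteed to resolve against the package index of the `alpine3.15` image that the default `TAG` selects, yet `TAG` stays an overridable build arg; a `--build-arg TAG=` pointing at another Alpine release will now fail at `apk add` on whichever pin no longer matches. Either state that coupling beside `ARG TAG` (and in CONTRIBUTING.md) or stop advertising the override. Also worth saying in the commit or a comment: `=~7` matches any 7.x, so it satisfies hadolint's DL3018 without making the build reproducible; a full `name=x.y.z-rN` pin is what the rule is really after, if the maintainers are willing to bump it with each base-image change.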
@@ -57,7 +57,7 @@ RUN if [ "$INSTALL_ALL" != "false" ]; then \
RUN . /.env && \
if [ "$CHECKOV_VERSION" != "false" ]; then \
( \
apk add --no-cache gcc libffi-dev musl-dev; \
apk add --no-cache gcc=~10 libffi-dev=~3 musl-dev=~1; \
[ "$CHECKOV_VERSION" = "latest" ] && pip3 install --no-cache-dir checkov \
|| pip3 install --no-cache-dir checkov==${CHECKOV_VERSION}; \
apk del gcc libffi-dev musl-dev \
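Review bot: the `[ "$CHECKOV_VERSION" = "latest" ] && pip3 install ... || pip3 install ... checkov==${CHECKOV_VERSION}` chain is exactly the pattern SC2015 warns about: when the version is `latest` and the first `pip3 install` fails, control falls through to the `||` branch and runs `pip3 install checkov==latest`, which fails again with a misleading error. An `if ...; then ...; else ...; fi` here removes the ambiguity and would also let the global `SC2015` ignore in .pre-commit-config.yaml (commented as "Useless check") be dropped.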
@@ -146,9 +146,9 @@ FROM python:${TAG}

RUN apk add --no-cache \
# pre-commit deps
git \
git=~2 \
# All hooks deps
bash
bash=~5

# Copy tools
COPY --from=builder \
@@ -159,16 +159,16 @@ COPY --from=builder \
/usr/local/bin/checkov* \
/usr/bin/
# Copy pre-commit packages
COPY --from=builder /usr/local/lib/python3.9/site-packages/ /usr/local/lib/python3.9/site-packages/
COPY --from=builder /usr/local/lib/python3.10/site-packages/ /usr/local/lib/python3.10/site-packages/
# Copy terrascan policies
COPY --from=builder /root/ /root/

# Install hooks extra deps
RUN if [ "$(grep -o '^terraform-docs SKIPPED$' /usr/bin/tools_versions_info)" = "" ]; then \
apk add --no-cache perl \
apk add --no-cache perl=~5 \
; fi && \
if [ "$(grep -o '^infracost SKIPPED$' /usr/bin/tools_versions_info)" = "" ]; then \
apk add --no-cache jq \
apk add --no-cache jq=~1 \
; fi

ENV PRE_COMMIT_COLOR=${PRE_COMMIT_COLOR:-always}
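Review bot: `COPY --from=builder /usr/local/lib/python3.10/site-packages/ ...` hard-codes the interpreter minor version that `TAG` defaults to, so the two must always be bumped together (as this PR does) and any `--build-arg TAG=` override with a different Python minor now fails the build at this `COPY` because the source path does not exist in the builder stage. Since `COPY` does expand build args declared in the stage, deriving both the tag and this path from one `PYTHON_VERSION` arg would remove the manual coupling; alternatively the builder stage can copy its site-packages to a fixed, version-free path that the final stage copies from.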
4 changes: 2 additions & 2 deletions hooks/infracost_breakdown.sh
@@ -73,8 +73,8 @@ function infracost_breakdown_ {
}; then
check="${check:1:-1}"
fi
# shellcheck disable=SC2207 # Can't find working `read` command
operations=($(echo "$check" | grep -oE '[!<>=]{1,2}'))

mapfile -t operations < <(echo "$check" | grep -oE '[!<>=]{1,2}')
# Get the very last operator, that is used in comparison inside `jq` query.
# From the example below we need to pick the `>` which is in between `add` and `1000`,
# but not the `!=`, which goes earlier in the `jq` expression
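Review bot: `mapfile` is a bash 4 builtin, so this swaps a shellcheck-suppressed word-split for a hard dependency on bash >= 4; the container image pins `bash=~5`, but a contributor running the hook natively with a bash 3.x (macOS ships 3.2 as `/bin/bash`) gets `mapfile: command not found` instead of a breakdown. If bash 3 is not a supported target that should be stated in CONTRIBUTING.md; otherwise the `read -r -a` loop that the removed comment says could not be made to work is the portable form. Behaviour is otherwise equivalent: `grep -oE` emits one operator per line, so each array element is a single operator either way, and an empty match set yields an empty array rather than an error.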
2 changes: 1 addition & 1 deletion tests/Dockerfile
@@ -1,4 +1,4 @@
FROM pre-commit
FROM pre-commit-terraform:latest

RUN apt update && \
apt install -y \
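Review bot: `FROM pre-commit-terraform:latest` names an un-namespaced local tag, so when the main image has not been built first Docker falls back to pulling `docker.io/library/pre-commit-terraform:latest` and the failure surfaces as a registry error rather than "build the base image first"; the tag here and the `-t` in CONTRIBUTING.md also have to be kept in sync by hand. Since a `:latest` base is precisely what hadolint DL3007 exists to flag, a per-line `# hadolint ignore=DL3007` comment above this `FROM` would document the exemption where it applies and keep the rule active for the main Dockerfile, instead of the repo-wide `--ignore DL3007` added to .pre-commit-config.yaml.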