Merge branch 'master' into snyk-fix-bc483956510817c8e9fdbb6ef39b93b8

tenable · Sep 22, 2023 · 65c4dee · 65c4dee
2 parents 62bead6 + 9e99f08
commit 65c4dee
Show file tree

Hide file tree

Showing 5 changed files with 62 additions and 28 deletions.
diff --git a/.github/workflows/gobuild.yml b/.github/workflows/gobuild.yml
@@ -19,10 +19,10 @@ jobs:
       GOOGLE_APPLICATION_CREDENTIALS_TEST_SECRET: ${{ secrets.GOOGLE_APPLICATION_CREDENTIALS_TEST_KEY }}
     steps:
       - name: Checkout Terrascan
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Setup Go
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@v4
         with:
           go-version: ${{ env.GO_VERSION }}
 
@@ -60,22 +60,21 @@ jobs:
     needs: validate
 
     runs-on: ubuntu-latest
-    if: github.event_name == 'push'
+    if: github.event_name == 'push' && github.ref == 'refs/heads/master'
 
     steps:
       - name: Checkout Terrascan
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
-      - name: Build Terrascan docker image
-        run: make docker-build
+      - uses: docker/setup-qemu-action@v2
 
       - name: Login to Docker Hub
         uses: docker/login-action@v2
-        if: ${{ github.ref == 'refs/heads/master' }}
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Push Terrascan latest docker image
-        if: ${{ github.ref == 'refs/heads/master' }}
-        run: make docker-push-latest
+      - name: Build and push Terrascan latest docker image
+        run: make docker-build-push-latest
+        env:
+          MULTIPLATFORM: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -13,11 +13,11 @@ jobs:
       GO_VERSION: 1.19
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
       - name: Set up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v4
         with:
           go-version: ${{ env.GO_VERSION }}
       - name: Run GoReleaser
@@ -34,19 +34,20 @@ jobs:
 
     steps:
       - name: Checkout Terrascan
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
-      - name: Build Terrascan docker image
-        run: make docker-build
+      - uses: docker/setup-qemu-action@v2
 
       - name: Login to Docker Hub
         uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Push Terrascan latest tag docker image
-        run: make docker-push-latest-tag
+      - name: Build and Push Terrascan latest tag docker image
+        run: make docker-build-push-latest-tag
+        env:
+          MULTIPLATFORM: true
 
       - name: Build terrascan_atlantis docker image
         run: make atlantis-docker-build

diff --git a/Makefile b/Makefile
@@ -108,12 +108,19 @@ install-kind:
 docker-build:
 	./scripts/docker-build.sh
 
+# build and push latest terrascan docker image
+docker-build-push-latest:
+	./scripts/docker-build.sh latest
+
+# build and push release tag terrascan docker image
+docker-build-push-latest-tag:
+	./scripts/docker-build.sh tag
+
 
 # push terrascan docker image
 docker-push:
 	./scripts/docker-push.sh
 
-
 # push latest terrascan docker image
 docker-push-latest:
 	./scripts/docker-push-latest.sh

diff --git a/build/Dockerfile b/build/Dockerfile
@@ -1,23 +1,20 @@
 # -------- builder stage -------- #
 FROM golang:alpine AS builder
 
-ARG GOOS_VAL=linux
-ARG GOARCH_VAL=amd64
-ARG CGO_ENABLED_VAL=1
+ARG CGO_ENABLED_VAL=0
 
 WORKDIR $GOPATH/src/terrascan
 
 # download go dependencies
 COPY go.mod go.sum ./
 RUN go mod download
-RUN apk add -U build-base
+RUN apk update && apk add --no-cache --update build-base git
 
 # copy terrascan source
 COPY . .
 
 # build binary
-RUN apk update && apk add git && \
-    CGO_ENABLED=${CGO_ENABLED_VAL} GOOS=${GOOS_VAL} GOARCH=${GOARCH_VAL} go build -v -ldflags "-w -s" -o /go/bin/terrascan ./cmd/terrascan
+RUN CGO_ENABLED=${CGO_ENABLED_VAL} go build -v -ldflags "-w -s" -o /go/bin/terrascan ./cmd/terrascan
 
 
 # -------- prod stage -------- #

diff --git a/scripts/docker-build.sh b/scripts/docker-build.sh
@@ -1,15 +1,45 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 set -o errexit
 set -o nounset
 set -o pipefail
 
-GIT_COMMIT=$(git rev-parse --short HEAD 2>/dev/null)
 DOCKER_REPO="tenable/terrascan"
 DOCKERFILE="./build/Dockerfile"
 
-docker buildx create --platform linux/amd64,linux/arm64 --name terrascan-builder --use
+if [ $# -eq 0 ]; then
+  LABEL=$(git rev-parse --short HEAD 2>/dev/null)
+elif [ $# -eq 1 ]; then
+  case "$1" in
+    latest)
+      LABEL="latest"
+      ;;
+    tag)
+      LATEST_TAG=$(git describe --abbrev=0 --tags)
+      LABEL=$(echo "${LATEST_TAG//v}")
+      ;;
+      *)
+  esac
+fi
 
-docker buildx build -t ${DOCKER_REPO}:${GIT_COMMIT} -f ${DOCKERFILE} . --load
+if [ "${LABEL-false}" = "false" ]; then
+  echo "Usage:"
+  echo "  $0          ->  label is the git commit"
+  echo "  $0  tag     ->  label is the latest tag"
+  echo "  $0  latest  ->  label is 'latest'"
+  exit 1
+fi
+
+declare -a PLATFORM
+if [ "${MULTIPLATFORM-false}" = "true" ]; then
+  OUTPUT_TYPE="--push"
+  PLATFORM=("--platform" "linux/amd64,linux/arm64")
+else
+  OUTPUT_TYPE="--load"
+fi
+
+docker buildx create "${PLATFORM[@]}" --name terrascan-builder --use
+
+docker buildx build --provenance=false "${OUTPUT_TYPE}" "${PLATFORM[@]}" -t "${DOCKER_REPO}:${LABEL}" -f "${DOCKERFILE}" .
 
 docker buildx rm terrascan-builder