feat(docker): add support for using external secrets for initialization phase #8197

Closed
wants to merge 25 commits into from

chore: remove unused saml_scim_client

9efcf00
DryRunSecurity / Sensitive Files Analyzer succeeded Jul 4, 2024 in 0s

Sensitive Files Analyzer Findings: 7 detected

⚠️ Potential Sensitive File docker-jans-all-in-one/Dockerfile
Type Potential Sensitive File
Description Dockerfile changes can introduce security issues such as insecure base images, insecure file permissions, untrusted packages, etc.
Filename docker-jans-all-in-one/Dockerfile
CodeLink
# Assets sync
# ===========
ENV JANS_SOURCE_VERSION=d83bd17f860cefe5c6732b672127cbf55ad97f82
# note that as we're pulling from a monorepo (with multiple projects in it)
# we are using partial-clone and sparse-checkout to get the assets
⚠️ Potential Sensitive File docker-jans-all-in-one/app/requirements.txt
Type Potential Sensitive File
Description It is typical for Django applications to utilize requirements.txt files to manage their dependencies. A change in this file may indicate an addition of a library/dependency which could introduce additional risk to the application either through vulnerable code, expansion of the application's attack surface via additional routes, or malicious code.
Filename docker-jans-all-in-one/app/requirements.txt
CodeLink
ruamel.yaml==0.18.6
supervisor==4.2.5
pluggy==1.4.0
pem==23.1.0
/tmp/jans/jans-pycloudlib
⚠️ Potential Sensitive File docker-jans-auth-server/Dockerfile
Type Potential Sensitive File
Description Dockerfile changes can introduce security issues such as insecure base images, insecure file permissions, untrusted packages, etc.
Filename docker-jans-auth-server/Dockerfile
CodeLink
/app/static/rdbm \
/app/schema
ENV JANS_SOURCE_VERSION=d83bd17f860cefe5c6732b672127cbf55ad97f82
ARG JANS_SETUP_DIR=jans-linux-setup/jans_setup
# note that as we're pulling from a monorepo (with multiple projects in it)
⚠️ Potential Sensitive File docker-jans-casa/Dockerfile
Type Potential Sensitive File
Description Dockerfile changes can introduce security issues such as insecure base images, insecure file permissions, untrusted packages, etc.
Filename docker-jans-casa/Dockerfile
CodeLink
# Assets sync
# ===========
ENV JANS_SOURCE_VERSION=d83bd17f860cefe5c6732b672127cbf55ad97f82
ARG JANS_SETUP_DIR=jans-linux-setup/jans_setup
ARG JANS_CASA_EXTRAS_DIR=jans-casa/extras
⚠️ Potential Sensitive File docker-jans-casa/Makefile
Type Potential Sensitive File
Description Makefiles tend to influence the behavior of the executing program and can have security consequences if applied incorrectly. For example, having the ability to run commands that could be irreversible such as rm -rf /, changing file permissions, tampering with dependencies, and more.
Filename docker-jans-casa/Makefile
CodeLink
IMAGE_VERSION?=$(shell grep -Po 'org.opencontainers.image.version="\K.*?(?=")' Dockerfile)_dev
IMAGE_URL=$(shell grep -Po 'org.opencontainers.image.url="\K.*?(?=")' Dockerfile)
IMAGE?=${IMAGE_URL}:${IMAGE_VERSION}
# pass extra args to the targets, for example:
#
# - `make build-dev ARGS="--no-cache"`
# - `make trivy-scan TRIVY_ARGS="-f json"`
# - `make grype-scan GRYPE_ARGS="-o json"`
ARGS?=
.PHONY: test clean all build-dev trivy-scan grype-scan
.DEFAULT_GOAL := build-dev
build-dev:
	@echo "[I] Building OCI image ${IMAGE}"
	@docker build --rm --force-rm ${ARGS} -t ${IMAGE} .
trivy-scan:
	@echo "[I] Scanning OCI image ${IMAGE} using trivy"
	@trivy image --scanners vuln ${ARGS} ${IMAGE}
grype-scan:
	@echo "[I] Scanning OCI image ${IMAGE} using grype"
	@grype -v ${ARGS} ${IMAGE}
⚠️ Potential Sensitive File docker-jans-certmanager/Dockerfile
Type Potential Sensitive File
Description Dockerfile changes can introduce security issues such as insecure base images, insecure file permissions, untrusted packages, etc.
Filename docker-jans-certmanager/Dockerfile
CodeLink
# Assets sync
# ===========
ENV JANS_SOURCE_VERSION=d83bd17f860cefe5c6732b672127cbf55ad97f82
# note that as we're pulling from a monorepo (with multiple projects in it)
# we are using partial-clone and sparse-checkout to get the assets
⚠️ Potential Sensitive File docker-jans-config-api/Dockerfile
Type Potential Sensitive File
Description Dockerfile changes can introduce security issues such as insecure base images, insecure file permissions, untrusted packages, etc.
Filename docker-jans-config-api/Dockerfile
CodeLink
# Assets sync
# ===========
ENV JANS_SOURCE_VERSION=d83bd17f860cefe5c6732b672127cbf55ad97f82
ARG JANS_SETUP_DIR=jans-linux-setup/jans_setup
ARG JANS_CONFIG_API_RESOURCES=jans-config-api/server/src/main/resources