feature: Allow appending an arbitrary validation command to the built image

# Motivation

Some image building workflows involve a final `RUN` command that serves to in some way validate the built image before pushing it to a remote registry ([example](https://docs.docker.com/build/ci/github-actions/test-before-push/)).

For example, we may want to run a security scan of the image for CVEs using e.g. [trivy](https://github.com/aquasecurity/trivy), or perform a final confidence check on the image using e.g. [goss](https://github.com/goss-org/goss).

With Envbuilder, the built image is only available inside the running `envbuilder` container, so it can't be scanned easily by external processes.

# Solution

Allow appending an arbitrary RUN command to the Dockerfile produced by Envbuilder. An example of such a command could be:

```shell
RUN curl -fsSL -o /tmp/validate.sh https://host.internal/validate.sh && \
    chmod +x /tmp/validate.sh && \
    /tmp/validate.sh && \
    rm -f /tmp/validate.sh
```

# Alternatives

The above behaviour can be approximated with no code changes with the below:

- Append a RUN command to the Dockerfile containing the specific check(s) they wish to run, or 
- Add the required validation steps to `devcontainer.json` as e.g. `postCreateCommand`, or
- Create a specific devcontainer feature that runs the desired validation commands.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feature: Allow appending an arbitrary validation command to the built image #383

Motivation

Solution

Alternatives

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

feature: Allow appending an arbitrary validation command to the built image #383

Description

Motivation

Solution

Alternatives

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions