@garethr
Created July 17, 2019 09:25
Use Snyk in a Docker build stage

This example demonstrates how to run Snyk in its own stage of a multi-stage Docker build, so that `docker build --target Security` executes the dependency scan as a build step. This is useful when all workloads in a CI environment are run in containers. The example uses Python, but the general pattern should work for other toolsets as well.

```console
$ docker build --build-arg SNYK_TOKEN=<your-token> --target Security .
Sending build context to Docker daemon  13.82kB

Step 1/18 : FROM python:3.7-alpine3.8 AS parent
 ---> f11f279751de
Step 2/18 : WORKDIR /app
 ---> Using cache
 ---> 15ea6a40787c
Step 3/18 : RUN pip3 install pipenv
 ---> Using cache
 ---> dc91d1b0b93a
Step 4/18 : FROM parent AS base
 ---> dc91d1b0b93a
Step 5/18 : RUN apk add --no-cache --update git=2.18.1-r0
 ---> Using cache
 ---> c389f3820f07
Step 6/18 : COPY Pipfile /app/
 ---> Using cache
 ---> 4ad53282ce3d
Step 7/18 : COPY Pipfile.lock /app/
 ---> Using cache
 ---> b3529f2992de
Step 8/18 : RUN pipenv install --deploy --system
 ---> Using cache
 ---> 55e4c01cc00a
Step 9/18 : COPY src /app
 ---> Using cache
 ---> 75f6bb916069
Step 10/18 : FROM parent as Security
 ---> dc91d1b0b93a
Step 11/18 : ARG SNYK_TOKEN
 ---> Using cache
 ---> c44d2b80fbc4
Step 12/18 : RUN apk add --no-cache curl wget gcc
 ---> Using cache
 ---> e0a35f2f82ff
Step 13/18 : RUN curl -s https://api.github.com/repos/snyk/snyk/releases/latest | grep "browser_download_url" | grep alpine | cut -d '"' -f 4 | wget -i - &&     sha256sum -c snyk-alpine.sha256 &&     mv snyk-alpine /usr/local/bin/snyk &&     chmod +x /usr/local/bin/snyk
 ---> Using cache
 ---> b3ae567a9986
Step 14/18 : COPY Pipfile /app/
 ---> Using cache
 ---> f5bf0025415d
Step 15/18 : COPY Pipfile.lock /app/
 ---> Using cache
 ---> 6f6cf278c567
Step 16/18 : RUN pipenv install
 ---> Using cache
 ---> 9e6f31d04b16
Step 17/18 : COPY src /app
 ---> Using cache
 ---> 4c9197d98332
Step 18/18 : RUN /usr/local/bin/snyk test
 ---> Running in 7ae3e4e777ec

Testing /app...

✗ High severity vulnerability found in flask
  Description: Improper Input Validation
  Info: https://snyk.io/vuln/SNYK-PYTHON-FLASK-42185
  Introduced through: flask@0.12
  From: flask@0.12

Organisation:      garethr
Package manager:   pip
Target file:       Pipfile
Open source:       no
Project path:      /app

Tested 7 dependencies for known vulnerabilities, found 1 vulnerability, 1 vulnerable path.
```
The Dockerfile used for the build above:

```dockerfile
FROM python:3.7-alpine3.8 AS parent
WORKDIR /app
RUN pip3 install pipenv

FROM parent AS base
COPY Pipfile /app/
COPY Pipfile.lock /app/
RUN pipenv install --deploy --system
COPY src /app

FROM parent AS Security
ARG SNYK_TOKEN
RUN apk add --no-cache curl wget gcc
RUN curl -s https://api.github.com/repos/snyk/snyk/releases/latest | grep "browser_download_url" | grep alpine | cut -d '"' -f 4 | wget -i - && \
    sha256sum -c snyk-alpine.sha256 && \
    mv snyk-alpine /usr/local/bin/snyk && \
    chmod +x /usr/local/bin/snyk
COPY Pipfile /app/
COPY Pipfile.lock /app/
RUN pipenv install
COPY src /app
RUN /usr/local/bin/snyk test

FROM base AS release
EXPOSE 5000
CMD ["gunicorn", "-b", ":5000", "app:app"]
```
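The Security stage fetches whatever the latest Snyk release is and checks it against a `.sha256` file downloaded from the same place, which catches a corrupted transfer but not a changed release. As an added example that is not part of the gist, the same install pinned to a release tag, with the expected digest committed next to the Dockerfile and passed in as a build arg, written as a POSIX shell script a `RUN` step could call. The GitHub release URL layout and the `SNYK_VERSION`/`SNYK_SHA256` names are assumptions.

```shell
#!/bin/sh
# Pinned, checksum-verified Snyk install for the Security stage.
# Assumptions (not from the gist): the asset is published at
# https://github.com/snyk/snyk/releases/download/<tag>/snyk-alpine, and the
# expected digest is stored in the repository rather than fetched at build time.
set -eu

# Compare a file's SHA-256 against an expected hex digest.
# Returns 0 on match, 1 on mismatch, 2 if the file does not exist.
verify_sha256() {  # $1 = path, $2 = expected digest
  [ -f "$1" ] || return 2
  actual=$(sha256sum "$1" | cut -d ' ' -f 1)
  [ "$actual" = "$2" ]
}

# Download one pinned release asset and refuse to install it unless the
# digest matches. The digest comes from the caller, not from the download site,
# so a swapped asset on the release page fails the build instead of passing.
install_snyk() {  # $1 = release tag, $2 = expected digest, $3 = destination path
  tmp=$(mktemp)
  wget -q -O "$tmp" "https://github.com/snyk/snyk/releases/download/$1/snyk-alpine"
  if ! verify_sha256 "$tmp" "$2"; then
    rm -f "$tmp"
    echo "snyk-alpine digest mismatch for release $1, refusing to install" >&2
    return 1
  fi
  install -m 0755 "$tmp" "$3"
  rm -f "$tmp"
}

# When called from a RUN step, SNYK_VERSION and SNYK_SHA256 would be supplied
# by ARG instructions (placeholder names); the script is a no-op without them.
if [ "${SNYK_VERSION:-}" ] && [ "${SNYK_SHA256:-}" ]; then
  install_snyk "$SNYK_VERSION" "$SNYK_SHA256" /usr/local/bin/snyk
fi
```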