diff --git a/.github/workflows/cron-scorecards-analysis.yaml b/.github/workflows/cron-scorecards-analysis.yaml
index cd54e475dd4..3c6d8230a0b 100644
--- a/.github/workflows/cron-scorecards-analysis.yaml
+++ b/.github/workflows/cron-scorecards-analysis.yaml
@@ -3,8 +3,10 @@
 # https://openssf.org/blog/2022/01/19/reducing-security-risks-in-open-source-software-at-scale-scorecards-launches-v4/
 name: Scorecards supply-chain security
 on:
- # Only the default branch is supported.
- branch_protection_rule:
+ push:
+ # Only the default branch is supported.
+ branches:
+ - main
 schedule:
 # Weekly on Saturdays.
 - cron: '30 1 * * 6'
@@ -31,29 +33,20 @@ jobs:
 - name: "Run analysis"
 uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46
 with:
- results_file: scorecard-results.sarif
+ results_file: results.sarif
 results_format: sarif
- # (Optional) fine-grained personal access token. Uncomment the `repo_token` line below if:
- # - you want to enable the Branch-Protection check on a *public* repository, or
- # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-fine-grained-pat-optional.
- repo_token: ${{ secrets.SCORECARD_TOKEN }}
- #
- # Publish the results for public repositories to enable scorecard badges. For more details, see
- # https://github.com/ossf/scorecard-action#publishing-results.
- # For private repositories, `publish_results` will automatically be set to `false`, regardless
- # of the value entered here.
 publish_results: true
 - name: "Upload artifact"
 uses: actions/upload-artifact@v4
 with:
 name: SARIF file
- path: scorecard-results.sarif
+ path: results.sarif
 retention-days: 7
 # Upload the results to GitHub's code scanning dashboard.
 - name: "Upload to code-scanning"
 uses: github/codeql-action/upload-sarif@v3
 with:
- sarif_file: scorecard-results.sarif
+ sarif_file: results.sarif
 category: ossf-scorecard
diff --git a/dockerfiles/Dockerfile b/dockerfiles/Dockerfile
index feb84bb49d1..f068611e654 100644
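Review bot: Replacing `branch_protection_rule:` with `push:` in the `on:` block means a change to the default branch's protection settings no longer re-runs Scorecard, so the Branch-Protection score only refreshes on the next push to main or the Saturday cron. The two triggers are not mutually exclusive, and both are accepted for `publish_results`, so keeping `branch_protection_rule:` as a third entry next to `push:` and `schedule:` loses nothing. The hard-coded `- main` also bakes in an assumption that main is the default branch; the kept comment says only the default branch is supported, so if the repository's default branch ever differs, published results would be rejected rather than merely stale.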
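Review bot: Deleting `repo_token: ${{ secrets.SCORECARD_TOKEN }}` in the "Run analysis" step removes the PAT that the deleted comment itself says enables the Branch-Protection check on a public repository, so that check now runs under the default `GITHUB_TOKEN` and should be expected to degrade; whether the secret was deliberately retired or simply never existed is not visible here and is worth stating in the commit. If the omission is intentional, leave a breadcrumb above `publish_results: true` so it is not blindly re-added: `# repo_token intentionally omitted; Branch-Protection is evaluated with the default GITHUB_TOKEN`. Also visible in this hunk, though not changed by it: `actions/upload-artifact@v4` and `github/codeql-action/upload-sarif@v3` are mutable tags while the scorecard action is SHA-pinned, which Scorecard's own Pinned-Dependencies check will report against this workflow.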
--- a/dockerfiles/Dockerfile
+++ b/dockerfiles/Dockerfile
@@ -1,3 +1,5 @@
+# syntax=docker/dockerfile:1
+# check=skip=InvalidBaseImagePlatform
 # To use this container you may need to do the following:
 # https://askubuntu.com/a/1369504
@@ -14,10 +16,10 @@ ARG RELEASE_VERSION=3.1.7
 # For multi-arch builds - assumption is running on an AMD64 host
-FROM multiarch/qemu-user-static:x86_64-arm as qemu-arm32
-FROM multiarch/qemu-user-static:x86_64-aarch64 as qemu-arm64
+FROM multiarch/qemu-user-static:x86_64-arm AS qemu-arm32
+FROM multiarch/qemu-user-static:x86_64-aarch64 AS qemu-arm64
-FROM debian:bookworm-slim as builder-base
+FROM debian:bookworm-slim AS builder-base
 COPY --from=qemu-arm32 /usr/bin/qemu-arm-static /usr/bin/
 COPY --from=qemu-arm64 /usr/bin/qemu-aarch64-static /usr/bin/
@@ -30,7 +32,7 @@ ENV FLB_CHUNK_TRACE=${FLB_CHUNK_TRACE}
 RUN mkdir -p /fluent-bit/bin /fluent-bit/etc /fluent-bit/log
-ENV DEBIAN_FRONTEND noninteractive
+ENV DEBIAN_FRONTEND=noninteractive
 # hadolint ignore=DL3008
 RUN echo "deb http://deb.debian.org/debian bookworm-backports main" >> /etc/apt/sources.list && \
@@ -61,7 +63,7 @@ WORKDIR /src/fluent-bit/
 COPY . ./
 # We split the builder setup out so people can target it or use as a base image without doing a full build.
-FROM builder-base as builder
+FROM builder-base AS builder
 WORKDIR /src/fluent-bit/build/
 RUN cmake -DFLB_RELEASE=On \
 -DFLB_JEMALLOC=On \
@@ -97,7 +99,7 @@ RUN /fluent-bit/bin/fluent-bit -J > /fluent-bit/etc/schema.json
 # Simple example of how to properly extract packages for reuse in distroless
 # Taken from: https://github.com/GoogleContainerTools/distroless/issues/863
-FROM debian:bookworm-slim as deb-extractor
+FROM debian:bookworm-slim AS deb-extractor
 COPY --from=qemu-arm32 /usr/bin/qemu-arm-static /usr/bin/
 COPY --from=qemu-arm64 /usr/bin/qemu-aarch64-static /usr/bin/
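Review bot: The new `# check=skip=InvalidBaseImagePlatform` directive at the top of the Dockerfile disables a BuildKit lint rule for the entire file without saying why, which invites someone to either delete it (and break the build on the warning-as-error path) or widen it to more rules. The reason is inferable from the later hunks, where the `multiarch/qemu-user-static:x86_64-*` stages are amd64-only images deliberately pulled into a multi-arch build, so state it next to the directive: `# The qemu-user-static stages below are intentionally amd64-only (see the multi-arch note); skip the platform-mismatch check for them.` Separately, `# syntax=docker/dockerfile:1` is a floating reference to whatever the latest 1.x frontend image is; like the tag-only `FROM` lines elsewhere in this file it is mutable, and a digest or at least a minor-version pin would make the build reproducible if that is a goal here.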
@@ -154,7 +156,7 @@ RUN find /dpkg/ -type d -empty -delete && \
 # We want latest at time of build
 # hadolint ignore=DL3006
-FROM gcr.io/distroless/cc-debian12 as production
+FROM gcr.io/distroless/cc-debian12 AS production
 ARG RELEASE_VERSION
 ENV FLUENT_BIT_VERSION=${RELEASE_VERSION}
 LABEL description="Fluent Bit multi-architecture container image" \
@@ -185,7 +187,7 @@ EXPOSE 2020
 ENTRYPOINT [ "/fluent-bit/bin/fluent-bit" ]
 CMD ["/fluent-bit/bin/fluent-bit", "-c", "/fluent-bit/etc/fluent-bit.conf"]
-FROM debian:bookworm-slim as debug
+FROM debian:bookworm-slim AS debug
 ARG RELEASE_VERSION
 ENV FLUENT_BIT_VERSION=${RELEASE_VERSION}
 LABEL description="Fluent Bit multi-architecture debug container image" \
@@ -203,7 +205,7 @@ LABEL description="Fluent Bit multi-architecture debug container image" \
 COPY --from=qemu-arm32 /usr/bin/qemu-arm-static /usr/bin/
 COPY --from=qemu-arm64 /usr/bin/qemu-aarch64-static /usr/bin/
-ENV DEBIAN_FRONTEND noninteractive
+ENV DEBIAN_FRONTEND=noninteractive
 # hadolint ignore=DL3008
 RUN echo "deb http://deb.debian.org/debian bookworm-backports main" >> /etc/apt/sources.list && \
diff --git a/dockerfiles/Dockerfile.windows b/dockerfiles/Dockerfile.windows
index 8ffefe78e55..14c901c4776 100644
--- a/dockerfiles/Dockerfile.windows
+++ b/dockerfiles/Dockerfile.windows
@@ -14,7 +14,7 @@ ARG WINDOWS_VERSION=ltsc2019
 # Builder Image - Windows Server Core
-FROM mcr.microsoft.com/windows/servercore:$WINDOWS_VERSION as builder
+FROM mcr.microsoft.com/windows/servercore:$WINDOWS_VERSION AS builder
 RUN setx /M PATH "%PATH%;C:\BuildTools\Common7\IDE\CommonExtensions\Microsoft\CMake\CMake\bin;C:\WinFlexBison;C:\dev\vcpkg"
@@ -87,7 +87,7 @@ RUN New-Item -Path /fluent-bit/etc/ -ItemType "directory"; `
 #
 # Runtime Image - Windows Server Core
 #
-FROM mcr.microsoft.com/windows/servercore:$WINDOWS_VERSION as runtime
+FROM mcr.microsoft.com/windows/servercore:$WINDOWS_VERSION AS runtime
 ARG FLUENTBIT_VERSION=master
 ARG IMAGE_CREATE_DATE