Run angularjs-csti As User In Container #852

Merged
malexmave merged 8 commits into main from maintenance/container-user-angularjs-csti
Dec 1, 2021

Ilyesbdlala commented Dec 1, 2021

angularjs-csti scanner now runs as NonRoot

  • A new user is added to the docker image
  • Path to wrapper.sh is changed to new user's home directory

It should be noted that angularjs-csti currently does not have any integration tests. So testing was done manually.
See: Dedicated User For Scanner Images #286

* A new user is added to the docker image
* Path to wrapper.sh is changed to new user's
home directory

Signed-off-by: Ilyes Ben Dlala <[email protected]>
Ilyesbdlala added scanner maintenance labels Dec 1, 2021
Ilyesbdlala self-assigned this Dec 1, 2021
Ilyesbdlala mentioned this pull request Dec 1, 2021

the same archive was installed twice by mistake
this resolves that

Signed-off-by: Ilyes Ben Dlala <[email protected]>
Ilyesbdlala requested a review from malexmave December 1, 2021 11:22

malexmave commented

@Ilyesbdlala can you double-check if the documentation requires updates as well because the paths changed? From a quick look, it seems like we have some references to absolute paths in the docs that may require changing.

Ilyesbdlala and others added 3 commits December 1, 2021 15:30
* the mount path for the config volume is corrected
* readOnlyRootFileSystem in values is set to false to allow
writing the config file (see wrapper.sh)

Signed-off-by: Ilyes Ben Dlala <[email protected]>
this is the path to the volume mounted. to allow a config map to be
used with angularjs-csti-scanner.

Signed-off-by: Ilyes Ben Dlala <[email protected]>
Signed-off-by: GitHub Actions <[email protected]>
Ilyesbdlala commented

This PR also sets readOnlyRootFileSystem in values.yaml to false to allow the wrapper.sh to write to the config file.
This is for now required to enable using external configs.
It should be noted that the angularjs-csti is currently borked in the main repo. This is due to runAsNonRoot and readOnlyRootFilesystem both being set to true. This PR allows the scanner to run as non root.
See also: #723
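
The failure mode described in the comment above, modelled as an added example (not part of the pull request or the project's code): a small Python check that reports why a container would break under a given Kubernetes securityContext. The UID, paths and case names are constructed placeholders, and the third case (a writable volume under a read-only root filesystem) goes beyond what this PR does.

```python
from pathlib import PurePosixPath


def startup_problems(security_context, image_uid, write_paths, writable_mounts=()):
    """List reasons a container breaks under a Kubernetes securityContext.

    image_uid:       numeric UID of the image's USER (0 = root)
    write_paths:     files the entrypoint script writes at start-up
    writable_mounts: mountPaths of volumes mounted read-write
    """
    problems = []
    uid = security_context.get("runAsUser", image_uid)
    if security_context.get("runAsNonRoot") and uid == 0:
        # The kubelet refuses to start a root container when runAsNonRoot is set.
        problems.append("runAsNonRoot=true but the container would run as UID 0")
    if security_context.get("readOnlyRootFilesystem"):
        mounts = [PurePosixPath(m) for m in writable_mounts]
        for path in map(PurePosixPath, write_paths):
            # Only files below a writable volume mount can still be written.
            if not any(m in path.parents for m in mounts):
                problems.append(f"readOnlyRootFilesystem=true blocks write to {path}")
    return problems


# Constructed placeholders, not the project's real UID or paths.
SCANNER_UID = 1001
CONFIG_DIR = "/home/scanner/config"
CONFIG_FILE = CONFIG_DIR + "/generated-config"
BOTH_ON = {"runAsNonRoot": True, "readOnlyRootFilesystem": True}
RELAXED = {"runAsNonRoot": True, "readOnlyRootFilesystem": False}

CASES = {
    "root image, both settings on": (BOTH_ON, 0, [CONFIG_FILE], ()),
    "dedicated user, writable root fs": (RELAXED, SCANNER_UID, [CONFIG_FILE], ()),
    "dedicated user, writable volume": (BOTH_ON, SCANNER_UID, [CONFIG_FILE], (CONFIG_DIR,)),
}

if __name__ == "__main__":
    for name, args in CASES.items():
        print(f"{name}: {startup_problems(*args) or 'ok'}")
```
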

Ilyesbdlala linked an issue Dec 1, 2021 that may be closed by this pull request

malexmave left a comment

Tested, works on my machine (runs and also accepts and honors config files).

malexmave enabled auto-merge December 1, 2021 15:04
malexmave merged commit 151c59b into main Dec 1, 2021
malexmave deleted the maintenance/container-user-angularjs-csti branch December 1, 2021 15:28