Skip to content

Comments

Run angularjs-csti As User In Container#852

Merged
malexmave merged 8 commits intomainfrom
maintenance/container-user-angularjs-csti
Dec 1, 2021
Merged

Run angularjs-csti As User In Container#852
malexmave merged 8 commits intomainfrom
maintenance/container-user-angularjs-csti

Conversation

@Ilyesbdlala
Copy link
Member

@Ilyesbdlala Ilyesbdlala commented Dec 1, 2021
edited
Loading

angularjs-csti scanner now runs as NonRoot

  • A new user is added to the docker image
  • Path to wrapper.sh is changed to new user's
    home directory
    It should be noted that angularjs-csti currently does not have any integration tests. So testing was done manually.
    See: Dedicated User For Scanner Images #286

@Ilyesbdlala
angularjs-csti scanner now runs as NonRoot
ed9ff50 
* A new user is added to the docker image
* Path to wrapper.sh is changed to new user's
home directory

Signed-off-by: Ilyes Ben Dlala <[email protected]>
@Ilyesbdlala Ilyesbdlala added scanner Implement or update a security scanner maintenance labels Dec 1, 2021
@Ilyesbdlala Ilyesbdlala self-assigned this Dec 1, 2021
@Ilyesbdlala Ilyesbdlala mentioned this pull request Dec 1, 2021
Closed
7 tasks
malexmave
malexmave reviewed Dec 1, 2021
View reviewed changes
@Ilyesbdlala
Removed redundent pip install
ca9ae53 
the same archive was installed twice by mistake
this resolves that

Signed-off-by: Ilyes Ben Dlala <[email protected]>
@Ilyesbdlala Ilyesbdlala requested a review from malexmave December 1, 2021 11:22
@malexmave
Copy link
Member

malexmave commented Dec 1, 2021

@Ilyesbdlala can you double-check if the documentation requires updates as well because the paths changed? From a quick look, it seems like we have some references to absolute paths in the docs that may require changing.

Ilyesbdlala and others added 3 commits December 1, 2021 15:30
@Ilyesbdlala
Allows using angularjscsti's configs
a43c64b 
* the mount path for the config volume is corrected
* readOnlyRootFileSystem in values is set to false to allow
writing the config file (see wrapper.sh)

Signed-off-by: Ilyes Ben Dlala <[email protected]>
@Ilyesbdlala
corrects the config file mount path of acstis scanner in docs
2733ef0 
this is the path to the volume mounted. to allow a config map to be
used with angularjs-csti-scanner.

Signed-off-by: Ilyes Ben Dlala <[email protected]>
@Ilyesbdlala @secureCodeBoxBot
Updating Helm Docs
7e520e0 
Signed-off-by: GitHub Actions <[email protected]>
@Ilyesbdlala
Copy link
Member Author

Ilyesbdlala commented Dec 1, 2021

This PR also sets readOnlyRootFileSystem in values.yaml is to false to allow the wrapper.sh to write to the config file.
This is for now required to enable using external configs.
It should be noted that the angularjs-csti is currently borked in the main repo. This is due to runAsNonRoot and readOnlyRootFilesystem both being set to true. This PR allows the scanner to run as non root.
See also : #723

@Ilyesbdlala Ilyesbdlala linked an issue Dec 1, 2021 that may be closed by this pull request
Dedicated User For Scanner Images #286
Closed
7 tasks
malexmave
malexmave approved these changes Dec 1, 2021
View reviewed changes
Copy link
Member

@malexmave malexmave left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested, works on my machine (runs and also accepts and honors config files).

@malexmave malexmave enabled auto-merge December 1, 2021 15:04
@malexmave malexmave merged commit 151c59b into main Dec 1, 2021
@malexmave malexmave deleted the maintenance/container-user-angularjs-csti branch December 1, 2021 15:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@malexmave malexmave malexmave approved these changes

Assignees

@Ilyesbdlala Ilyesbdlala

Labels

maintenance scanner Implement or update a security scanner

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Dedicated User For Scanner Images

2 participants

@Ilyesbdlala @malexmave