22 changes: 21 additions & 1 deletion Dockerfile
@@ -1,3 +1,5 @@
ARG BUILD_DIR=/build

FROM debian:12-slim

ARG TARGETARCH
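Review bot: `ARG BUILD_DIR=/build` at the top of the file is not read anywhere in the visible hunks; the only other reference is the bare `ARG BUILD_DIR` re-declaration ahead of the PGDG setup, and nothing shown expands `$BUILD_DIR`. If an instruction outside these hunks uses it, a one-line comment here saying what it is for would help; if nothing does, both lines can be dropped.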
@@ -14,16 +16,16 @@

ENV DRUPAL_DB_NAME=drupal
ENV DRUPAL_DB_USER=drupal
ENV DRUPAL_DB_PASSWORD=drupal

Check warning on line 19 in Dockerfile

GitHub Actions / build / build-push

Sensitive data should not be used in the ARG or ENV commands

SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "DRUPAL_DB_PASSWORD") More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/
ENV DRUPAL_TRUSTED_HOSTS='["drupal","localhost"]'
ENV POSTGRES_HOST=db
ENV MEMCACHED_HOST=memcached
ENV MEMCACHED_PORT=11211
ENV SOLR_HOST=solr
ENV SOLR_USERNAME=drupal
ENV SOLR_PASSWORD=drupal

Check warning on line 26 in Dockerfile

GitHub Actions / build / build-push

Sensitive data should not be used in the ARG or ENV commands

SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "SOLR_PASSWORD") More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/
ENV JWT_KEY_TYPE=RS256

Check warning on line 27 in Dockerfile

GitHub Actions / build / build-push

Sensitive data should not be used in the ARG or ENV commands

SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "JWT_KEY_TYPE") More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/
ENV JWT_KEY_FILE="/var/run/secrets/crayfish.key"

Check warning on line 28 in Dockerfile

GitHub Actions / build / build-push

Sensitive data should not be used in the ARG or ENV commands

SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "JWT_KEY_FILE") More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/
ENV IIIF_URL=http://cantaloupe/iiif/2
ENV IIIF_INGRESS_URL=http://drupal/iiif/2
ENV ACTIVEMQ_HOST=activemq
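Review bot: `ENV DRUPAL_DB_PASSWORD=drupal` and `ENV SOLR_PASSWORD=drupal` still bake default credentials into the image, which is what the SecretsUsedInArgOrEnv warnings on lines 19 and 26 report; ENV values are stored in the image configuration and are readable by anyone who can pull or inspect the image. Consider dropping these defaults and supplying the values at runtime, or reading them from a mounted file the way `JWT_KEY_FILE="/var/run/secrets/crayfish.key"` already does for the key. The warnings on `JWT_KEY_TYPE` and `JWT_KEY_FILE` look like matches on the variable name only: the values are an algorithm name and a file path, not secret material.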
@@ -42,6 +44,24 @@

COPY clear-cache /bin/clear-cache

ARG BUILD_DIR
RUN install -d /usr/share/postgresql-common/pgdg/
ADD --link --chmod=0555 \
--checksum=sha256:0144068502a1eddd2a0280ede10ef607d1ec592ce819940991203941564e8e76 \
https://www.postgresql.org/media/keys/ACCC4CF8.asc /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc
RUN \
--mount=type=cache,target=/var/lib/apt/lists,sharing=locked,id=debian-apt-lists-$TARGETARCH$TARGETVARIANT \
--mount=type=cache,target=/var/cache/apt/archives,sharing=locked,id=debian-apt-archives-$TARGETARCH$TARGETVARIANT \
<<EOS
set -e
apt-get update
apt-get install -y -o Dpkg::Options::="--force-confnew" --no-install-recommends --no-install-suggests ca-certificates
. /etc/os-release
echo "deb [signed-by=/usr/share/postgresql-common/pgdg/apt.postgresql.org.asc] https://apt.postgresql.org/pub/repos/apt ${VERSION_CODENAME}-pgdg main" > /etc/apt/sources.list.d/pgdg.list
apt-get update
EOS


RUN \
--mount=type=cache,target=/var/lib/apt/lists,sharing=locked,id=debian-apt-lists-$TARGETARCH$TARGETVARIANT \
--mount=type=cache,target=/var/cache/apt/archives,sharing=locked,id=debian-apt-archives-$TARGETARCH$TARGETVARIANT \
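Review bot: `--chmod=0555` on the `ADD` line marks the downloaded signing key as executable; the file only needs to be readable for `signed-by=`, so `--chmod=0444` is enough. The `--checksum=sha256:...` pin is a good control, but it also means the build fails whenever the file at that URL changes, so a short comment saying what the hash covers and how to refresh it would save the next maintainer some time. The final `apt-get update` inside the heredoc is repeated by `apt-get -qqy update` at the start of the following `RUN`, and `/var/lib/apt/lists` is a cache mount shared between the two, so the trailing one can be dropped. The re-declared `ARG BUILD_DIR` is not used by anything in this hunk.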
@@ -50,7 +70,7 @@
apt-get -qqy update
DEBIAN_FRONTEND=noninteractive apt-get install -y -o Dpkg::Options::="--force-confnew" --no-install-recommends --no-install-suggests \
ca-certificates curl git patch openssh-client openssl sudo unzip wget \
postgresql-client postgresql-client-common \
postgresql-client-16 postgresql-client-common \
imagemagick poppler-utils \
apache2 apache2-utils php php-common php-dev libapache2-mod-php \
php-ctype php-curl php-fileinfo php-gd php-iconv php-json \
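Review bot: `postgresql-client-16` hard-codes the client major version in the package list with no comment on which server version it has to match, and the only record that it depends on the PGDG source added earlier is the ordering of the two `RUN` steps. Consider a comment next to the package name stating that it must track the major version of the database behind `POSTGRES_HOST`, or lifting the version into a build argument so it is changed in one place.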