
Commit 187643d

OCM-00000 | ci: fix security-check
Signed-off-by: Amanda Hager Lopes de Andrade Katz <amanda.katz@redhat.com>
1 parent 8f49326 commit 187643d

2 files changed

Lines changed: 39 additions & 24 deletions


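--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@
 FROM registry.access.redhat.com/ubi9/ubi:latest
 WORKDIR /app
 COPY . /app
-RUN yum update -y && yum install -y yum-utils shadow-utils unzip tar make git && \
+RUN yum update -y && yum install -y yum-utils shadow-utils unzip tar make git python3-pip && \
 yum clean all && \
 rm -rf /var/cache/yum
 # Prow / integration client image: newest Terraform (TERRAFORM_VERSION). Module minimum compatibility is checked in GitHub Actions verify-min-terraform.yml.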
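Review bot: `python3-pip` is appended to the install list with no comment recording why it is now required, which matters here because the only consumer appears to be the checkov branch of hack/install-release-tool.sh in the same commit, and a later cleanup of "unused" packages would silently break that path. A one-line comment above the `RUN` would pin the reason down: `# python3-pip: hack/install-release-tool.sh installs checkov from PyPI on Linux because the release zips need glibc >= 2.38 and ubi9 ships 2.34`. Since the package list is unpinned and the base is `:latest`, the Python and pip versions that end up in the image are whatever the base resolves on the day of the build, so the pip-based install inherits that variability; pinning `python3-pip` (or at least the python3 major.minor) would make the CI image reproducible. Whether the script runs at image build time or at CI job time is not visible in this hunk.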

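--- a/hack/install-release-tool.sh
+++ b/hack/install-release-tool.sh
@@ -126,32 +126,47 @@ case "$tool" in
 ;;
 
 checkov)
-# bridgecrewio/checkov GitHub releases do not publish checksum files; verify against
-# repo-pinned hack/checksums/checkov-<version>.sha256sums instead.
-case "${os}_${arch}" in
-linux_amd64) asset="checkov_linux_X86_64.zip" ;;
-linux_arm64) asset="checkov_linux_arm64.zip" ;;
-darwin_amd64) asset="checkov_darwin_X86_64.zip" ;;
-windows_amd64) asset="checkov_windows_X86_64.zip" ;;
-*)
-echo "Unsupported platform for checkov: ${os}_${arch}" >&2
-exit 1
-;;
-esac
-url="https://github.com/bridgecrewio/checkov/releases/download/${version}/${asset}"
-checksums_file="${script_dir}/checksums/checkov-${version}.sha256sums"
 dest_bin="${dest_dir}/checkov"
+# Linux release zips are PyInstaller bundles that require GLIBC >= 2.38; UBI9/RHEL9 (glibc 2.34) cannot run them.
+if [ "$os" = "linux" ]; then
+if ! command -v pip3 >/dev/null 2>&1; then
+echo "pip3 is required to install checkov on Linux (GitHub release zip requires GLIBC >= 2.38)." >&2
+exit 1
+fi
+lib_dir="${dest_dir}/.checkov-lib"
+rm -rf "$lib_dir"
+pip3 install --no-cache-dir --target "$lib_dir" "checkov==${version}"
+cat >"$dest_bin" <<WRAP
+#!/usr/bin/env bash
+export PYTHONPATH="${lib_dir}:\${PYTHONPATH:-}"
+exec python3 -m checkov.main "\$@"
+WRAP
+chmod +x "$dest_bin"
+else
+# bridgecrewio/checkov GitHub releases do not publish checksum files; verify against
+# repo-pinned hack/checksums/checkov-<version>.sha256sums instead.
+case "${os}_${arch}" in
+darwin_amd64) asset="checkov_darwin_X86_64.zip" ;;
+windows_amd64) asset="checkov_windows_X86_64.zip" ;;
+*)
+echo "Unsupported platform for checkov: ${os}_${arch}" >&2
+exit 1
+;;
+esac
+url="https://github.com/bridgecrewio/checkov/releases/download/${version}/${asset}"
+checksums_file="${script_dir}/checksums/checkov-${version}.sha256sums"
+
+if [ ! -f "${checksums_file}" ]; then
+echo "Missing pinned checksums: ${checksums_file}" >&2
+echo "bridgecrewio/checkov releases do not publish upstream checksum files; add SHA256 sums for each platform zip when bumping CHECKOV_VERSION (see CONTRIBUTING.md)." >&2
+exit 1
+fi
 
-if [ ! -f "${checksums_file}" ]; then
-echo "Missing pinned checksums: ${checksums_file}" >&2
-echo "bridgecrewio/checkov releases do not publish upstream checksum files; add SHA256 sums for each platform zip when bumping CHECKOV_VERSION (see CONTRIBUTING.md)." >&2
-exit 1
+curl -fsSL -o "${tmp}/${asset}" "$url"
+sha256_verify "${tmp}/${asset}" "${checksums_file}"
+unzip -o "${tmp}/${asset}" -d "$tmp"
+install -m 0755 "${tmp}/dist/checkov" "$dest_bin"
 fi
-
-curl -fsSL -o "${tmp}/${asset}" "$url"
-sha256_verify "${tmp}/${asset}" "${checksums_file}"
-unzip -o "${tmp}/${asset}" -d "$tmp"
-install -m 0755 "${tmp}/dist/checkov" "$dest_bin"
 ;;
 
 gitleaks)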
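Review bot: The new Linux branch (`pip3 install --no-cache-dir --target "$lib_dir" "checkov==${version}"`) gives up the integrity check that the darwin/windows branch still performs with `sha256_verify`: only checkov's own version is pinned, its transitive dependencies resolve to whatever PyPI serves at install time, and nothing is compared against a repo-pinned digest, so the "verify against repo-pinned sha256sums" comment no longer describes the platform the CI image actually runs on. A hash-locked requirements file would restore that guarantee: `pip3 install --no-cache-dir --require-hashes --target "$lib_dir" -r "${script_dir}/checksums/<hash-locked checkov requirements file>"`, regenerated alongside the sha256sums whenever CHECKOV_VERSION is bumped (`pip-compile --generate-hashes` or `pip hash` produce the entries). A short comment above the `pip3 install` line should also state that `version` is here used as a PyPI version string, since the same variable names a GitHub release tag on the other branch and the two formats need not agree. The enclosing `case "$tool" in` begins and ends outside the hunk.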
