mirror of
https://github.com/empayre/fleet.git
synced 2024-11-06 08:55:24 +00:00
fb152b9114
## Summary

This pull request is created by [Secure Repo](https://app.stepsecurity.io/securerepo) at the request of @zwass. Please merge the Pull Request to incorporate the requested changes. Please tag @zwass on your message if you have any questions related to the PR. You can also engage with the [StepSecurity](https://github.com/step-security) team by tagging @step-security-bot.

## Security Fixes

### Secure Dockerfiles

Pin image tags to digests in Dockerfiles. With the Docker v2 API release, it became possible to use digests in place of tags when pulling images or to use them in FROM lines in Dockerfiles.

- [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies)

## Feedback

For bug reports, feature requests, and general feedback, please create an issue in [step-security/secure-repo](https://github.com/step-security/secure-repo). To create such PRs, please visit https://app.stepsecurity.io/securerepo.

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>

---------

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Co-authored-by: Zach Wasserman <zach@fleetdm.com>
34 lines
1.3 KiB
Docker
```dockerfile
# Builder stage: base image pinned by digest (the tag is informational once a digest is given).
FROM rust:latest@sha256:02a53e734724bef4a58d856c694f826aa9e7ea84353516b76d9a6d241e9da60e AS builder

ARG transporter_url=https://itunesconnect.apple.com/WebObjects/iTunesConnect.woa/ra/resources/download/public/Transporter__Linux/bin

# Install a fixed version of rcodesign, then download and unpack the Transporter installer.
RUN cargo install --version 0.16.0 apple-codesign \
  && curl -sSf $transporter_url -o transporter_install.sh \
  && sh transporter_install.sh --target transporter --accept --noexec

# Runtime stage: base image pinned by digest.
FROM debian:stable-slim@sha256:0f116858482fd8222b4f7e9b4cdc9a054051e67fbb8a57bc22651f0d56b45ad8

ARG binpath=build/binary-bundle/linux/fleetctl

RUN apt-get update \
  && dpkg --add-architecture i386 \
  && apt update \
  && apt install -y --no-install-recommends ca-certificates cpio libxml2 wine wine32 libgtk-3-0 \
  && rm -rf /var/lib/apt/lists/*

# copy macOS dependencies
# (fleetdm/bomutils is referenced by the mutable :latest tag, not by digest)
COPY --from=fleetdm/bomutils:latest /usr/bin/mkbom /usr/local/bin/xar /usr/bin/
COPY --from=fleetdm/bomutils:latest /usr/local/lib /usr/local/lib/
COPY --from=builder /transporter/itms /usr/local/
COPY --from=builder /usr/local/cargo/bin/rcodesign /usr/local/bin

# copy Windows dependencies
# (fleetdm/wix is referenced by the mutable :latest tag, not by digest)
COPY --from=fleetdm/wix:latest /home/wine /home/wine

# copy fleetctl
COPY ${binpath} /usr/bin/fleetctl

ENV FLEETCTL_NATIVE_TOOLING=1 WINEPREFIX=/home/wine/.wine WINEARCH=win32 PATH="/home/wine/bin:$PATH" WINEDEBUG=-all

ENTRYPOINT ["fleetctl"]
```
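An added example, not part of the Fleet repository or the StepSecurity change: a small Python check that lists image references in a Dockerfile that are not pinned to a sha256 digest, covering `COPY --from=` as well as `FROM`. The sample input is constructed to mirror the file above with a placeholder digest, and the function names are hypothetical.

```python
import re

DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
FROM_RE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)
COPY_FROM_RE = re.compile(r"^COPY\s+.*?--from=(\S+)", re.I)

def logical_lines(text):
    """Yield (first_line_number, instruction), joining backslash continuations."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are not instructions
        start = start or n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", 0

def unpinned_images(text):
    """Return [(line, instruction, image)] for external images lacking a digest."""
    stages, findings = set(), []
    for n, ins in logical_lines(text):
        m = FROM_RE.match(ins)
        if m:
            image, alias = m.group(1), m.group(2)
            local = image.lower() == "scratch" or image.lower() in stages
            if not local and not DIGEST.search(image):
                findings.append((n, "FROM", image))
            if alias:
                stages.add(alias.lower())
            continue
        m = COPY_FROM_RE.match(ins)
        if m:
            src = m.group(1)
            # --from may name an earlier build stage or its index; those are local.
            local = src.lower() in stages or src.isdigit()
            if not local and not DIGEST.search(src):
                findings.append((n, "COPY --from", src))
    return findings

PIN = "@sha256:" + "a" * 64  # constructed placeholder digest, not a real image
SAMPLE = f"""FROM rust:latest{PIN} AS builder
RUN cargo install --version 0.16.0 apple-codesign \\
  && true
FROM debian:stable-slim{PIN}
# copy macOS dependencies
COPY --from=fleetdm/bomutils:latest /usr/bin/mkbom /usr/bin/
COPY --from=builder /usr/local/cargo/bin/rcodesign /usr/local/bin
COPY --from=fleetdm/wix:latest /home/wine /home/wine
"""
```

Calling `unpinned_images(SAMPLE)` reports the two `COPY --from=` references that still resolve through `:latest`; a `FROM` whose image comes from an `ARG` variable is also reported, since it cannot be checked statically.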