Initial Commit
Ira W. Snyder committed Mar 31, 2020
0 parents commit 9f6e742
Showing 10 changed files with 451 additions and 0 deletions.
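--- a/.dockerfile_lint/default_rules.yaml
+++ b/.dockerfile_lint/default_rules.yaml
@@ -0,0 +1,182 @@
+# https://github.com/projectatomic/dockerfile_lint
+---
+profile:
+name: "Default"
+description: "Default Profile. Checks basic syntax."
+line_rules:
+LABEL:
+paramSyntaxRegex: /.+/
+defined_namevals:
+Name:
+valueRegex: /[\w]+/
+message: "Label 'name' is missing or has invalid format"
+level: "error"
+required: true
+Version:
+valueRegex: /[\w.${}()"'\\\/~<>\-?\%:]+/
+message: "Label 'version' is missing or has invalid format"
+level: "error"
+required: true
+Maintainer:
+valueRegex: /[\w]+/
+message: "Label 'maintainer' is missing or has invalid format"
+level: "error"
+required: true
+
+FROM:
+paramSyntaxRegex: /^[\w./\-:]+(:[\w.]+)?(-[\w]+)?( as \w+)?$/i
+rules:
+-
+label: "is_latest_tag"
+regex: /latest/
+level: "error"
+message: "base image uses 'latest' tag"
+description: "using the 'latest' tag may cause unpredictable builds. It is recommended that a specific tag is used in the FROM line or *-released which is the latest supported release."
+reference_url:
+- "https://docs.docker.com/engine/reference/builder/"
+- "#from"
+-
+label: "no_tag"
+regex: /^[:]/
+level: "error"
+message: "No tag is used"
+description: "lorem ipsum tar"
+reference_url:
+- "https://docs.docker.com/engine/reference/builder/"
+- "#from"
+-
+label: "specified_registry"
+regex: /[\w]+?\.[\w-]+(\:|\.)([\w.]+|(\d+)?)([/?:].*)?/
+level: "warn"
+message: "using a specified registry in the FROM line"
+description: "using a specified registry may supply invalid or unexpected base images"
+reference_url:
+- "https://docs.docker.com/engine/reference/builder/"
+- "#entrypoint"
+RUN:
+paramSyntaxRegex: /.+/
+rules:
+-
+label: "no_yum_clean_all"
+regex: /yum(?!.+clean all|.+\.repo|-config|\.conf)/g
+level: "warn"
+message: "yum clean all is not used"
+description: "the yum cache will remain in this layer making the layer unnecessarily large"
+reference_url:
+- "http://docs.projectatomic.io/container-best-practices/#"
+- "_clear_packaging_caches_and_temporary_package_downloads"
+-
+label: "yum_update_all"
+regex: /yum(.+update all|.+upgrade|.+update|\.config)/
+level: "info"
+message: "updating the entire base image may add unnecessary size to the container"
+description: "update the entire base image may add unnecessary size to the container"
+reference_url:
+- "http://docs.projectatomic.io/container-best-practices/#"
+- "_clear_packaging_caches_and_temporary_package_downloads"
+-
+label: "no_dnf_clean_all"
+regex: /dnf(?!.+clean all|.+\.repo)/g
+level: "warn"
+message: "dnf clean all is not used"
+description: "the dnf cache will remain in this layer making the layer unnecessarily large"
+reference_url:
+- "http://docs.projectatomic.io/container-best-practices/#"
+- "_clear_packaging_caches_and_temporary_package_downloads"
+-
+label: "no_rvm_cleanup_all"
+regex: /rvm install(?!.+cleanup all)/g
+level: "warn"
+message: "rvm cleanup is not used"
+description: "the rvm cache will remain in this layer making the layer unnecessarily large"
+reference_url:
+- "http://docs.projectatomic.io/container-best-practices/#"
+- "_clear_packaging_caches_and_temporary_package_downloads"
+-
+label: "no_gem_clean_all"
+regex: /gem install(?!.+cleanup|.+\rvm cleanup all)/g
+level: "warn"
+message: "gem cleanup all is not used"
+description: "the gem cache will remain in this layer making the layer unnecessarily large"
+reference_url:
+- "http://docs.projectatomic.io/container-best-practices/#"
+- "_clear_packaging_caches_and_temporary_package_downloads"
+-
+label: "no_apt-get_clean"
+regex: /apt-get install(?!.+clean)/g
+level: "warn"
+message: "apt-get clean is not used"
+description: "the apt-get cache will remain in this layer making the layer unnecessarily large"
+reference_url:
+- "http://docs.projectatomic.io/container-best-practices/#"
+- "_clear_packaging_caches_and_temporary_package_downloads"
+-
+label: "privileged_run_container"
+regex: /privileged/
+level: "warn"
+message: "a privileged run container is allowed access to host devices"
+description: "Does this run need to be privileged?"
+reference_url:
+- "http://docs.docker.com/engine/reference/run/#"
+- "runtime-privilege-and-linux-capabilities"
+-
+label: "installing_ssh"
+regex: /openssh-server/
+level: "warn"
+message: "installing SSH in a container is not recommended"
+description: "Do you really need SSH in this image?"
+reference_url: "https://github.com/jpetazzo/nsenter"
+-
+label: "no_ampersand_usage"
+regex: / ; /
+level: "warn"
+message: "using ; instead of &&"
+description: "RUN do_1 && do_2: The ampersands change the resulting evaluation into do_1 and then do_2 only if do_1 was successful."
+reference_url:
+- "http://docs.projectatomic.io/container-best-practices/#"
+- "#_using_semi_colons_vs_double_ampersands"
+EXPOSE:
+paramSyntaxRegex: /^[\d-\s\w/\\]+$/
+rules: []
+ENV:
+paramSyntaxRegex: /.+/
+rules: []
+ADD:
+paramSyntaxRegex: /^~?([\w-.~:/?#\[\]\\\/*@!$&'()*+,;=.{}"]+[\s]*)+$/
+COPY:
+paramSyntaxRegex: /.+/
+rules: []
+ENTRYPOINT:
+paramSyntaxRegex: /.+/
+rules: []
+VOLUME:
+paramSyntaxRegex: /.+/
+rules: []
+USER:
+paramSyntaxRegex: /^[a-z0-9_][a-z0-9_]{0,40}$/
+rules: []
+WORKDIR:
+paramSyntaxRegex: /^~?[\w\d-\/.{}$\/:]+[\s]*$/
+rules: []
+ONBUILD:
+paramSyntaxRegex: /.+/
+rules: []
+required_instructions:
+-
+instruction: "ENTRYPOINT"
+count: 1
+level: "info"
+message: "There is no 'ENTRYPOINT' instruction"
+description: "None"
+reference_url:
+- "https://docs.docker.com/engine/reference/builder/"
+- "#entrypoint"
+-
+instruction: "CMD"
+count: 1
+level: "info"
+message: "There is no 'CMD' instruction"
+description: "None"
+reference_url:
+- "https://docs.docker.com/engine/reference/builder/"
+- "#cmd"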
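Review bot: The FROM `no_tag` rule's regex `/^[:]/` can never match a real FROM argument, because the image name always precedes the colon, so an untagged base image such as `FROM centos` passes this profile silently while only the literal `latest` tag is caught by `is_latest_tag`; its description is also the placeholder `lorem ipsum tar`. This file appears to be a copy of upstream dockerfile_lint's default rules (see the URL comment at the top), so the fix may belong upstream, but locally it could read `regex: /^[^:@\s]+(\s+as\s+\w+)?$/i` (neither a `:tag` nor an `@sha256:` digest) with `description: "the base image has no tag or digest, so the build is not reproducible"`. Note that the rendered page has dropped the YAML indentation, so the nesting above has to be checked against the raw file rather than this view.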
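--- a/.dockerfile_lint/github_actions.yaml
+++ b/.dockerfile_lint/github_actions.yaml
@@ -0,0 +1,138 @@
+# https://github.com/projectatomic/dockerfile_lint
+profile:
+name: "GitHub Actions"
+description: "Checks for GitHub Actions."
+includes:
+- default_rules.yaml
+general:
+# It appears these get duplicated rather than overriding. The hope was to use this as a counter to the
+# `required_instructions` section, but perhaps it defines the `line_rules` map. It would be great to either be able
+# to set `required_instructions` to a 0 value or have an `invalid_instructions` section?
+valid_instructions:
+- FROM
+- RUN
+- CMD
+- LABEL
+- ENV
+- ADD
+- COPY
+- ENTRYPOINT
+- WORKDIR
+- ONBUILD
+- ARG
+- STOPSIGNAL
+- SHELL
+line_rules:
+# Invalid Lines
+ADD:
+paramSyntaxRegex: /.+/
+rules:
+-
+label: "add_antipattern"
+regex: /.+/
+level: "info"
+message: "Avoid using ADD"
+description: "It is generally an anti-pattern to us ADD, use COPY instead."
+EXPOSE:
+paramSyntaxRegex: /.+/
+rules:
+-
+label: "expose_invalid"
+regex: /.+/
+level: "error"
+message: "There should not be an 'EXPOSE' instruction"
+description: "Actions should not expose ports."
+HEALTHCHECK:
+paramSyntaxRegex: /.+/
+rules:
+-
+label: "healthcheck_invalid"
+regex: /.+/
+level: "error"
+message: "There should not be a 'HEALTHCHECK' instruction"
+description: "Actions should not require HEALTHCHECKs."
+MAINTAINER:
+paramSyntaxRegex: /.+/
+rules:
+-
+label: "maintainer_deprecated"
+regex: /.+/
+level: "info"
+message: "the MAINTAINER command is deprecated"
+description: "MAINTAINER is deprecated in favor of using LABEL since Docker v1.13.0"
+reference_url:
+- "https://github.com/docker/cli/blob/master/docs/deprecated.md"
+- "#maintainer-in-dockerfile"
+SHELL:
+paramSyntaxRegex: /.+/
+rules:
+-
+label: "shell_invalid"
+regex: /.+/
+level: "info"
+message: "There should not be a 'SHELL' instruction"
+description: "Actions generally rely on sh and setting an alternative shell may have unexpected consequences."
+USER:
+paramSyntaxRegex: /.+/
+rules:
+-
+label: "user_discouraged"
+regex: /.+/
+level: "warn"
+message: "'USER' instruction exists"
+description: "Actions don't expect a USER to be set."
+VOLUME:
+paramSyntaxRegex: /.+/
+rules:
+-
+label: "volume_invalid"
+regex: /.+/
+level: "error"
+message: "There should not be a 'VOLUME' instruction"
+description: "Actions do not support volumes."
+
+# Required Labels
+LABEL:
+paramSyntaxRegex: /.+/
+defined_namevals:
+com.github.actions.name:
+valueRegex: /[\w]+/
+message: "Label 'com.github.actions.name' is missing or has invalid format"
+level: "error"
+required: true
+com.github.actions.description:
+valueRegex: /[\w]+/
+message: "Label 'com.github.actions.description' is missing or has invalid format"
+level: "error"
+required: true
+com.github.actions.icon:
+valueRegex: /[\w]+/
+message: "Label 'com.github.actions.icon' is missing or has invalid format"
+level: "error"
+required: true
+com.github.actions.color:
+valueRegex: /[\w]+/
+message: "Label 'com.github.actions.color' is missing or has invalid format"
+level: "error"
+required: true
+
+
+required_instructions:
+-
+instruction: "ENTRYPOINT"
+count: 1
+level: "error"
+message: "There is no 'ENTRYPOINT' instruction"
+description: "Actions require that a default ENTRYPOINT be set"
+reference_url:
+- "https://docs.docker.com/engine/reference/builder/"
+- "#entrypoint"
+-
+instruction: "CMD"
+count: 1
+level: "info"
+message: "There is no 'CMD' instruction"
+description: "In most cases it is helpful to include reasonable defaults for CMD"
+reference_url:
+- "https://docs.docker.com/engine/reference/builder/"
+- "#cmd"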
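Review bot: The `user_discouraged` rule warns contributors away from dropping root without saying why, and read cold it looks like a security regression that a later maintainer will "fix" by deleting the rule; the reason, as I recall from GitHub's Docker-action docs, is that the runner bind-mounts `GITHUB_WORKSPACE` and expects the container to run as the default (root) user so it can write there. Put that in the description, e.g. `description: "GitHub runs Docker actions as the default (root) user so they can write to GITHUB_WORKSPACE; a USER instruction can break that, so drop privileges inside the entrypoint instead if needed."` The `# It appears these get duplicated rather than overriding` comment also applies to the `ADD`/`EXPOSE`/`USER` entries below it, which re-declare `paramSyntaxRegex: /.+/` far looser than the included default profile; which copy wins is not visible here and is worth verifying with a deliberately malformed Dockerfile. Minor: `to us ADD` should be `to use ADD`.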
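--- a/.dockerignore
+++ b/.dockerignore
@@ -0,0 +1,7 @@
+# ignore all files by default
+*
+# include required files with an exception
+!entrypoint.sh
+!LICENSE
+!README.md
+!THIRD_PARTY_NOTICE.md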
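--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -0,0 +1,27 @@
+name: CI
+
+on:
+push:
+branches:
+- master # Push events on master branch
+pull_request: # Run tests for any PRs
+
+jobs:
+# Run tests.
+# See also https://docs.docker.com/docker-hub/builds/automated-testing/
+test:
+runs-on: ubuntu-latest
+
+steps:
+- uses: actions/checkout@v2
+
+- name: Dockerfile lint
+uses: docker://replicated/dockerfilelint:09a5034
+with:
+args: Dockerfile
+
+- name: Docker build
+run: docker build . --file Dockerfile --tag image
+
+- name: Docker run
+run: docker run --entrypoint /opt/puppetlabs/bin/puppet image --version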
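Review bot: Both third-party steps are pinned to mutable references — `actions/checkout@v2` is a moving tag and `docker://replicated/dockerfilelint:09a5034` is a Docker Hub tag the publisher can re-push — so the job that then builds and runs the image executes whatever those references resolve to on the day it runs, including on pull requests. Pin the action to a full commit SHA (`uses: actions/checkout@<40-hex-sha> # v2`) and the lint image by digest (`uses: docker://replicated/dockerfilelint@sha256:<digest>`), which is the same reproducibility this repo's own `is_latest_tag` rule asks of Dockerfiles. Separately, replicated/dockerfilelint is, as far as I know, a different tool from projectatomic/dockerfile_lint, so the two profiles committed under `.dockerfile_lint/` appear never to run in CI; either invoke that tool (something like `dockerfile_lint -f Dockerfile -r .dockerfile_lint/github_actions.yaml`) or document what the profiles are for.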
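--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,18 @@
+FROM centos:8
+
+LABEL name="puppet-parser-validate-action"
+LABEL repository="https://github.com/irasnyd/puppet-parser-validate-action"
+LABEL homepage="https://github.com/irasnyd/puppet-parser-validate-action"
+
+LABEL "com.github.actions.name"="puppet-parser-validate-action"
+LABEL "com.github.actions.description"="GitHub Action to run 'puppet parser validate' syntax check"
+LABEL "com.github.actions.icon"="share-2"
+LABEL "com.github.actions.color"="orange"
+
+LABEL "maintainer"="Ira W. Snyder <https://github.com/irasnyd/>"
+
+RUN yum -y install http://yum.puppetlabs.com/puppet5/el/8/x86_64/puppet-agent-5.5.19-1.el8.x86_64.rpm
+COPY entrypoint.sh /entrypoint.sh
+RUN ["chmod", "+x", "/entrypoint.sh"]
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["./"]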
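Review bot: The `RUN yum -y install http://yum.puppetlabs.com/...rpm` line fetches the puppet-agent RPM over plain HTTP and installs it by URL, and for a package given by URL rather than from a configured repo the dnf-based yum on centos:8 only checks the signature when `localpkg_gpgcheck` is enabled (off by default, as I recall), so the image build trusts whatever an on-path attacker or a compromised mirror serves. Switch to `https://`, import Puppet's release signing key with `rpm --import` first, and install with `--setopt=localpkg_gpgcheck=1` so an unsigned or re-signed RPM fails the build, e.g. `RUN rpm --import <puppet-release-key-url> && yum -y --setopt=localpkg_gpgcheck=1 install https://yum.puppetlabs.com/puppet5/el/8/x86_64/puppet-agent-5.5.19-1.el8.x86_64.rpm && yum clean all`; the trailing `yum clean all` also avoids the cache layer the committed lint profile's `no_yum_clean_all` rule warns about. `FROM centos:8` pins only a tag; adding an `@sha256:` digest would make the base image reproducible as well. The absence of `USER` is expected for a GitHub Docker action, which the runner executes as root, so that is not a finding here.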
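--- a/LICENSE
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 Ira W. Snyder <https://github.com/irasnyd/>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.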