SAST: instrument all RUN lines in Dockerfile

This will cause all RUN lines to be printed rather than executed, which will obviously break the build. Nevertheless, if the lines are printed, it means that we can easily instrument Dockerfile before the build.
kdudka · Aug 7, 2024 · 8899893 · 8899893
1 parent 0636094
commit 8899893
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/.tekton/konflux-test-multicluster-global-hub-agent-pull-request.yaml b/.tekton/konflux-test-multicluster-global-hub-agent-pull-request.yaml
@@ -556,6 +556,12 @@ spec:
                   done < <(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \;)
                 fi
 
+                # install some glue tools developed for OpenScanHub
+                microdnf install -y csdiff
+
+                # instrument all RUN lines in Dockerfile
+                cstrans-df-run --in-place "$dockerfile_path" --verbose echo
+
                 unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \
                   $VOLUME_MOUNTS \
                   "${BUILDAH_ARGS[@]}" \