chore(ci): added docker security scan and a linter (#496)

* chore(ci): add the snyk docker image scan

* chore(dep): bump all base images to most recent LTS

* chore(dep): bump all base images to most recent LTS

* chore(ci): add hadolint

* chore(security): common practice is swaying towards do upgrades in images

* fix(ci): revert the rhel base image upgrade

* Update alpine/Dockerfile

* pin the hadolint scanner

.travis.yml

@@ -1,7 +1,5 @@
 language: generic
-
-services:
-  - docker
+dist: bionic
 
 env:
   matrix:
@@ -10,6 +8,11 @@ env:
     - BASE="ubuntu" KONG_DOCKER_TAG="kong-ubuntu" PACKAGE_TYPE="deb"
     - BASE="rhel" KONG_DOCKER_TAG="kong-rhel" PACKAGE_TYPE="rpm"
 
+before_install:
+  - curl -fsSL https://get.docker.com -o get-docker.sh
+  - sh ./get-docker.sh
+  - echo "$DOCKER_KEY" | docker login -u "$DOCKER_USER" --password-stdin
+
 before_script:
   - if [ "$TRAVIS_SECURE_ENV_VARS" = "true" ]; then echo "$DOCKER_KEY" | docker login -u "$DOCKER_USER" --password-stdin; else echo "no docker credentials to log in, watch for the rate-limit"; fi
   - sudo apt-get install figlet

alpine/Dockerfile

@@ -7,6 +7,7 @@ ENV ASSET $ASSET
 
 ARG EE_PORTS
 
+# hadolint ignore=DL3010
 COPY kong.tar.gz /tmp/kong.tar.gz
 
 ARG KONG_VERSION=2.5.0
@@ -19,6 +20,7 @@ ENV KONG_AMD64_SHA $KONG_AMD64_SHA
 ARG KONG_ARM64_SHA="131964ce443f2d08dc98191fcc442867f2dee2f741ccee9cc519bb99c765f3cf"
 ENV KONG_ARM64_SHA $KONG_ARM64_SHA
 
+# hadolint ignore=DL3018
 RUN set -eux; \
     arch="$(apk --print-arch)"; \
     case "${arch}" in \
@@ -36,6 +38,7 @@ RUN set -eux; \
     && mv /kong/usr/local/* /usr/local \
     && mv /kong/etc/* /etc \
     && rm -rf /kong \
+    && apk upgrade \
     && apk add --no-cache libstdc++ libgcc openssl pcre perl tzdata libcap zip bash zlib zlib-dev git ca-certificates \
     && adduser -S kong \
     && addgroup -S kong \

centos/Dockerfile

@@ -1,4 +1,4 @@
-FROM centos:7
+FROM centos:8
 LABEL maintainer="Kong <[email protected]>"
 
 ARG ASSET=ce
@@ -13,12 +13,14 @@ ENV KONG_VERSION $KONG_VERSION
 
 ARG KONG_SHA256="87b789aed871991b92d264b02ceca3c66246c825c28dd71e73faac7293e43fa2"
 
+# hadolint ignore=DL3033
 RUN set -ex; \
     if [ "$ASSET" = "ce" ] ; then \
       curl -fL https://download.konghq.com/gateway-${KONG_VERSION%%.*}.x-centos-7/Packages/k/kong-$KONG_VERSION.el7.amd64.rpm -o /tmp/kong.rpm \
       && echo "$KONG_SHA256  /tmp/kong.rpm" | sha256sum -c -; \
     fi; \
-    yum install -y -q unzip shadow-utils git \
+    yum update -y \
+    && yum install -y -q unzip shadow-utils git \
     && yum clean all -q \
     && rm -fr /var/cache/yum/* /tmp/yum_save*.yumtx /root/.pki \
     # Please update the centos install docs if the below line is changed so that

hadolint.yaml

@@ -0,0 +1,5 @@
+ignored:
+  - DL3008
+  - DL3027
+  - SC2046
+  - DL4006

tests/01-image.test.sh

@@ -3,7 +3,12 @@
 function run_test {
   tinitialize "Docker-Kong test suite" "${BASH_SOURCE[0]}"
 
+  docker run -i --rm -v $PWD/hadolint.yaml:/.config/hadolint.yaml hadolint/hadolint:2.7.0 < $BASE/Dockerfile
 
+  if [[ ! -z "${SNYK_SCAN_TOKEN}" ]]; then
+    docker scan --accept-license --login --token "${SNYK_SCAN_TOKEN}"
+    docker scan --accept-license --exclude-base --severity=high --file $BASE/Dockerfile kong-$BASE
+  fi
 
   # Test the proper version was buid
   tchapter "test $BASE image"
@@ -23,8 +28,6 @@ function run_test {
   fi
   popd
 
-
-
   # Docker swarm test
   ttest "Docker swarm test"
 

ubuntu/Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:xenial
+FROM ubuntu:focal
 
 ARG ASSET=ce
 ENV ASSET $ASSET
@@ -10,8 +10,10 @@ COPY kong.deb /tmp/kong.deb
 ARG KONG_VERSION=2.5.0
 ENV KONG_VERSION $KONG_VERSION
 
+# hadolint ignore=DL3015
 RUN set -ex \
     && apt-get update \
+    && apt-get upgrade -y \
     && if [ "$ASSET" = "ce" ] ; then \
       apt-get install -y curl \
       && curl -fL https://download.konghq.com/gateway-${KONG_VERSION%%.*}.x-ubuntu-$(cat /etc/os-release | grep UBUNTU_CODENAME | cut -d = -f 2)/pool/all/k/kong/kong_${KONG_VERSION}_$(dpkg --print-architecture).deb -o /tmp/kong.deb \