Enable Clair security scanning on Quay
Since the router image was simplified, Quay reports scanning results,
but these are misleading. It turns out that while Clair (the scanning
tool used in Quay) can identify the packages shipped in the minimised
images, it needs extra information to identify vulnerabilities in
those packages; specifically, in UBI-based images, /root/buildinfo.
See
https://github.com/quay/claircore/blob/main/rhel/repositoryscanner.go
for reference.

This fixes that by copying the appropriate information from the
"packager" image. While we're at it, copy the repository information
too; this simplifies building further images on top of this one. Some
WORKDIR statements are superfluous so those are removed too.

Signed-off-by: Stephen Kitt <[email protected]>
skitt committed Feb 4, 2025
1 parent b87e9a6 commit 73123d7
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions Containerfile
Expand Up @@ -70,13 +70,13 @@ RUN dnf -y --setopt=install_weak_deps=0 --nodocs \
FROM scratch

COPY --from=packager /output /
COPY --from=packager /etc/yum.repos.d /etc/yum.repos.d
COPY --from=packager /root/buildinfo /root/buildinfo

USER 10000

WORKDIR /
COPY --from=builder /image /

WORKDIR /home/skrouterd/etc
WORKDIR /home/skrouterd/bin
COPY ./scripts/* /home/skrouterd/bin/
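
Review bot: the two COPY lines for /etc/yum.repos.d and /root/buildinfo have no comment in the Containerfile saying they are there so that Clair can match the packages to their repositories; that reason lives only in the commit message, so a later cleanup of the scratch stage could drop them and bring back the misleading scan results without any build failure. Please add a one-line comment above them. Both paths are also taken from the packager stage's own root rather than from /output, so it is worth confirming that the data under /root/buildinfo describes the same repositories the packages in /output were installed from, otherwise the scanner will be matching against the wrong package source.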
