CHANGELOG.md if necessary

Issue
fixes https://github.com/crashappsec/chalk/issues/305

Description
Wrapped chalk build does a couple of things:
- /chalk.json
- /chalk
- adjusts ENTRYPOINT and/or CMD to run /chalk exec on container start which reports the content of the /chalk.json

As such whenever a non-chalk-wrapped docker build would build an image based on chalked base image it:
- preserved /chalk.json
- preserved ENTRYPOINT/CMD from the base image

As a result chalk exec would report chalk mark of the base image hence losing any context that in reality a child image is actually running.

This adds ONBUILD directives in docker while building base image which ensure that /chalk.json is mutated when a child image is built. This ensures that we can report base image METADATA_ID however indicating that another image is actually running.

This is a first step in the image lineage feature.

Testing
➜ make tests args="test_docker.py::test_onbuild --pdb --logs"