adjusts ENTRYPOINT and/or CMD to run /chalk exec on container start which reports the content of the /chalk.json
As such whenever a non-chalk-wrapped docker build would build an image based on chalked base image it:
preserved /chalk.json
preserved ENTRYPOINT/CMD from the base image
As a result chalk exec would report chalk mark of the base image hence loosing any context that in reality a child image is actually running.
This adds ONBUILD directives in docker while building base image which ensure that /chalk.json is mutated when a child image is built. This ensures that we can report base image METADATA_ID however indicating that another image is actually running.
This is a first step in the image lineage feature.
Testing
➜ make tests args="test_docker.py::test_onbuild --pdb --logs"
CHANGELOG.mdif necessaryIssue
fixes https://github.com/crashappsec/chalk/issues/305
Description
Wrapped chalk build does a couple of things:
/chalk.json/chalkENTRYPOINTand/orCMDto run/chalk execon container start which reports the content of the/chalk.jsonAs such whenever a non-chalk-wrapped docker build would build an image based on chalked base image it:
/chalk.jsonENTRYPOINT/CMDfrom the base imageAs a result
chalk execwould report chalk mark of the base image hence loosing any context that in reality a child image is actually running.This adds
ONBUILDdirectives in docker while building base image which ensure that/chalk.jsonis mutated when a child image is built. This ensures that we can report base imageMETADATA_IDhowever indicating that another image is actually running.This is a first step in the image lineage feature.
Testing