Open jwillker opened 1 year ago
My initial thoughts on curl | bash are coloured by my past history with things like:
and as such, given the space we're operating in, I'd prefer for OSV Scanner to have a very solid supply chain security story.
I totally agree with the spirit of this issue though. As a Debian Developer, I'd like to see it packaged for Debian :-)
I am not very familiar with goreleaser so any help would be appreciated, +1 on being cautious with curl | bash though.
I think the first step is producing a docker image, which can also be used when making the CI/CD action.
I did try to build a docker image from the current Dockerfile in the repo, but I don't seem to be able to run the osv-scanner with arguments.
When trying to scan a directory:
docker run --rm koenhendriks/osv-scanner -v ${PWD}:/app -r /app
returns:
osv-scanner version: dev
commit: n/a
built at: n/a
And when trying to run with --lockfile I get the same:
docker run --rm koenhendriks/osv-scanner -v ${PWD}:/app --lockfile=/app/composer.lock
returns:
osv-scanner version: dev
commit: n/a
built at: n/a
Running it from go locally works fine.
@koenhendriks The problem here is you are passing -v to the osv-scanner. I think you want to use docker -v to pass a volume; the order matters.
Maybe you should do: docker run --rm -v ${PWD}:/app koenhendriks/osv-scanner -r /app
@another-rex I just opened a PR to implement a docker image publish feature using Goreleaser: https://github.com/google/osv-scanner/pull/63
Can you review and comment on the open points, please?
https://github.com/taiki-e/install-action now supports osv-scanner
The project has a high chance of gaining a lot of adoption. To help with adoption, the project could provide other ways to install besides go install or downloading binaries. This facilitates the use of osv-scanner on different machines, servers, CI/CD, etc.
My proposal is that the project could have the following:
All this can be done using the goreleaser. I can help with PRs if these features make sense!
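As an added example of the "solid supply chain story" the thread asks for (this is not code from the osv-scanner project or any of the commenters), the snippet below installs a downloaded release archive only after checking it against the release's SHA-256 checksum list, rather than piping an install script into a shell. It assumes the checksum file uses the sha256sum text layout ("<hash>  <file>"), which is what goreleaser's checksums file looks like; the archive and checksum file names used in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the osv-scanner project: verify a release
# archive against a SHA-256 checksum list before unpacking it.
# Assumption: the checksum file has sha256sum text lines, "<hash>  <file>",
# optionally with a leading "*" on the file name (sha256sum binary mode).

# verify_release <checksums-file> <archive>
# Returns 0 only if <archive> is listed in <checksums-file> and its SHA-256
# matches; returns 1 if it is unlisted or the digest differs.
verify_release() {
  checksums="$1"
  archive="$2"
  name=$(basename "$archive")
  # Pick the expected digest for this file name; strip a "*" mode marker.
  expected=$(awk -v f="$name" '{ sub(/^\*/, "", $2) }
                               $2 == f { print $1; exit }' "$checksums")
  if [ -z "$expected" ]; then
    echo "verify_release: $name is not listed in $checksums" >&2
    return 1
  fi
  actual=$(sha256sum "$archive" | awk '{ print $1 }')
  if [ "$actual" != "$expected" ]; then
    echo "verify_release: checksum mismatch for $name" >&2
    echo "  expected $expected" >&2
    echo "  got      $actual" >&2
    return 1
  fi
  return 0
}

# install_verified <checksums-file> <archive> <dest-dir>
# Unpacks the archive into <dest-dir> only if verification succeeds;
# nothing is written to <dest-dir> on a mismatch or an unlisted file.
install_verified() {
  verify_release "$1" "$2" || return 1
  mkdir -p "$3" && tar -xzf "$2" -C "$3"
}

# Typical use (constructed file names):
#   install_verified checksums.txt osv-scanner_example_linux_amd64.tar.gz ~/.local/bin
```

The unlisted-file case matters as much as the mismatch case: a checksum list that simply omits the artifact must fail closed, not be treated as "nothing to compare".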