jenkinsci / aqua-microscanner-plugin

Enables scanning of docker builds in Jenkins for OS package vulnerabilities.
https://plugins.jenkins.io/aqua-microscanner/
Apache License 2.0

Permission Denied when running Microscanner when WORKDIR is declared as VOLUME #20

Closed benoitm76 closed 5 years ago

benoitm76 commented 5 years ago

On some Docker images, WORKDIR is declared as VOLUME in the Dockerfile. This causes an error when Aqua microscanner is executed:

/bin/sh: ./microscanner: Permission denied

This is a known behavior of Docker layers, which do not capture changes on anonymous volumes. See: https://serverfault.com/questions/772227/chmod-not-working-correctly-in-docker

You can easily reproduce the bug with this Dockerfile:

FROM alpine
RUN mkdir /opt/microscanner
WORKDIR /opt/microscanner

VOLUME ["/opt/microscanner"]

ADD https://get.aquasec.com/microscanner .
USER 0
RUN chmod +x microscanner
ARG token
RUN ./microscanner ${token} --html

A simple fix consists of executing chmod and running microscanner in the same RUN command.

oranmoshai commented 5 years ago

LGTM
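
An added example, not part of the issue thread or the plugin's code: a heuristic Python check for the pattern reported above, where one RUN step depends on a change that an earlier RUN step made inside a directory declared as VOLUME. `REPRO` is the Dockerfile from the issue; the function name `volume_run_conflicts` and the `FIXED` variant (the suggested single-RUN fix) are constructed for illustration.

```python
import json
import posixpath
import re

# Dockerfile from the issue above (the reproduction).
REPRO = """\
FROM alpine
RUN mkdir /opt/microscanner
WORKDIR /opt/microscanner
VOLUME ["/opt/microscanner"]
ADD https://get.aquasec.com/microscanner .
USER 0
RUN chmod +x microscanner
ARG token
RUN ./microscanner ${token} --html
"""

# Constructed variant applying the fix suggested in the issue.
FIXED = REPRO.replace(
    "RUN chmod +x microscanner\nARG token\nRUN ./microscanner",
    "ARG token\nRUN chmod +x microscanner && ./microscanner",
)


def volume_run_conflicts(dockerfile_text):
    """Return (earlier_cmd, later_cmd) pairs of RUN steps that both execute with
    their working directory on a declared VOLUME: per the issue, what the earlier
    step changes there is not captured in the layer, so the later step misses it.
    Heuristic: no $VAR expansion, and volumes inherited from FROM are unknown."""
    text = re.sub(r"\\[ \t]*\n", " ", dockerfile_text)  # join continuation lines
    workdir, volumes, earlier_runs, findings = "/", [], {}, []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        keyword, arg = parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")
        if keyword == "FROM":  # new build stage: tracked state starts over
            workdir, volumes, earlier_runs = "/", [], {}
        elif keyword == "WORKDIR":
            workdir = posixpath.normpath(posixpath.join(workdir, arg))
        elif keyword == "VOLUME":  # JSON-array form or space-separated form
            paths = json.loads(arg) if arg.startswith("[") else arg.split()
            volumes += [posixpath.normpath(p) for p in paths]
        elif keyword == "RUN":
            for vol in volumes:
                if workdir == vol or workdir.startswith(vol.rstrip("/") + "/"):
                    findings += [(prev, arg) for prev in earlier_runs.get(vol, [])]
                    earlier_runs.setdefault(vol, []).append(arg)
    return findings
```

Running it on `REPRO` reports the `chmod` / `./microscanner` pair, while `FIXED` yields no findings because both commands share one RUN step.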