Packj stops :zap: Solarwinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply-chain
I've been playing with Packj in a way that has necessitated a lot of Docker rebuilds. I eventually opted to try to speed the build process up a bit. These are the associated changes, if you are interested in taking them on.
Dockerfile changes:

- Changed step ordering to decrease the number of step rebuilds required when common things (e.g. the codebase) change.
- Replaced usage of the `apt` command-line tool with `apt-get`. `apt` has an unstable interface and its authors recommend against using it in an automated fashion.
- Use Docker BuildKit caching for OS-level (apt), Python, and Ruby dependency installation steps.
- Optimised the Node.js installation process such that Node.js can be installed alongside the rest of the OS-level dependencies.
- Only go through the expensive / time-consuming sandbox setup process if the sandbox-related files have actually changed. If the codebase changes without the sandbox files changing, the previous sandbox setup persists.

Sandbox setup (`setup.sh`) changes:

- Added `set -uo pipefail` and `IFS=$'\n\t'` ('Unofficial bash strict mode') per best practice for bash scripts. Note that `set -e` (usually part of strict mode) was not easily doable here (without changing how the script works). To minimise changes, I just excluded it, but it'd be nice to be able to use it at some point in the future.
- Passing in the `-v` flag will print output that was previously just written to a log file. I added this to make the Docker image creation process more verbose, per best practice, as you typically won't get access to log files written during the image build process.
- Fixed typo ("Clonning" -> "Cloning").
- Fixed some cases where the script would incorrectly return a zero exit status, which would incorrectly imply to Docker that the script had exited successfully when it had in fact failed.
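A Dockerfile laid out the way the changes listed above describe, as an added example and not Packj's own Dockerfile or the diff in this pull request. The base image, apt package names, file names (`requirements.txt`, `Gemfile`, `sandbox/`, `main.py`) and the pip and Bundler cache paths are assumptions made for illustration:

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not Packj's Dockerfile: a build laid out the way the changes
# above describe. Base image, package names, file names and cache paths are
# assumptions for illustration.
FROM ubuntu:22.04

# Make every RUN step fail when any command in a pipeline fails (not only the
# last one), so a pattern like "cmd | tee build.log" cannot hide an error
# from Docker the way a script that exits zero on failure would.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
ENV DEBIAN_FRONTEND=noninteractive

# 1. OS-level dependencies first: they change least often, so this layer is
#    reused across almost all rebuilds. apt-get rather than apt, whose CLI is
#    not stable for scripted use. Node.js is installed in the same apt
#    transaction as everything else instead of in a separate, slower step.
#    The cache mounts keep downloaded .deb files and package lists between
#    builds; removing docker-clean stops the image from discarding them.
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
    --mount=type=cache,target=/var/lib/apt,sharing=locked \
    rm -f /etc/apt/apt.conf.d/docker-clean \
 && apt-get update \
 && apt-get install -y --no-install-recommends \
        ca-certificates build-essential python3 python3-pip \
        ruby ruby-dev nodejs npm strace

WORKDIR /packj

# 2. Language-level dependencies next, copying only the manifests so that a
#    source-only change does not invalidate these layers. pip's download
#    cache persists in a BuildKit cache mount.
COPY requirements.txt ./
RUN --mount=type=cache,target=/root/.cache/pip \
    pip3 install -r requirements.txt

# Ruby: Bundler's global gem cache (assumed to live under ~/.bundle/cache
# when global_gem_cache is enabled) is kept the same way.
COPY Gemfile Gemfile.lock ./
ENV BUNDLE_GLOBAL_GEM_CACHE=true
RUN --mount=type=cache,target=/root/.bundle/cache \
    gem install --no-document bundler \
 && bundle install

# 3. Sandbox setup is the expensive step, so only the files it depends on are
#    copied before it runs. Docker rebuilds this layer only when those files
#    change; any other change to the codebase leaves the built sandbox intact.
#    -v (from the setup.sh changes) sends the log to stdout, where it is
#    visible in the build output; a non-zero exit status aborts the build here.
COPY sandbox/ ./sandbox/
COPY setup.sh ./
RUN ./setup.sh -v

# 4. The rest of the codebase last: the layer most likely to change, with
#    nothing expensive depending on it.
COPY . .

ENTRYPOINT ["python3", "main.py"]
```

The `--mount=type=cache` syntax needs BuildKit (`DOCKER_BUILDKIT=1 docker build .`, the default in current Docker); the cache mounts live on the builder and are not part of the resulting image, so they speed up rebuilds without bloating the image. Build with `--progress=plain` to see the `setup.sh -v` output inline, which is the point of the flag: the log file itself would not be reachable if that step failed mid-build.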