-
Notifications
You must be signed in to change notification settings - Fork 18
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'main' into sts_fix_debian_packge
- Loading branch information
Showing
27 changed files
with
757 additions
and
417 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,35 +1,16 @@ | ||
name: "Code Linting" | ||
name: Lint (pre-commit) | ||
|
||
on: | ||
pull_request: | ||
branches: | ||
- "*" | ||
push: | ||
branches: | ||
- "*" | ||
|
||
jobs: | ||
pre-commit: | ||
lint: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Install Go | ||
uses: actions/setup-go@v2 | ||
with: | ||
go-version: v1.17.x | ||
|
||
- name: Install dependencies | ||
run: | | ||
cd /tmp && go install github.com/go-critic/go-critic/cmd/gocritic@latest | ||
curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.43.0 | ||
go install golang.org/x/lint/golint@latest | ||
go install github.com/fzipp/gocyclo/cmd/gocyclo@latest | ||
- uses: actions/checkout@v3 | ||
- uses: actions/setup-python@v2 | ||
|
||
- name: Fix up git URLs | ||
run: echo -e '[url "https://github.com/"]\n insteadOf = "git://github.com/"' >> ~/.gitconfig | ||
|
||
- uses: pre-commit/[email protected] | ||
- name: Install Go | ||
uses: actions/setup-go@v3 | ||
with: | ||
extra_args: --all-files | ||
go-version: v1.18.x | ||
cache: true | ||
- run: go run mage.go lint |
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
echo "Executing precommit checks" | ||
go run mage.go check |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,56 +1,81 @@ | ||
FROM golang:1.19.1-alpine3.16 AS build | ||
# Copyright 2023 The OWASP Coraza contributors | ||
# SPDX-License-Identifier: Apache-2.0 | ||
|
||
# Specify Coreruleset version to download | ||
ARG CORERULESET_VERSION=v4.0.0-rc1 | ||
ARG CORERULESET_MD5=9140236dc7e941c274e414385824c996 | ||
|
||
# Change working directory | ||
WORKDIR /app | ||
|
||
RUN \ | ||
apk add --no-cache \ | ||
# Install make to build coraza-spoa binary from makefile | ||
make \ | ||
# Download and set up Coreruleset | ||
&& wget -qO/tmp/coreruleset.tar.gz https://github.com/coreruleset/coreruleset/archive/${CORERULESET_VERSION}.tar.gz \ | ||
&& echo "$CORERULESET_MD5 /tmp/coreruleset.tar.gz" | md5sum -c \ | ||
&& mkdir -p /tmp/coraza-coreruleset \ | ||
&& mkdir -p /etc/coraza-spoa/rules \ | ||
&& tar xzf /tmp/coreruleset.tar.gz --strip-components=1 -C /tmp/coraza-coreruleset \ | ||
&& mv /tmp/coraza-coreruleset/crs-setup.conf.example /etc/coraza-spoa/crs-setup.conf \ | ||
&& mv /tmp/coraza-coreruleset/rules /etc/coraza-spoa \ | ||
&& mv /tmp/coraza-coreruleset/plugins /etc/coraza-spoa \ | ||
&& rm -rf /tmp/* | ||
|
||
# Cache Go dependencies | ||
COPY go.mod go.sum ./ | ||
FROM --platform=$BUILDPLATFORM golang:1.19-alpine3.17 AS builder | ||
|
||
WORKDIR /build | ||
COPY . /build | ||
|
||
# Download dependencies for all platforms once | ||
RUN go mod download | ||
|
||
# Copy project files into build image | ||
COPY . . | ||
ARG TARGETOS | ||
ARG TARGETARCH | ||
|
||
RUN apk add --no-cache make ca-certificates \ | ||
&& update-ca-certificates | ||
|
||
RUN --mount=type=cache,target=/root/.cache/go-build \ | ||
--mount=type=cache,target=/go/pkg \ | ||
OS=${TARGETOS} ARCH=${TARGETARCH} make | ||
|
||
# --- | ||
FROM alpine:3.17 AS main | ||
|
||
ARG TARGETARCH | ||
|
||
LABEL org.opencontainers.image.authors="The OWASP Coraza contributors" \ | ||
org.opencontainers.image.description="OWASP Coraza WAF (Haproxy SPOA)" \ | ||
org.opencontainers.image.documentation="https://coraza.io/connectors/coraza-spoa/" \ | ||
org.opencontainers.image.licenses="Apache-2.0" \ | ||
org.opencontainers.image.source="https://github.com/corazawaf/coraza-spoa" \ | ||
org.opencontainers.image.title="coraza-spoa" | ||
|
||
RUN apk add --no-cache tini socat ca-certificates \ | ||
&& update-ca-certificates | ||
|
||
# Build coraza-spoa binary | ||
RUN make | ||
# Add unprivileged user & group for the coraza-spoa | ||
RUN addgroup --system coraza-spoa \ | ||
&& adduser --system --ingroup coraza-spoa --no-create-home --home /nonexistent --disabled-password coraza-spoa | ||
|
||
RUN mkdir -p /etc/coraza-spoa /var/log/coraza-spoa \ | ||
&& chown coraza-spoa:coraza-spoa /var/log/coraza-spoa | ||
|
||
COPY --from=builder /build/coraza-spoa_${TARGETARCH} /usr/bin/coraza-spoa | ||
COPY --from=builder /build/config.yaml.default /etc/coraza-spoa/config.yaml | ||
COPY --from=builder /build/docker/coraza-spoa/coraza.conf /etc/coraza-spoa/coraza.conf | ||
COPY --from=builder /build/docker/coraza-spoa/docker-entrypoint.sh /docker-entrypoint.sh | ||
|
||
EXPOSE 9000 | ||
USER coraza-spoa | ||
|
||
HEALTHCHECK --interval=10s --timeout=2s --retries=2 CMD "/usr/bin/socat /dev/null TCP:0.0.0.0:9000" | ||
|
||
ENTRYPOINT ["tini", "--", "/docker-entrypoint.sh"] | ||
|
||
CMD ["/usr/bin/coraza-spoa", "--config", "/etc/coraza-spoa/config.yaml"] | ||
|
||
# --- | ||
FROM main AS coreruleset | ||
|
||
ARG CORERULESET_VERSION=v4.0.0-rc1 | ||
ARG CORERULESET_SHA256SUM=a8f0d1cac941bf2158988b92a91519f093a8bce64a260e46fa352d608c7de3e6 | ||
|
||
RUN \ | ||
# Move coraza-spoa config file to config dir | ||
mv /app/docker/coraza-spoa/coraza.conf /etc/coraza-spoa/coraza.conf \ | ||
# Rename coraza-spoa default config file | ||
&& mv /app/config.yaml.default /app/config.yaml \ | ||
# Rename coraza-spoa binary | ||
&& mv /app/coraza-spoa_amd64 /app/coraza-spoa \ | ||
# Make coraza-spoa binary executable | ||
&& chmod +x /app/coraza-spoa | ||
# Switch to root for crs installation | ||
USER root | ||
|
||
# Download the core rule set | ||
RUN set -xe \ | ||
&& wget -O /tmp/crs.tgz https://github.com/coreruleset/coreruleset/archive/refs/tags/${CORERULESET_VERSION}.tar.gz | ||
|
||
RUN echo "$CORERULESET_SHA256SUM /tmp/crs.tgz" | sha256sum -c | ||
|
||
FROM alpine:3.16 | ||
# Make directory for coraza-spoa audit and error logs | ||
RUN mkdir -p /var/log/coraza-spoa | ||
# Copy coraza-spoa binary and default config file from build image | ||
COPY --from=build /app/config.yaml /app/coraza-spoa / | ||
# Copy Coreruleset files from build image | ||
COPY --from=build /etc/coraza-spoa /etc/coraza-spoa | ||
RUN set -xe \ | ||
&& mkdir crs \ | ||
&& tar --strip-components 1 -C crs -xf /tmp/crs.tgz \ | ||
&& mv crs/crs-setup.conf.example /etc/coraza-spoa/crs-setup.conf \ | ||
&& mv crs/rules /etc/coraza-spoa \ | ||
&& if [[ -d crs/plugins ]] ; then mv crs/plugins /etc/coraza-spoa ; fi \ | ||
&& rm -rf crs /tmp/crs.tgz | ||
|
||
# Container run command | ||
CMD ["/coraza-spoa", "-config", "/config.yaml"] | ||
USER coraza-spoa |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.