diff --git a/images/base/README.md b/images/base/README.md
index ae2d9f8..68713f0 100644
--- a/images/base/README.md
+++ b/images/base/README.md
@@ -1,6 +1,6 @@
-# Enterprise Base
+# Example Base
 
-[![Docker Pulls](https://img.shields.io/docker/pulls/codercom/enterprise-base?label=codercom%2Fenterprise-base)](https://hub.docker.com/r/codercom/enterprise-base)
+[![Docker Pulls](https://img.shields.io/docker/pulls/codercom/example-base?label=codercom%2Fexample-base)](https://hub.docker.com/r/codercom/example-base)
 
 ## Description
 
diff --git a/images/desktop/README.md b/images/desktop/README.md
index 35f969b..855f5eb 100644
--- a/images/desktop/README.md
+++ b/images/desktop/README.md
@@ -1,10 +1,10 @@
 # Desktop
 
-[![DockerPulls](https://img.shields.io/docker/pulls/codercom/enterprise-desktop)](https://hub.docker.com/r/codercom/enterprise-desktop)
+[![DockerPulls](https://img.shields.io/docker/pulls/codercom/example-desktop)](https://hub.docker.com/r/codercom/example-desktop)
 
 ## Description
 
-Wraps [enterprise-base](../base/README.md) with a xfce desktop environment.
+Wraps [example-minimal](../minimal/README.md) with a xfce desktop environment.
 
 > **Note:** This image does not contain a vnc-server.
 > A VNC server can be added by using the [KasmVNC](https://registry.coder.com/modules/kasmvnc) module.
diff --git a/images/desktop/ubuntu.Dockerfile b/images/desktop/ubuntu.Dockerfile
index 24899f7..cc25233 100644
--- a/images/desktop/ubuntu.Dockerfile
+++ b/images/desktop/ubuntu.Dockerfile
@@ -1,4 +1,4 @@
-FROM codercom/enterprise-minimal:latest
+FROM codercom/example-minimal:latest
 
 USER root
 
diff --git a/images/golang/README.md b/images/golang/README.md
index 527dbc7..452f09b 100644
--- a/images/golang/README.md
+++ b/images/golang/README.md
@@ -1,10 +1,10 @@
 # Golang
 
-[![DockerPulls](https://img.shields.io/docker/pulls/codercom/enterprise-golang)](https://hub.docker.com/r/codercom/enterprise-golang)
+[![DockerPulls](https://img.shields.io/docker/pulls/codercom/example-golang)](https://hub.docker.com/r/codercom/example-golang)
 
 ## Description
 
-Wraps [enterprise-base](../base/README.md) with the basics for Go development.
+Wraps [example-base](../base/README.md) with the basics for Go development.
 
 > **Note:** This image does not contain GoLand. For an example of how to install
 > GoLand, see [enterprise-goland](../../deprecated/goland/README.md)
diff --git a/images/golang/ubuntu.Dockerfile b/images/golang/ubuntu.Dockerfile
index e80d0a2..23ea3e9 100644
--- a/images/golang/ubuntu.Dockerfile
+++ b/images/golang/ubuntu.Dockerfile
@@ -1,4 +1,4 @@
-FROM codercom/enterprise-base:ubuntu
+FROM codercom/example-base:ubuntu
 
 # Run everything as root
 USER root
diff --git a/images/java/README.md b/images/java/README.md
index 27d246d..306a790 100644
--- a/images/java/README.md
+++ b/images/java/README.md
@@ -1,10 +1,10 @@
 # Java
 
-[![Docker Pulls](https://img.shields.io/docker/pulls/codercom/enterprise-java?label=codercom%2Fenterprise-java)](https://hub.docker.com/r/codercom/enterprise-java)
+[![Docker Pulls](https://img.shields.io/docker/pulls/codercom/example-java?label=codercom%2Fexample-java)](https://hub.docker.com/r/codercom/example-java)
 
 ## Description
 
-Wraps [enterprise-base](../base/README.md) with the basics for Java development.
+Wraps [example-base](../base/README.md) with the basics for Java development.
 
 > **Note:** This image does not contain IntelliJ. For an example of how to
 > install IntelliJ, see [enterprise-intellij](../../deprecated/intellij/README.md)
diff --git a/images/java/ubuntu.Dockerfile b/images/java/ubuntu.Dockerfile
index baa7a3c..f3e01ef 100644
--- a/images/java/ubuntu.Dockerfile
+++ b/images/java/ubuntu.Dockerfile
@@ -1,4 +1,4 @@
-FROM codercom/enterprise-base:ubuntu
+FROM codercom/example-base:ubuntu
 
 # Run everything as root
 USER root
diff --git a/images/minimal/README.md b/images/minimal/README.md
index aad0f50..19e6810 100644
--- a/images/minimal/README.md
+++ b/images/minimal/README.md
@@ -1,4 +1,6 @@
-# Minimal Image
+# Example Minimal
+
+[![Docker Pulls](https://img.shields.io/docker/pulls/codercom/example-minimal?label=codercom%2Fexample-minimal)](https://hub.docker.com/r/codercom/example-minimal)
 
 This image only contains the bare necessities:
 
diff --git a/images/node/README.md b/images/node/README.md
index b7da053..e61381a 100644
--- a/images/node/README.md
+++ b/images/node/README.md
@@ -1,10 +1,10 @@
 # Node
 
-[![Docker Pulls](https://img.shields.io/docker/pulls/codercom/enterprise-node?label=codercom%2Fenterprise-node)](https://hub.docker.com/r/codercom/enterprise-node)
+[![Docker Pulls](https://img.shields.io/docker/pulls/codercom/example-node?label=codercom%2Fexample-node)](https://hub.docker.com/r/codercom/example-node)
 
 ## Description
 
-Wraps [enterprise-base](../base/README.md) with the basics for Node development.
+Wraps [example-base](../base/README.md) with the basics for Node development.
 
 ## How To Use
 
diff --git a/images/node/ubuntu.Dockerfile b/images/node/ubuntu.Dockerfile
index b466aca..a4d28fa 100644
--- a/images/node/ubuntu.Dockerfile
+++ b/images/node/ubuntu.Dockerfile
@@ -1,4 +1,4 @@
-FROM codercom/enterprise-base:ubuntu
+FROM codercom/example-base:ubuntu
 
 # Run everything as root
 USER root
diff --git a/scripts/scan_images.sh b/scripts/scan_images.sh
index 2b70629..33a83e9 100755
--- a/scripts/scan_images.sh
+++ b/scripts/scan_images.sh
@@ -103,19 +103,14 @@
 trivy_tmp_dir="$(mktemp -d -p "$PROJECT_ROOT")"
 trap 'rm -rf "$tmp_dir" "$trivy_tmp_dir"' EXIT
 
-PREFIXES=("example" "enterprise")
-
+# Scan both example and enterprise images
 for image in "${IMAGES[@]}"; do
- for prefix in "${PREFIXES[@]}"; do
- image_ref="codercom/${prefix}-${image}:${TAG}"
- image_name="${prefix}-${image}-${TAG}"
- output="${tmp_dir}/${prefix}-${image}-${TAG}.sarif"
-
- if ! docker image inspect "$image_ref" >/dev/null 2>&1; then
- echo "Image '$image_ref' does not exist locally; skipping" >&2
- continue
- fi
+ # Process example images (primary)
+ example_image_ref="codercom/example-${image}:${TAG}"
+ example_image_name="example-${image}-${TAG}"
+ example_output="${tmp_dir}/example-${image}-${TAG}.sarif"
+ if docker image inspect "$example_image_ref" >/dev/null 2>&1; then
 
 old_tmpdir="${TMPDIR:-}"
 export TMPDIR="$trivy_tmp_dir"
 
@@ -124,9 +119,9 @@ for image in "${IMAGES[@]}"; do
 run_trace $DRY_RUN trivy image \
 --severity CRITICAL,HIGH \
 --format sarif \
- --output "$output" \
+ --output "$example_output" \
 --timeout 15m0s \
- "$image_ref" 2>&1 | indent
+ "$example_image_ref" 2>&1 | indent
 
 if [ "$old_tmpdir" = "" ]; then
 unset TMPDIR
@@ -134,31 +129,77 @@ for image in "${IMAGES[@]}"; do
 export TMPDIR="$old_tmpdir"
 fi
 
- if [ $DRY_RUN = true ]; then
- continue
+ if [ $DRY_RUN = false ] && [ -f "$example_output" ]; then
+ # Do substitutions to add extra details to every message. Without these
+ # substitutions, most messages won't have any information about which image
+ # the vulnerability was found in.
+ jq \
+ ".runs[].tool.driver.name |= \"Trivy ${example_image_name}\"" \
+ "$example_output" >"$example_output.tmp"
+ mv "$example_output.tmp" "$example_output"
+ jq \
+ ".runs[].results[].locations[].physicalLocation.artifactLocation.uri |= \"${example_image_name}/\" + ." \
+ "$example_output" >"$example_output.tmp"
+ mv "$example_output.tmp" "$example_output"
+ jq \
+ ".runs[].results[].locations[].message.text |= \"${example_image_name}: \" + ." \
+ "$example_output" >"$example_output.tmp"
+ mv "$example_output.tmp" "$example_output"
+ elif [ $DRY_RUN = false ]; then
+ echo "No SARIF output found for image '$example_image_ref' at '$example_output'" >&2
+ exit 1
 fi
+ else
+ echo "Image '$example_image_ref' does not exist locally; skipping" >&2
+ fi
 
- if [ ! -f "$output" ]; then
- echo "No SARIF output found for image '$image_ref' at '$output'" >&2
- exit 1
+ # Process enterprise images (alias)
+ enterprise_image_ref="codercom/enterprise-${image}:${TAG}"
+ enterprise_image_name="enterprise-${image}-${TAG}"
+ enterprise_output="${tmp_dir}/enterprise-${image}-${TAG}.sarif"
+
+ if docker image inspect "$enterprise_image_ref" >/dev/null 2>&1; then
+ old_tmpdir="${TMPDIR:-}"
+ export TMPDIR="$trivy_tmp_dir"
+
+ # The timeout is set to 15 minutes because in Java images it can take a while
+ # to scan JAR files for vulnerabilities.
+ run_trace $DRY_RUN trivy image \
+ --severity CRITICAL,HIGH \
+ --format sarif \
+ --output "$enterprise_output" \
+ --timeout 15m0s \
+ "$enterprise_image_ref" 2>&1 | indent
+
+ if [ "$old_tmpdir" = "" ]; then
+ unset TMPDIR
+ else
+ export TMPDIR="$old_tmpdir"
 fi
 
- # Do substitutions to add extra details to every message. Without these
- # substitutions, most messages won't have any information about which image
- # the vulnerability was found in.
- jq \
- ".runs[].tool.driver.name |= \"Trivy ${image_name}\"" \
- "$output" >"$output.tmp"
- mv "$output.tmp" "$output"
- jq \
- ".runs[].results[].locations[].physicalLocation.artifactLocation.uri |= \"${image_name}/\" + ." \
- "$output" >"$output.tmp"
- mv "$output.tmp" "$output"
- jq \
- ".runs[].results[].locations[].message.text |= \"${image_name}: \" + ." \
- "$output" >"$output.tmp"
- mv "$output.tmp" "$output"
- done
+ if [ $DRY_RUN = false ] && [ -f "$enterprise_output" ]; then
+ # Do substitutions to add extra details to every message. Without these
+ # substitutions, most messages won't have any information about which image
+ # the vulnerability was found in.
+ jq \
+ ".runs[].tool.driver.name |= \"Trivy ${enterprise_image_name}\"" \
+ "$enterprise_output" >"$enterprise_output.tmp"
+ mv "$enterprise_output.tmp" "$enterprise_output"
+ jq \
+ ".runs[].results[].locations[].physicalLocation.artifactLocation.uri |= \"${enterprise_image_name}/\" + ." \
+ "$enterprise_output" >"$enterprise_output.tmp"
+ mv "$enterprise_output.tmp" "$enterprise_output"
+ jq \
+ ".runs[].results[].locations[].message.text |= \"${enterprise_image_name}: \" + ." \
+ "$enterprise_output" >"$enterprise_output.tmp"
+ mv "$enterprise_output.tmp" "$enterprise_output"
+ elif [ $DRY_RUN = false ]; then
+ echo "No SARIF output found for image '$enterprise_image_ref' at '$enterprise_output'" >&2
+ exit 1
+ fi
+ else
+ echo "Image '$enterprise_image_ref' does not exist locally; skipping" >&2
+ fi
 done
 
 # Merge all SARIF files into one.