Allow to run Guideline_Enforcer #147
Conversation
Wiz Scan Summary
To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension. |
cedelavergne-ledger
force-pushed
the
cev/rule_enforcer
branch
from
7a0edfb
to
faeb44c
Compare
cedelavergne-ledger
force-pushed
the
cev/rule_enforcer
branch
from
faeb44c
to
9e273e7
Compare
|
@cedelavergne-ledger shouldn't the It seems to me the script is tightly linked to the workflows |
No, because for the VSCode extension, we need a simple and straight forward method, ideally based on a script: The final usage, with the extension, will be to open the |
cedelavergne-ledger
force-pushed
the
cev/rule_enforcer
branch
from
9e273e7
to
ed6294d
Compare
![ledger-wiz-cspm-secret-detection[bot]](https://avatars.githubusercontent.com/u/9784193?s=60&v=4){kind=small}
| @@ -19,5 +19,11 @@ ARG PYTHON_BUILD_DEPS=libffi-dev,python3-dev,py3-virtualenv | |||
| # Install the building dependencies. | |||
| RUN apk add $(echo -n "$PYTHON_BUILD_DEPS" | tr , ' ') | |||
|
|
|||
| # Install packahes to allow Guideline Enforcer to run | |||
| RUN apk add imagemagick grep | |||
There was a problem hiding this comment.
Details
| Rule | Unpinned Package Version in Apk Add |
| Rule ID | 9b55ae16-9e49-41dc-885f-a59ee0bb54bd |
| Severity | |
| Resource | FROM={{ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder:latest}}.{{RUN apk add imagemagick grep}} |
Details
Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
Expected: RUN instruction with 'apk add ' should use package pinning form 'apk add =' Found: RUN instruction apk add imagemagick grep does not use package pinning form
| RUN pip3 install --no-cache-dir "ragger[tests,all_backends]==1.24.0" "speculos==0.10.0" | ||
|
|
||
| # Add the enforcer script | ||
| ADD ./dev-tools/enforcer.sh /opt/enforcer.sh |
There was a problem hiding this comment.
Details
| Rule | Add Instead of Copy |
| Rule ID | d3b26264-01d2-4c17-aa13-e056403caf7a |
| Severity | |
| Resource | FROM={{ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder:latest}}.{{ADD ./dev-tools/enforcer.sh /opt/enforcer.sh}} |
Details
Should use COPY instead of ADD unless, running a tar file
Expected: 'COPY' ./dev-tools/enforcer.sh Found: 'ADD' ./dev-tools/enforcer.sh
| @@ -19,5 +19,11 @@ ARG PYTHON_BUILD_DEPS=libffi-dev,python3-dev,py3-virtualenv | |||
| # Install the building dependencies. | |||
| RUN apk add $(echo -n "$PYTHON_BUILD_DEPS" | tr , ' ') | |||
|
|
|||
| # Install packahes to allow Guideline Enforcer to run | |||
| RUN apk add imagemagick grep | |||
There was a problem hiding this comment.
Details
| Rule | Unpinned Package Version in Apk Add |
| Rule ID | 9b55ae16-9e49-41dc-885f-a59ee0bb54bd |
| Severity | |
| Resource | FROM={{ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder:latest}}.{{RUN apk add imagemagick grep}} |
Details
Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
Expected: RUN instruction with 'apk add ' should use package pinning form 'apk add =' Found: RUN instruction apk add imagemagick grep does not use package pinning form
| RUN pip3 install --no-cache-dir "ragger[tests,all_backends]==1.24.0" "speculos==0.10.0" | ||
|
|
||
| # Add the enforcer script | ||
| ADD ./dev-tools/enforcer.sh /opt/enforcer.sh |
There was a problem hiding this comment.
Details
| Rule | Add Instead of Copy |
| Rule ID | d3b26264-01d2-4c17-aa13-e056403caf7a |
| Severity | |
| Resource | FROM={{ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder:latest}}.{{ADD ./dev-tools/enforcer.sh /opt/enforcer.sh}} |
Details
Should use COPY instead of ADD unless, running a tar file
Expected: 'COPY' ./dev-tools/enforcer.sh Found: 'ADD' ./dev-tools/enforcer.sh
Add script allowing to call the Guideline Enforcer checks from
ledger-app-workflowsrepository.Add missing packages in the container
Bump Speculos & Ragger to their latest version