#
# First, build a *static* 'semgrep-core' binary on Alpine because it comes set
# up for it (requires using musl rather than glibc).
#
# Then 'semgrep-core' alone is copied to a container which takes care
# of the 'semgrep-python' wrapping.
#
# The docker base image in the FROM below currently uses OCaml 4.12.0.
# See https://github.com/returntocorp/ocaml-layer/blob/master/configs/alpine.sh
#
# coupling: if you modify the OCaml version there, you probably also need
# to modify:
# - scripts/osx-release.sh
# - doc/SEMGREP_CORE_CONTRIBUTING.md
# - https://github.com/Homebrew/homebrew-core/blob/master/Formula/semgrep.rb
# Note that many .github/workflows/ use returntocorp/ocaml:alpine, which should
# be the latest, but may differ from this one.
FROM returntocorp/ocaml:alpine-2021-07-15 AS build-semgrep-core

# ocaml-pcre (now a semgrep-core dependency) needs the PCRE headers.
# Become root only for the package install, then drop back to 'user'.
USER root
RUN apk add --no-cache pcre-dev
USER user

WORKDIR /home/user
# Inputs for the OCaml build. .git/ is needed so the submodule update below
# can run. NOTE(review): copying .git/ also brings whatever is in the local
# .git/config into this stage's build cache; it does not reach the final
# image, since only the built binaries are copied out of this stage.
COPY --chown=user .gitmodules /semgrep/.gitmodules
COPY --chown=user .git/ /semgrep/.git/
COPY --chown=user semgrep-core/ /semgrep/semgrep-core/
COPY --chown=user scripts /semgrep/scripts
WORKDIR /semgrep

# Drop ignored files that may have leaked in from a developer checkout
# (ideally .gitignore would be mirrored in .dockerignore), then fetch the
# pinned submodules shallowly.
RUN git clean -dfX \
    && git submodule foreach --recursive git clean -dfX
RUN git submodule update --init --recursive --depth 1

# coupling: if you add dependencies here, you probably also need to update:
# - scripts/install-alpine-semgrep-core
# - the setup target in Makefile
# 'opam env' is re-evaluated in every RUN because shell environment does not
# persist from one layer to the next.
RUN eval "$(opam env)" && ./scripts/install-tree-sitter-runtime
RUN eval "$(opam env)" && opam install --deps-only -y semgrep-core/src/pfff/
RUN eval "$(opam env)" && opam install --deps-only -y semgrep-core/src/ocaml-tree-sitter-core
RUN eval "$(opam env)" && opam install --deps-only -y semgrep-core/
RUN eval "$(opam env)" && make -C semgrep-core/ all

# Sanity checks: spacegrep was produced and semgrep-core starts.
RUN test -x ./semgrep-core/_build/install/default/bin/spacegrep \
    && ./semgrep-core/_build/install/default/bin/semgrep-core -version
#
# We change container, bringing only the 'semgrep-core' binary with us.
#
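FROM python:3.9.1-alpine3.13
LABEL maintainer="[email protected]"

# ugly: circle CI requires valid git and ssh programs in the container
# when running semgrep on a repository containing submodules
# NOTE(review): these apk packages are unpinned (hadolint DL3018); pin them
# once the intended versions are decided.
RUN apk add --no-cache git openssh

# Only the static binaries cross over from the build stage.
COPY --from=build-semgrep-core \
    /semgrep/semgrep-core/_build/install/default/bin/semgrep-core /usr/local/bin/semgrep-core
RUN semgrep-core -version

#TODO: once we always use semgrep-core to run a rule, we can delete spacegrep
COPY --from=build-semgrep-core \
    /semgrep/semgrep-core/_build/install/default/bin/spacegrep \
    /usr/local/bin/spacegrep
RUN ln -sf spacegrep /usr/local/bin/spacecat

# Install the Python wrapper. SEMGREP_SKIP_BIN presumably tells its install
# step not to fetch/bundle its own semgrep-core (we installed it above) --
# confirm against the wrapper's packaging. --no-cache-dir keeps pip's
# download/wheel cache out of this layer (hadolint DL3042).
COPY semgrep /semgrep
RUN SEMGREP_SKIP_BIN=true python -m pip install --no-cache-dir /semgrep
RUN semgrep --version

# /src is the expected mount point for the code being scanned; /tmp/.cache
# backs SEMGREP_VERSION_CACHE_PATH below. Both are created and made
# world-writable in one layer. NOTE(review): 777 is presumably so the image
# still works under `docker run --user <host uid>`; if that is not required,
# chown them to 'semgrep' instead.
RUN mkdir -p /src /tmp/.cache \
    && chmod 777 /src /tmp/.cache

# Let the user know how their container was built
COPY dockerfiles/semgrep.Dockerfile /Dockerfile

# Run as an unprivileged user with a fixed numeric UID so runtimes that
# enforce non-root can verify it.
RUN adduser -D -u 1000 semgrep
USER 1000

ENV SEMGREP_IN_DOCKER=1 \
    SEMGREP_VERSION_CACHE_PATH=/tmp/.cache/semgrep_version \
    SEMGREP_USER_AGENT_APPEND="(Docker)" \
    PYTHONIOENCODING=utf8 \
    PYTHONUNBUFFERED=1

# Exec form: semgrep is PID 1 and receives SIGTERM directly; CMD supplies the
# default arguments, which the user can override at `docker run`.
ENTRYPOINT ["semgrep"]
CMD ["--help"]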