Docker

This article shows you how to integrate Qwiet preZero into your Docker workflow to provide automated code analysis.

Prerequisites

This tutorial assumes that you have:

Authentication information

You must provide authentication information for Qwiet to your container via your Dockerfile. When running in a production environment, we recommend using a CI token as your access token; you can create a CI token in the Qwiet Dashboard and provide it using the SHIFTLEFT_ACCESS_TOKEN environment variable.

Integrating preZero with Docker

We offer a sample image accompanying this article on Docker Hub, as well as an image for devices built on ARM64 architecture.

The following Dockerfile demonstrates how you can integrate Qwiet preZero to scan applications written in Java, JavaScript/TypeScript, Go, and/or Python:

FROM ubuntu:20.04 as builder

ARG CLI_VERSION
ARG BUILD_DATE

# Note: no trailing ':' on PATH. An empty PATH entry is searched as the current
# directory, so a file dropped into the working tree could shadow a real command.
ENV SHIFTLEFT_HOME=/opt/sl-cli \
PYTHONUNBUFFERED=1 \
DEBIAN_FRONTEND=noninteractive \
GOPATH=/opt/app-root/go \
GO_VERSION=1.17.8 \
PATH=${PATH}:/opt/sl-cli:${GOPATH}/bin:/usr/local/go/bin

LABEL maintainer="ShiftLeftSecurity" \
org.label-schema.schema-version="1.0" \
org.label-schema.vendor="shiftleft" \
org.label-schema.name="scan-base" \
org.label-schema.version=$CLI_VERSION \
org.label-schema.license="MIT" \
org.label-schema.description="Docker image for Qwiet Core analysis" \
org.label-schema.url="https://www.shiftleft.io" \
org.label-schema.usage="https://github.com/ShiftLeftSecurity/scan-base" \
org.label-schema.build-date=$BUILD_DATE \
org.label-schema.vcs-url="https://github.com/ShiftLeftSecurity/scan-base.git" \
org.label-schema.docker.cmd="docker run --rm -it --name slcore shiftleft/core /bin/bash"

USER root

RUN mkdir -p /opt/sl-cli && apt update -y \
&& apt install --no-install-recommends -y jq curl wget zip unzip openjdk-8-jdk \
build-essential python3.8 python3.8-dev python3-setuptools python3-pip python3.8-venv git maven gradle \
&& curl -fsSL https://deb.nodesource.com/setup_16.x | bash - \
&& apt install -y nodejs \
&& curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | tee /usr/share/keyrings/yarnkey.gpg >/dev/null \
&& echo "deb [signed-by=/usr/share/keyrings/yarnkey.gpg] https://dl.yarnpkg.com/debian stable main" | tee /etc/apt/sources.list.d/yarn.list \
&& apt update && apt install -y yarn \
&& npm install -g @appthreat/cdxgen \
&& curl -LO "https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz" \
&& tar -C /usr/local -xzf go${GO_VERSION}.linux-amd64.tar.gz \
&& rm go${GO_VERSION}.linux-amd64.tar.gz \
&& curl -fsSL "https://cdn.shiftleft.io/download/sl" -o /usr/local/bin/sl \
&& chmod a+rx /usr/local/bin/sl \
&& /usr/local/bin/sl update js2cpg \
&& /usr/local/bin/sl update java2cpg \
&& /usr/local/bin/sl update py2cpg \
&& /usr/local/bin/sl update go2cpg \
&& python3 -m pip install --no-cache-dir shiftleft-scan-reports \
&& rm -rf /var/lib/apt/lists/*

Parameters:

Parameter                    Description
-e SHIFTLEFT_ACCESS_TOKEN    The CI token that grants access to Qwiet resources; you can create a CI token in the Qwiet Dashboard
/app                         The directory inside the container where Qwiet should be invoked; for Java apps, provide the path to the JAR/WAR (e.g., /app/target/helloQwiet.jar)
-v $PWD:/app                 The present directory mounted inside the Docker container as /app
-v /tmp:/tmp                 The tmp directory; some of Qwiet preZero's tools look for the tmp directory, and the code analysis fails if it can't locate the directory

Running the code analysis

A sample invocation of sl analyze looks something like the following:

docker run --rm -it --name slcore \
-e SHIFTLEFT_ACCESS_TOKEN \
-v $PWD:/app -v /tmp:/tmp \
shiftleft/core \
sl analyze --java --cpg /app/target/helloshiftleft.jar

# Windows users only (cmd.exe: %cd% is the current directory and ^ is the line-continuation character)
docker run --rm -it --name slcore ^
-e SHIFTLEFT_ACCESS_TOKEN ^
-v %cd%:/app -v /tmp:/tmp ^
shiftleft/core ^
sl analyze --java --cpg /app/target/helloshiftleft.jar
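The following wrapper is an added example, not part of the Qwiet documentation or of the shiftleft/core image. It ties together the authentication note above (the CI token arrives through the SHIFTLEFT_ACCESS_TOKEN environment variable) and the sl analyze invocation: it refuses to start without a token, forwards the token with -e NAME so the secret never appears on the host command line, checks that the directory to be mounted as /app exists (Docker would otherwise bind-mount a freshly created empty directory and the scan would analyse nothing), and only requests a TTY when one is attached, which is what breaks the -it form in most CI runners. The function name prezero_scan, the PREZERO_IMAGE and DRY_RUN variables, and the default arguments are assumptions of this example; any sl arguments other than the page's Java example are simply passed through by the caller.

```shell
#!/usr/bin/env sh
# Added example, not part of the Qwiet documentation: a wrapper around the
# `docker run ... sl analyze` invocation shown above. Names assumed here (not
# on the page): prezero_scan, PREZERO_IMAGE, DRY_RUN.

# Image to run; the page uses shiftleft/core. Override for the ARM64 image.
PREZERO_IMAGE="${PREZERO_IMAGE:-shiftleft/core}"

# prezero_scan <host-dir> [sl arguments...]
#   <host-dir>  directory mounted into the container as /app
#   remaining   arguments handed to `sl`; default is the page's Java example
# Set DRY_RUN=1 to print the command that would run instead of running it.
prezero_scan() {
  if [ "$#" -lt 1 ]; then
    echo "usage: prezero_scan <host-dir> [sl arguments...]" >&2
    return 1
  fi
  app_dir="$1"
  shift

  # The CI token must already be in the environment. It is forwarded with
  # `-e NAME` (no value on the command line), so the secret never shows up
  # in shell history or in `ps` output on the host.
  if [ -z "${SHIFTLEFT_ACCESS_TOKEN:-}" ]; then
    echo "prezero_scan: SHIFTLEFT_ACCESS_TOKEN is not set (create a CI token in the Qwiet Dashboard)" >&2
    return 2
  fi

  # With -v, Docker creates a missing host path as an empty directory and
  # mounts that instead of failing, so the scan would quietly analyse nothing.
  if [ ! -d "$app_dir" ]; then
    echo "prezero_scan: $app_dir is not a directory" >&2
    return 3
  fi

  # Default to the Java invocation from the page when no sl arguments are given.
  if [ "$#" -eq 0 ]; then
    set -- analyze --java --cpg /app/target/helloshiftleft.jar
  fi

  # Ask for a TTY only when attached to one; in CI there is no TTY and
  # `docker run -it` fails with "the input device is not a TTY".
  tty_flag=""
  if [ -t 0 ] && [ -t 1 ]; then
    tty_flag="-it"
  fi

  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'docker run --rm%s --name slcore -e SHIFTLEFT_ACCESS_TOKEN -v %s:/app -v /tmp:/tmp %s sl %s\n' \
      "${tty_flag:+ $tty_flag}" "$app_dir" "$PREZERO_IMAGE" "$*"
    return 0
  fi

  # tty_flag is intentionally unquoted: when empty it must expand to nothing.
  docker run --rm $tty_flag --name slcore \
    -e SHIFTLEFT_ACCESS_TOKEN \
    -v "$app_dir:/app" -v /tmp:/tmp \
    "$PREZERO_IMAGE" sl "$@"
}

# Usage (from the project directory on Linux/macOS):
#   export SHIFTLEFT_ACCESS_TOKEN=...   # or let the CI system inject it
#   prezero_scan "$PWD"                 # Java example from the page
#   prezero_scan "$PWD" analyze --java --cpg /app/target/myapp.jar
```

Run with DRY_RUN=1 first to confirm the mounts and arguments before a real scan; the printed command contains the variable name, not the token value, which is what you want in CI logs.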