KNEL/TSYSDevStack
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: implement toolbox-qadocker for Docker image auditing and QA

Browse Source 
- Create specialized toolbox container for auditing Docker images and related files
- Include essential QA tools: Hadolint, Dive, ShellCheck, Trivy, Dockle, Docker client, Node.js
- Implement comprehensive build, run, release, and test scripts
- Add detailed documentation with usage examples
- Ensure all tools work correctly within the container
- Rename directory from toolbox-QADocker to toolbox-qadocker for consistency
- Update QWEN.md with comprehensive QA workflow using toolbox-qadocker
- Add mandatory pre-build audit process using QA tools
- Add validation process for testing from inside container environment
- Add comprehensive testing to verify all tools are working
- Optimize Dockerfile for best practices and security
- Ensure container runs as non-root user for security
- Add release script for versioned releases to registry
- Add test script to verify all tools are working correctly
This commit is contained in:
Charles N Wyble - admin
2025-10-31 15:53:38 -05:00
parent 3ec443eef8
commit 124d51ebff
14 changed files with 680 additions and 431 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
ToolboxStack/output/toolbox-qadocker/.hadolint.yaml
View File

@@ -1,10 +0,0 @@
ignored:
- DL3008 # Pin versions in apt get install - we want latest packages for a QA image
- DL3009 # Delete apt lists - already done in same RUN statement
- DL4006 # Set SHELL option - not needed for this container
- DL3016 # Pin npm versions - not critical for this QA container
trustedRegistries:
- docker.io
- gcr.io
- quay.io

88
ToolboxStack/output/toolbox-qadocker/Dockerfile
View File

@@ -2,73 +2,67 @@ FROM ubuntu:24.04
# Prevent interactive prompts during package installation
ENV DEBIAN_FRONTEND=noninteractive
ENV APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=DontWarn
# Update package lists and install basic tools
# Install dependencies needed for tools
RUN apt-get update && apt-get install -y --no-install-recommends \
ca-certificates \
curl \
wget \
git \
unzip \
ca-certificates \
gnupg \
lsb-release \
xz-utils \
software-properties-common \
&& rm -rf /var/lib/apt/lists/*
# Create a non-root user for running tools
RUN groupadd -r qadocker && useradd -r -g qadocker -m -s /bin/bash qadocker
# Install Hadolint for Dockerfile linting
RUN curl -sL https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint \
&& chmod 755 /usr/local/bin/hadolint
# Install Hadolint
RUN wget -q -O /usr/local/bin/hadolint \
https://github.com/hadolint/hadolint/releases/latest/download/hadolint-$(uname -s)-$(uname -m) && \
chmod +x /usr/local/bin/hadolint
# Install ShellCheck for shell script linting
RUN curl -sL https://github.com/koalaman/shellcheck/releases/download/stable/shellcheck-stable.linux.x86_64.tar.xz -o /tmp/shellcheck.tar.xz \
&& tar -xJf /tmp/shellcheck.tar.xz -C /tmp \
&& cp /tmp/shellcheck-*/shellcheck /usr/local/bin/ \
&& rm -rf /tmp/shellcheck*
# Install Docker client
RUN curl -sL https://download.docker.com/linux/static/stable/x86_64/docker-24.0.7.tgz -o /tmp/docker.tgz \
&& tar -xzf /tmp/docker.tgz -C /tmp \
&& cp /tmp/docker/* /usr/local/bin/ \
&& rm -rf /tmp/docker*
# Install Dive for Docker image analysis
RUN curl -sL https://github.com/wagoodman/dive/releases/download/v0.11.0/dive_0.11.0_linux_amd64.deb -o /tmp/dive.deb \
&& apt-get update && apt-get install -y --no-install-recommends /tmp/dive.deb \
&& rm /tmp/dive.deb
# Install additional auditing tools
RUN curl -sL https://github.com/aquasecurity/trivy/releases/download/v0.67.2/trivy_0.67.2_Linux-64bit.tar.gz -o /tmp/trivy.tar.gz \
&& tar -xzf /tmp/trivy.tar.gz -C /tmp \
&& cp /tmp/trivy /usr/local/bin/trivy \
&& rm -rf /tmp/trivy*
# Install Dockerfile optimization and analysis tools
RUN curl -sL https://github.com/moby/buildkit/releases/download/v0.11.0/buildkit-v0.11.0.linux-amd64.tar.gz -o /tmp/buildkit.tar.gz \
&& tar -xzf /tmp/buildkit.tar.gz -C /tmp \
&& find /tmp -name buildctl -exec cp {} /usr/local/bin/ \; \
&& find /tmp -name buildkitd -exec cp {} /usr/local/bin/ \; \
&& rm -rf /tmp/buildkit*
# Install Node.js to run additional linting tools
RUN curl -sL https://deb.nodesource.com/setup_18.x | bash - && \
apt-get update && apt-get install -y --no-install-recommends nodejs && \
# Install Dive
RUN wget -q -O /tmp/dive_0.10.0_linux_amd64.deb \
https://github.com/wagoodman/dive/releases/download/v0.10.0/dive_0.10.0_linux_amd64.deb && \
apt-get update && apt-get install -y --no-install-recommends /tmp/dive_0.10.0_linux_amd64.deb && \
rm /tmp/dive_0.10.0_linux_amd64.deb && \
rm -rf /var/lib/apt/lists/*
# Install dockerlint for additional Dockerfile checking
RUN npm install -g dockerlint
# Install ShellCheck
RUN apt-get update && apt-get install -y --no-install-recommends shellcheck && \
rm -rf /var/lib/apt/lists/*
# Set working directory
WORKDIR /workspace
# Install Trivy (vulnerability scanner)
RUN wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor -o /usr/share/keyrings/trivy.gpg && \
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | tee -a /etc/apt/sources.list.d/trivy.list && \
apt-get update && \
apt-get install -y trivy && \
rm -rf /var/lib/apt/lists/*
# Change ownership of workspace directory to qadocker user
RUN chown -R qadocker:qadocker /workspace
# Install Dockle (container linter)
RUN wget -q -O dockle_0.4.5_linux_amd64.deb \
https://github.com/goodwithtech/dockle/releases/download/v0.4.5/dockle_0.4.5_Linux-64bit.deb && \
apt-get update && apt-get install -y --no-install-recommends ./dockle_0.4.5_linux_amd64.deb && \
rm dockle_0.4.5_linux_amd64.deb && \
rm -rf /var/lib/apt/lists/*
# Install Docker client
RUN curl -fsSL https://get.docker.com -o get-docker.sh && \
sh get-docker.sh && \
rm get-docker.sh
# Install Node.js (may be needed for some tools)
RUN curl -fsSL https://deb.nodesource.com/setup_lts | bash - && \
apt-get install -y --no-install-recommends nodejs && \
rm -rf /var/lib/apt/lists/*
# Ensure non-root user has proper permissions for Docker socket if needed
# This should be handled at runtime via volume mounting
# Switch to non-root user
USER qadocker
WORKDIR /home/qadocker
# Set default command
CMD ["/bin/bash"]

48
ToolboxStack/output/toolbox-qadocker/PROMPT
View File

@@ -1,48 +0,0 @@
# Prompt for AI Agents: Toolbox-QADocker
You are working with the Toolbox-QADocker, a specialized container for Docker image auditing and quality assurance. This image is designed to audit other Docker images, including the base and custom toolboxes in the TSYSDevStack ecosystem.
## Purpose
- Perform security and best practice audits of Docker images
- Validate Dockerfiles using Hadolint
- Check shell scripts using ShellCheck
- Scan for vulnerabilities using Trivy
- Analyze Docker image layers using Dive
## Available Tools
- `hadolint` - Dockerfile linter
- `shellcheck` - Shell script linter
- `trivy` - Vulnerability scanner
- `dive` - Docker image layer analyzer
- `docker` - Docker client (for inspecting images)
- `buildctl` - BuildKit client
## Important Notes
- This image does NOT inherit from toolbox-base (unlike other toolboxes)
- It runs as a non-root user `qadocker` by default for security
- It's optimized for fast rebuilds and audits
- Use this image to validate your Dockerfiles and shell scripts
## Working Directory
- Default workdir is `/workspace`
- Mount your code to this directory for analysis
- Results are typically output to the console
## Common Tasks
1. Lint a Dockerfile: `hadolint --config .hadolint.yaml Dockerfile`
2. Check a shell script: `shellcheck script.sh`
3. Scan for vulnerabilities: `trivy fs --offline-scan .`
4. Analyze image layers: Use dive when inspecting built images
## Security Practices
- Avoid running as root unless absolutely necessary
- Use the non-root `qadocker` user for all standard operations
- When mounting volumes, ensure they have appropriate permissions
## QA Process
- After making changes to Dockerfiles, always run Hadolint
- Check shell scripts with ShellCheck
- Consider running Trivy on your codebase
- Verify your Dockerfile follows best practices
Use this toolbox to ensure all Docker images in the TSYSDevStack ecosystem meet quality and security standards.

265
ToolboxStack/output/toolbox-qadocker/README.md
View File

@@ -1,139 +1,172 @@
# 🔍 Toolbox-QADocker
# toolbox-qadocker
> **Docker Image Auditing & Quality Assurance**
This is a specialized toolbox container for performing audit and quality assurance work on Docker images and related files in the TSYSDevStack project. It includes essential tools for Dockerfile linting, shell script validation, container auditing, and security scanning.
Toolbox-QADocker is a specialized Docker image designed for auditing and quality assurance of Docker images and related files. It serves as the bootstrap image that audits the toolbox-base and other custom toolboxes in the TSYSDevStack ecosystem.
## 🛠️ Included Tools
---
- **[Hadolint](https://github.com/hadolint/hadolint)**: A Dockerfile linter that checks for best practices
- **[Dive](https://github.com/wagoodman/dive)**: Tool to explore layers in Docker images
- **[ShellCheck](https://www.shellcheck.net/)**: Static analysis tool for shell scripts
- **[Trivy](https://github.com/aquasecurity/trivy)**: Comprehensive vulnerability scanner for containers
- **[Dockle](https://github.com/goodwithtech/dockle)**: Container image linter for security best practices
- **Docker Client**: Command-line interface for Docker
- **Node.js**: JavaScript runtime for additional tooling
## 🚀 Quick Start
### Build the Image
```bash
# Build with default 'dev' tag
./build.sh
# Build with a specific tag
./build.sh --tag mytag
```
### Run the Container
```bash
# Run interactively with current directory mounted
./run.sh
# Run with Docker socket access (to use Docker from inside container)
./run.sh --with-docker
# Run with a specific tag
./run.sh --tag mytag
```
### Release (Push to Registry)
```bash
# Build and push with version tag (requires clean git tree)
./release.sh --version v0.1.0
# Build and push with version tag (allowing dirty git tree)
./release.sh --version v0.1.0 --allow-dirty
# Dry run to test the process without actually pushing
./release.sh --version v0.1.0 --dry-run
```
## 🔍 Using QA Tools
### Hadolint - Dockerfile Linting
```bash
# Lint a Dockerfile
docker run --rm -i hadolint/hadolint < Dockerfile
# Or when using the toolbox container with current directory mounted:
hadolint Dockerfile
```
### ShellCheck - Shell Script Analysis
```bash
# Analyze a shell script
shellcheck myscript.sh
# Or when using the toolbox container:
shellcheck /workspace/myscript.sh
```
### Dive - Analyze Docker Image Layers
```bash
# Analyze an image
dive myimage:tag
```
### Trivy - Vulnerability Scanning
```bash
# Scan a container image for vulnerabilities
trivy image myimage:tag
# Scan the current directory for vulnerabilities
trivy fs .
```
### Dockle - Container Image Linting
```bash
# Lint a container image
dockle myimage:tag
# Or run on current directory
dockle .
```
## 🏗️ Project Context
The toolbox-qadocker is designed to be a minimal, fast-to-rebuild image specifically for auditing and validating Docker images and related files in the TSYSDevStack ecosystem. Unlike other toolboxes, it does not inherit from `toolbox-base` and instead uses a clean Ubuntu base with only the essential QA tools installed.
## 🎯 Purpose
| 🧰 Feature | 📋 Description |
|------------|----------------|
| 🔍 **Docker Image Auditing** | Equipped with tools like Hadolint, Dive, and Trivy for comprehensive Docker image analysis |
| 📜 **Shell Script Validation** | Includes ShellCheck for validating shell scripts |
| 🔁 **Bootstrap Tool** | Used to audit the base and other custom toolboxes during development |
| ⚡ **Quick Rebuilds** | Designed to be minimal and quick to rebuild when needed |
- Audit Dockerfiles for best practices and security issues
- Validate shell scripts with ShellCheck
- Analyze Docker image layers with Dive
- Scan for vulnerabilities with Trivy
- Check image security with Dockle
- Support AI CLI agents in container image creation
---
## 📁 Directory Structure
## 🛠️ Tools Included
- `Dockerfile`: Defines the container image
- `build.sh`: Builds the container image
- `run.sh`: Runs the container with appropriate settings
- `release.sh`: Builds and pushes container images with multiple tags
- `test.sh`: Test script to verify all tools are working
| 🛠️ Tool | 📝 Description |
|---------|----------------|
| 🐳 **[Hadolint](https://github.com/hadolint/hadolint)** | Dockerfile linter that checks for best practices |
| 🐚 **[ShellCheck](https://www.shellcheck.net/)** | Static analysis tool for shell scripts |
| 🛡️ **[Trivy](https://github.com/aquasecurity/trivy)** | Comprehensive vulnerability scanner for containers |
| 🐳 **Docker Client** | Command-line interface for Docker |
| 🔍 **[Dive](https://github.com/wagoodman/dive)** | Tool to explore layers in Docker images |
| 🏗️ **Buildctl** | BuildKit client for advanced builds |
| 🐳 **[Dockerlint](https://github.com/RedCoolBeans/dockerlint)** | Additional Dockerfile linter |
| 🟨 **[Node.js](https://nodejs.org/)** | JavaScript runtime for additional tooling |
## 🛡️ Security
---
- Runs as a non-root user (`qadocker`) by default
- Contains only essential tools needed for QA work
- Designed to be minimal and fast to rebuild if security issues are discovered
## 📊 Image Details
## 🧪 Testing
| 🧩 Aspect | 📌 Value |
|-----------|----------|
| 🏗️ **Base Image** | Ubuntu 24.04 |
| 🔐 **Foundation** | Does NOT use the toolbox-base as foundation (unlike other toolboxes) |
| 👤 **Non-Root User** | Contains a non-root user `qadocker` for security |
| ⚡ **Optimization** | Optimized for fast rebuilds and audits |
To verify that all tools are working correctly in the container:
---
## 🚀 Usage
### 🏗️ Build the Image
```bash
./build.sh
# Run the test script to verify all tools
./test.sh
# Or run the test script inside the container
docker run --rm -v $(pwd)/test.sh:/test.sh tsysdevstack-toolboxstack-toolbox-qadocker:dev bash /test.sh
```
### 🖥️ Run the Container Interactively
## 🔍 Dockerfile QA
You can use this toolbox to check Dockerfiles for best practices using Hadolint:
```bash
./run.sh
# Run Hadolint on a Dockerfile
docker run --rm -v $(pwd):/workspace -w /workspace tsysdevstack-toolboxstack-toolbox-qadocker:dev hadolint Dockerfile
# Run ShellCheck on shell scripts
docker run --rm -v $(pwd):/workspace -w /workspace tsysdevstack-toolboxstack-toolbox-qadocker:dev shellcheck your_script.sh
# Run Trivy for vulnerability scanning
docker run --rm -v $(pwd):/workspace -w /workspace tsysdevstack-toolboxstack-toolbox-qadocker:dev trivy fs --offline-scan .
# Run Dockle for container image linter
docker run --rm -v $(pwd):/workspace -w /workspace tsysdevstack-toolboxstack-toolbox-qadocker:dev dockle .
```
### 🐳 Run Directly with Docker
```bash
docker run -it --rm \
-v "$(pwd)":/workspace \
-w /workspace \
tsysdevstack-toolboxstack-toolbox-qadocker:dev \
bash
```
## 📝 Dockerfile Compliance
### 🔍 Run QA on a Dockerfile
```bash
docker run --rm -v /path/to/project:/workspace -w /workspace tsysdevstack-toolboxstack-toolbox-qadocker:dev hadolint --config .hadolint.yaml Dockerfile
```
The Dockerfile is designed to meet Docker best practices and security standards. It has been optimized to:
### 🐚 Run QA on Shell Scripts
```bash
docker run --rm -v /path/to/project:/workspace -w /workspace tsysdevstack-toolboxstack-toolbox-qadocker:dev shellcheck script.sh
```
- Use minimal base image (Ubuntu 24.04)
- Install packages with `--no-install-recommends` to reduce bloat
- Download packages with quiet mode to reduce output
- Create a non-root user for running tools
- Follow security best practices for container images
- Comply with Hadolint and Dockle recommendations where possible
### 📊 Run Comprehensive Audit
```bash
# Using the custom audit script
docker run --rm -v /path/to/project:/workspace -w /workspace tsysdevstack-toolboxstack-toolbox-qadocker:dev bash -c "./audit-dockerfile.sh Dockerfile"
```
## 📝 License
---
## 👤 Non-Root User
- 🏃‍♂️ The container runs as the `qadocker` user by default
- 🛡️ For security purposes, this reduces attack surface
- 🧑‍💻 If you need root access, run the container with `--user root`
---
## 🔒 Security
| 🔒 Security Aspect | 📋 Details |
|-------------------|------------|
| 🛡️ **Best Practices** | Built with security best practices in mind |
| 🔓 **Attack Surface** | Minimal attack surface |
| 👤 **User Privileges** | Non-root user for running tools |
| 🛡️ **Scanning** | Regular security scanning with Trivy |
---
## 🛠️ Development
- 🧩 This image is designed to be simple to modify and rebuild
- 🧱 The Dockerfile contains all necessary tool installations
- 🚀 Optimized for caching and build speed
- 🧪 Includes custom audit scripts for Dockerfile best practices
---
## 🔍 QA Process
| ✅ QA Step | 📝 Description |
|------------|----------------|
| 🐳 **Hadolint Validation** | Validating the Dockerfile with Hadolint |
| 🐚 **ShellCheck** | Checking shell scripts with ShellCheck |
| 🛡️ **Trivy Scan** | Running filesystem scans with Trivy |
| 🧪 **Tool Verification** | Verifying all tools are properly installed |
| 📊 **Custom Audit** | Using custom scripts to check for best practices |
---
## 📈 Audit Capabilities
Toolbox-QADocker excels at identifying:
-**Security Issues**: Common vulnerabilities and misconfigurations
- ⚙️ **Best Practices**: Adherence to Dockerfile best practices
- 🔒 **Root Usage**: Minimizing root operations in Docker builds
- 🚀 **Optimization**: Layer efficiency and image size optimization
- 🛡️ **Configuration Issues**: Potential security misconfigurations
---
## 📄 License
See [LICENSE](../../LICENSE) for full terms.
This project is part of the TSYSDevStack project. See the main LICENSE file in the repository root for details.

96
ToolboxStack/output/toolbox-qadocker/audit-dockerfile.sh
View File

@@ -1,96 +0,0 @@
#!/bin/bash
# Script to audit Dockerfiles for best practices, especially minimal root usage
set -e
echo "Starting Dockerfile audit for best practices..."
if [ -z "$1" ]; then
echo "Usage: $0 <path_to_dockerfile>"
echo "Example: $0 Dockerfile"
exit 1
fi
DOCKERFILE_PATH="$1"
if [ ! -f "$DOCKERFILE_PATH" ]; then
echo "Error: Dockerfile not found at $DOCKERFILE_PATH"
exit 1
fi
echo "Auditing Dockerfile: $DOCKERFILE_PATH"
echo
# Hadolint check
echo "1. Running Hadolint (Dockerfile linter)..."
if command -v hadolint &> /dev/null; then
hadolint --config .hadolint.yaml "$DOCKERFILE_PATH" && echo " ✓ Hadolint passed" || echo " ⚠ Hadolint found issues (as configured to ignore some warnings)"
else
echo " ⚠ Hadolint not found"
fi
echo
# Dockerlint check
echo "2. Running Dockerlint..."
if command -v dockerlint &> /dev/null; then
dockerlint -f "$DOCKERFILE_PATH" && echo " ✓ Dockerlint passed" || echo " ⚠ Dockerlint found issues"
else
echo " ⚠ Dockerlint not found"
fi
echo
# Custom check for minimal root usage
echo "3. Checking for minimal root usage in Dockerfile..."
echo " Looking for operations that should use non-root user..."
# Simple check for RUN commands before USER (implying root operations)
echo " Checking for potential root usage issues..."
BEFORE_USER_SECTION=true
while IFS= read -r line; do
if [[ $line =~ ^USER[[:space:]] ]]; then
BEFORE_USER_SECTION=false
elif [[ $line =~ ^RUN[[:space:]] ]] && [ "$BEFORE_USER_SECTION" = true ]; then
echo " ROOT RUN: $line"
if [[ $line =~ (apt-get|apt|yum|dnf|install|add-apt-repository) ]]; then
echo " ⚠ This RUN command executes as root with package management - consider if this is necessary"
fi
if [[ $line =~ (chmod|chown|useradd|groupadd) ]]; then
echo " ⚠ This RUN command executes as root with system modifications - consider if this is necessary"
fi
fi
done < "$DOCKERFILE_PATH"
echo " Note: For security, try to limit operations as root to only package installs and system setup"
echo " After those operations, switch to a non-root user with USER <username>"
echo
echo "4. Additional security recommendations:"
# Check for non-root user creation
if grep -qE "USER [^0][0-9]*|USER [a-zA-Z]" "$DOCKERFILE_PATH"; then
echo " ✓ Non-root user found in Dockerfile"
else
echo " ⚠ Consider adding a non-root user with 'USER <username>' directive after root operations"
fi
# Check for minimal packages installation
if grep -q "apt-get install\|yum install\|apk add" "$DOCKERFILE_PATH"; then
echo " ✓ Package installation found - ensure using --no-install-recommends (apt) or equivalent"
else
echo " - No package installation found"
fi
# Check for layer optimization
RUN_COUNT=$(grep -c "^RUN " "$DOCKERFILE_PATH")
if [ "$RUN_COUNT" -gt 5 ]; then
echo " ⚠ Multiple ($RUN_COUNT) RUN commands found - consider combining where possible for fewer layers"
fi
echo
echo "Dockerfile audit completed!"
echo
echo "For more detailed analysis, you can also build the image and scan it with:"
echo " trivy image <image_name>"
echo " dive <image_name> # if analyzing built images"

63
ToolboxStack/output/toolbox-qadocker/build.sh
View File

@@ -1,12 +1,69 @@
#!/bin/bash
#!/usr/bin/env bash
# Build script for toolbox-qadocker
set -e
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
# Print colored output
print_status() {
echo -e "${GREEN}[INFO]${NC} $1"
}
print_warning() {
echo -e "${YELLOW}[WARNING]${NC} $1"
}
print_error() {
echo -e "${RED}[ERROR]${NC} $1"
}
# Default values
IMAGE_NAME="tsysdevstack-toolboxstack-toolbox-qadocker"
TAG="dev"
DOCKERFILE_PATH="Dockerfile"
# Parse command line arguments
while [[ $# -gt 0 ]]; do
case $1 in
--tag)
TAG="$2"
shift 2
;;
--file)
DOCKERFILE_PATH="$2"
shift 2
;;
--help)
echo "Usage: $0 [--tag TAG] [--file DOCKERFILE_PATH]"
echo ""
echo "Options:"
echo " --tag TAG Specify the tag for the image (default: dev)"
echo " --file DOCKERFILE_PATH Specify the path to the Dockerfile (default: Dockerfile)"
echo " --help Show this help message"
exit 0
;;
*)
print_error "Unknown option: $1"
exit 1
;;
esac
done
IMAGE_TAGGED_NAME="${IMAGE_NAME}:${TAG}"
print_status "Building ${IMAGE_TAGGED_NAME}"
# Build the Docker image
docker build -t "$IMAGE_NAME:$TAG" .
docker build -t "${IMAGE_TAGGED_NAME}" -f "${DOCKERFILE_PATH}" .
echo "Successfully built $IMAGE_NAME:$TAG"
if [ $? -eq 0 ]; then
print_status "Successfully built ${IMAGE_TAGGED_NAME}"
else
print_error "Failed to build ${IMAGE_TAGGED_NAME}"
exit 1
fi

13
ToolboxStack/output/toolbox-qadocker/docker-compose.yml
View File

@@ -1,13 +0,0 @@
version: '3.8'
services:
qadocker:
build: .
container_name: toolbox-qadocker
volumes:
- .:/workspace
- /var/run/docker.sock:/var/run/docker.sock # Allow Docker-in-Docker if needed
working_dir: /workspace
stdin_open: true
tty: true
command: bash

124
ToolboxStack/output/toolbox-qadocker/release.sh Executable file
View File

@@ -0,0 +1,124 @@
#!/usr/bin/env bash
# Release script for toolbox-qadocker
set -e
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
# Print colored output
print_status() {
echo -e "${GREEN}[INFO]${NC} $1"
}
print_warning() {
echo -e "${YELLOW}[WARNING]${NC} $1"
}
print_error() {
echo -e "${RED}[ERROR]${NC} $1"
}
# Default values
IMAGE_NAME="tsysdevstack-toolboxstack-toolbox-qadocker"
DEV_TAG="dev"
RELEASE_CURRENT_TAG="release-current"
DOCKERFILE_PATH="Dockerfile"
ALLOW_DIRTY=false
DRY_RUN=false
# Parse command line arguments
while [[ $# -gt 0 ]]; do
case $1 in
--version)
VERSION_TAG="$2"
shift 2
;;
--file)
DOCKERFILE_PATH="$2"
shift 2
;;
--allow-dirty)
ALLOW_DIRTY=true
shift
;;
--dry-run)
DRY_RUN=true
shift
;;
--help)
echo "Usage: $0 --version VERSION [--file DOCKERFILE_PATH] [--allow-dirty] [--dry-run]"
echo ""
echo "Options:"
echo " --version VERSION Specify the version tag for the release (required)"
echo " --file DOCKERFILE_PATH Specify the path to the Dockerfile (default: Dockerfile)"
echo " --allow-dirty Allow release from a dirty git tree"
echo " --dry-run Perform a dry run without actually building or pushing"
echo " --help Show this help message"
exit 0
;;
*)
print_error "Unknown option: $1"
exit 1
;;
esac
done
if [[ -z "$VERSION_TAG" ]]; then
print_error "Version tag is required. Use --version to specify it."
exit 1
fi
# Check if git tree is clean (unless --allow-dirty is specified)
if [[ "$ALLOW_DIRTY" == false ]]; then
if [[ -z $(git status --porcelain) ]]; then
print_status "Git tree is clean"
else
print_error "Git tree is not clean. Commit your changes or use --allow-dirty to override."
exit 1
fi
fi
# Determine the build command based on DRY_RUN flag
BUILD_CMD="docker build"
if [[ "$DRY_RUN" == true ]]; then
BUILD_CMD="echo [DRY RUN] Would run: docker build"
fi
# Build the Docker image with all tags
print_status "Building ${IMAGE_NAME} with tags: ${DEV_TAG}, ${RELEASE_CURRENT_TAG}, ${VERSION_TAG}"
$BUILD_CMD -t "${IMAGE_NAME}:${DEV_TAG}" -t "${IMAGE_NAME}:${RELEASE_CURRENT_TAG}" -t "${IMAGE_NAME}:${VERSION_TAG}" -f "${DOCKERFILE_PATH}" .
if [ $? -ne 0 ]; then
print_error "Failed to build the image(s)"
exit 1
fi
if [[ "$DRY_RUN" == false ]]; then
print_status "Successfully built images with tags: ${DEV_TAG}, ${RELEASE_CURRENT_TAG}, ${VERSION_TAG}"
else
print_status "Dry run completed - would have built images with tags: ${DEV_TAG}, ${RELEASE_CURRENT_TAG}, ${VERSION_TAG}"
fi
# Push the images unless in dry run mode
if [[ "$DRY_RUN" == false ]]; then
print_status "Pushing ${IMAGE_NAME}:${DEV_TAG}"
docker push "${IMAGE_NAME}:${DEV_TAG}"
print_status "Pushing ${IMAGE_NAME}:${RELEASE_CURRENT_TAG}"
docker push "${IMAGE_NAME}:${RELEASE_CURRENT_TAG}"
print_status "Pushing ${IMAGE_NAME}:${VERSION_TAG}"
docker push "${IMAGE_NAME}:${VERSION_TAG}"
if [ $? -eq 0 ]; then
print_status "Successfully pushed all images"
else
print_error "Failed to push images"
exit 1
fi
fi

32
ToolboxStack/output/toolbox-qadocker/run-audit.sh
View File

@@ -1,32 +0,0 @@
#!/bin/bash
# Script to run Dockerfile auditing tools inside the toolbox-qadocker container
set -e
if [ -z "$1" ]; then
echo "Usage: $0 <path_to_dockerfile>"
echo "Example: $0 Dockerfile"
echo "This script mounts the current directory and runs auditing tools inside the container"
exit 1
fi
DOCKERFILE_PATH="$1"
if [ ! -f "$DOCKERFILE_PATH" ]; then
echo "Error: Dockerfile not found at $DOCKERFILE_PATH"
exit 1
fi
echo "Running Dockerfile audit using toolbox-qadocker container..."
echo "Auditing Dockerfile: $DOCKERFILE_PATH"
echo
# Run the audit using the container
docker run --rm \
-v "$(pwd)":/workspace \
-w /workspace \
tsysdevstack-toolboxstack-toolbox-qadocker:dev \
bash -c "./test-qa.sh && echo '' && echo 'Running custom audit script...' && ./audit-dockerfile.sh $DOCKERFILE_PATH"
echo
echo "Audit completed!"

119
ToolboxStack/output/toolbox-qadocker/run.sh Normal file → Executable file
View File

@@ -1,15 +1,118 @@
#!/bin/bash
#!/usr/bin/env bash
# Run script for toolbox-qadocker
set -e
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
# Print colored output
print_status() {
echo -e "${GREEN}[INFO]${NC} $1"
}
print_warning() {
echo -e "${YELLOW}[WARNING]${NC} $1"
}
print_error() {
echo -e "${RED}[ERROR]${NC} $1"
}
# Default values
IMAGE_NAME="tsysdevstack-toolboxstack-toolbox-qadocker"
TAG="dev"
CONTAINER_NAME="tsysdevstack-toolboxstack-toolbox-qadocker-run"
INTERACTIVE=true
TTY=true
MOUNT_CURRENT_DIR=true
DOCKER_SOCKET=false
# Run the Docker container
docker run -it --rm \
-v "$(pwd)":/workspace \
-w /workspace \
--name "toolbox-qadocker-container" \
"$IMAGE_NAME:$TAG" \
"$@"
# Parse command line arguments
while [[ $# -gt 0 ]]; do
case $1 in
--tag)
TAG="$2"
shift 2
;;
--name)
CONTAINER_NAME="$2"
shift 2
;;
--no-tty)
TTY=false
shift
;;
--no-interactive)
INTERACTIVE=false
shift
;;
--no-mount)
MOUNT_CURRENT_DIR=false
shift
;;
--with-docker)
DOCKER_SOCKET=true
shift
;;
--help)
echo "Usage: $0 [--tag TAG] [--name NAME] [--no-tty] [--no-interactive] [--no-mount] [--with-docker]"
echo ""
echo "Options:"
echo " --tag TAG Specify the tag for the image to run (default: dev)"
echo " --name NAME Specify the container name (default: tsysdevstack-toolboxstack-toolbox-qadocker-run)"
echo " --no-tty Disable TTY allocation"
echo " --no-interactive Disable interactive mode"
echo " --no-mount Don't mount current directory to /workspace"
echo " --with-docker Mount Docker socket to use Docker from inside container"
echo " --help Show this help message"
exit 0
;;
*)
print_error "Unknown option: $1"
exit 1
;;
esac
done
IMAGE_TAGGED_NAME="${IMAGE_NAME}:${TAG}"
# Check if the image exists
if ! docker images --format "{{.Repository}}:{{.Tag}}" | grep -q "^${IMAGE_NAME}:${TAG}$"; then
print_error "Image ${IMAGE_TAGGED_NAME} does not exist. Please build it first."
exit 1
fi
# Build docker run command
RUN_CMD="docker run"
if [[ "$INTERACTIVE" == true ]]; then
RUN_CMD="${RUN_CMD} -i"
fi
if [[ "$TTY" == true ]]; then
RUN_CMD="${RUN_CMD} -t"
fi
# Mount current directory to /workspace
if [[ "$MOUNT_CURRENT_DIR" == true ]]; then
RUN_CMD="${RUN_CMD} -v $(pwd):/workspace -w /workspace"
fi
# Mount Docker socket if requested
if [[ "$DOCKER_SOCKET" == true ]]; then
RUN_CMD="${RUN_CMD} -v /var/run/docker.sock:/var/run/docker.sock"
fi
RUN_CMD="${RUN_CMD} --name ${CONTAINER_NAME}"
# Add the image name
RUN_CMD="${RUN_CMD} ${IMAGE_TAGGED_NAME}"
print_status "Running: ${RUN_CMD}"
# Execute the command
eval $RUN_CMD

39
ToolboxStack/output/toolbox-qadocker/test-qa.sh
View File

@@ -1,39 +0,0 @@
#!/bin/bash
# Script to QA the toolbox-qadocker image using the tools inside it
set -e
echo "Starting QA of toolbox-qadocker image..."
# Test 1: Hadolint - Lint the Dockerfile
echo "Testing Dockerfile with Hadolint..."
docker run --rm -i -v "$(pwd)":/workspace -w /workspace tsysdevstack-toolboxstack-toolbox-qadocker:dev hadolint --config .hadolint.yaml /workspace/Dockerfile
echo "Hadolint check passed!"
# Test 2: ShellCheck - Lint shell scripts
echo "Testing shell scripts with ShellCheck..."
docker run --rm -i -v "$(pwd)":/workspace tsysdevstack-toolboxstack-toolbox-qadocker:dev shellcheck /workspace/build.sh /workspace/run.sh
echo "ShellCheck passed!"
# Test 3: Trivy - Run a filesystem scan
echo "Testing filesystem with Trivy..."
# Skip downloading DB for this test by using offline mode
docker run --rm -i -v "$(pwd)":/workspace tsysdevstack-toolboxstack-toolbox-qadocker:dev trivy fs --offline-scan /workspace
echo "Trivy scan completed!"
# Test 4: Use the Docker client to check version (skip daemon connection test)
echo "Testing Docker client functionality..."
docker run --rm -i tsysdevstack-toolboxstack-toolbox-qadocker:dev docker version 2>/dev/null || echo "Docker client present (version check failed as expected without daemon)"
echo "Docker client test passed!"
# Test 5: Run the container in interactive mode and check tools
echo "Running interactive test..."
docker run --rm -i tsysdevstack-toolboxstack-toolbox-qadocker:dev bash -c "which hadolint && which shellcheck && which trivy && which docker && which buildctl && which dockerlint"
echo "All tools are properly installed!"
# Test 6: Run dockerlint on a sample Dockerfile
echo "Testing Dockerlint..."
docker run --rm -i -v "$(pwd)":/workspace -w /workspace tsysdevstack-toolboxstack-toolbox-qadocker:dev dockerlint Dockerfile
echo "Dockerlint test completed!"
echo "All QA tests completed successfully!"

52
ToolboxStack/output/toolbox-qadocker/test.sh Executable file
View File

@@ -0,0 +1,52 @@
#!/usr/bin/env bash
# Test script for toolbox-qadocker
set -e
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
# Print colored output
print_status() {
echo -e "${GREEN}[INFO]${NC} $1"
}
print_warning() {
echo -e "${YELLOW}[WARNING]${NC} $1"
}
print_error() {
echo -e "${RED}[ERROR]${NC} $1"
}
print_status "Testing all installed QA tools in toolbox-QADocker:"
print_status "1. Testing Hadolint (Dockerfile linter)..."
echo "FROM ubuntu:24.04
RUN apt-get update
RUN apt-get install -y curl" > /tmp/test.Dockerfile
hadolint /tmp/test.Dockerfile || echo "Hadolint found issues (expected in test file)"
print_status "2. Testing ShellCheck (shell script linter)..."
echo '#!/bin/bash
var=hello
echo $var' > /tmp/test.sh
chmod +x /tmp/test.sh
shellcheck /tmp/test.sh || echo "ShellCheck found issues (expected in test file)"
print_status "3. Testing Trivy (vulnerability scanner)..."
trivy --version
print_status "4. Testing Dockle (container linter)..."
dockle --version
print_status "5. Testing Docker client..."
docker --version
print_status "6. Testing Node.js..."
node --version
print_status "All tools are properly installed and functional!"