diff --git a/Dockerfile b/Dockerfile
index d46f316..14a50a7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,3 +1,5 @@
+ARG SEMGREP_VERSION=1.75.0
+
 FROM golang:alpine3.20 as build
 # Link to All Apps https://arc.net/folder/40C7B38D-FE7B-4DCE-BEF2-49C652757741
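Review bot: `ARG SEMGREP_VERSION=1.75.0` at the top of the file now names a Docker Hub tag of the semgrep/semgrep image rather than the git tag the removed stage checked out (which carried a leading `v`), and nothing on the line says so; a one-line comment keeps the next bumper from reintroducing the prefix: `# Tag of the semgrep/semgrep image whose semgrep-core binary is copied into the final stage (image tag, no leading "v")`. Because this value now selects a prebuilt scanner binary that the build no longer compiles from a pinned source tag, consider pinning the default by digest as well, e.g. `ARG SEMGREP_VERSION=1.75.0@sha256:<digest-of-semgrep/semgrep:1.75.0>`, so that a re-pushed tag cannot change the image contents silently. The first build stage continues past this hunk.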
@@ -68,70 +70,7 @@ FROM rust:alpine3.20 as build-just
 RUN apk add musl-dev
 RUN cargo install just
-# Build Semgrep Core
-#
-# The Docker image below (after the 'FROM') is prepackaged with 'ocamlc',
-# 'opam', and lots of packages that are used by semgrep-core and installed in
-# the 'make install-deps' command further below.
-# See https://github.com/returntocorp/ocaml-layer/blob/master/configs/alpine.sh
-# for this list of packages.
-# Thanks to this container, 'make install-deps' finishes very quickly because it's
-# mostly a noop. Alternative base container candidates are:
-#
-# - 'ocaml/opam:alpine', the official OCaml/opam Docker image,
-# but building our Docker image would take longer because
-# of all the necessary Semgrep dependencies installed in 'make install-deps'.
-#
-# We build a new Semgrep Docker image on each pull-request (PR) so we don't
-# want to wait 30min each time just for 'docker build' to finish.
-#
-# Note also that ocaml/opam:alpine default user is 'opam', not 'root', which
-# is not without problems when used inside Github actions (GHA) or even inside
-# this Dockerfile.
-#
-# - 'alpine', the official Alpine Docker image, but this would require some
-# extra 'apk' commands to install opam, and extra commands to setup OCaml
-# with this opam from scratch, and more importantly this would take
-# far more time to finish. Moreover, it is not trivial to work from such
-# a base container as 'opam' itself requires lots of extra
-# tools like gcc, make, which are not provided by default on Alpine.
-#
-# An alternative to ocaml-layer would be to use https://depot.dev/
-#
-# Note that the Docker base image below currently uses OCaml 4.14.0
-# coupling: if you modify the OCaml version there, you probably also need
-# to modify:
-# - scripts/{osx-setup-for-release,setup-m1-builder}.sh
-# - doc/SEMGREP_CORE_CONTRIBUTING.md
-# - https://github.com/Homebrew/homebrew-core/blob/master/Formula/semgrep.rb
-#
-# coupling: if you modify the FROM below, you probably need to modify also
-# a few .github/workflows/ files. grep for returntocorp/ocaml there.
-
-FROM returntocorp/ocaml:alpine as build-semgrep-core
-
-ARG SEMGREP_VERSION=v1.75.0
-
-WORKDIR /src
-
-RUN apk add --no-cache git make
-
-RUN git clone --recurse-submodules --branch ${SEMGREP_VERSION} --depth=1 --single-branch https://github.com/semgrep/semgrep /src/semgrep
-
-WORKDIR /src/semgrep
-
-RUN make install-deps-ALPINE-for-semgrep-core &&\
- make install-deps-for-semgrep-core
-
-COPY Makefile.semgrep .
-
-# Let's build just semgrep-core
-# Note: I'm not sure that using dune --release actually makes an appreciable difference
-# The binary is the same size, and I haven't tested the result when building without --release
-RUN eval "$(opam env)" &&\
- make -f Makefile.semgrep release-build &&\
- # Sanity check
- /src/semgrep/_build/default/src/main/Main.exe -version
+FROM semgrep/semgrep:$SEMGREP_VERSION as semgrep
 FROM alpine:3.20
@@ -147,7 +86,7 @@ LABEL io.artifacthub.package.readme-url="https://raw.githubusercontent.com/CMS-E
 LABEL io.artifacthub.package.license="Apache-2.0"
 COPY --from=build-just /usr/local/cargo/bin/just /usr/local/bin/just
-COPY --from=build-semgrep-core /src/semgrep/_build/default/src/main/Main.exe /usr/local/bin/osemgrep
+COPY --from=semgrep /usr/local/bin/semgrep-core /usr/local/bin/osemgrep
 COPY --from=build /usr/local/bin/grype /usr/local/bin/grype
 COPY --from=build /usr/local/bin/syft /usr/local/bin/syft
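Review bot: `FROM semgrep/semgrep:$SEMGREP_VERSION as semgrep` swaps a from-source build for a prebuilt image, but the hunk also removes the only documentation of where semgrep-core comes from and how its version is coupled; the new stage should carry a short comment, e.g. `# Prebuilt semgrep-core is taken from the upstream semgrep/semgrep image; bump SEMGREP_VERSION (top of file) to upgrade.` The removed block also recorded a coupling with `.github/workflows/` files that reference `returntocorp/ocaml`; this diff does not touch those workflows, so if they still reference that image they are presumably stale now and worth a follow-up. As a style point, the other stages use a `build-` prefix (`build`, `build-just`), so a name such as `build-semgrep` would keep that convention.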
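Review bot: `COPY --from=semgrep /usr/local/bin/semgrep-core /usr/local/bin/osemgrep` drops the `-version` sanity check the removed build stage ran, and a binary lifted out of another image into `alpine:3.20` only fails at container start if it needs a shared library or companion file the final stage lacks; add a check right after the COPY, `RUN /usr/local/bin/osemgrep -version` (the flag spelling the removed check used — adjust if the renamed binary expects another), so a bad extraction fails the build rather than the first scan. The rename from `semgrep-core` to `osemgrep` is carried over from the old line, but its reason is no longer visible anywhere; if the binary selects its behaviour from the name it is invoked as (not confirmable from this diff), a comment on this line saying so would stop a future cleanup from "fixing" the name. Whether the upstream binary is statically linked is not shown here, so confirming once with `ldd` on the copied file before relying on it is worthwhile.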