additional fixes to make .portage.yml the recommended way to configure portage.
ayee808 committed Dec 7, 2024
1 parent 8acbcf4 commit 54444ee
Showing 4 changed files with 35 additions and 12 deletions.
19 changes: 12 additions & 7 deletions Dockerfile
@@ -122,8 +122,11 @@ LABEL io.artifacthub.package.license="Apache-2.0"

FROM portage-base AS portage-podman

# Install podman CLIs
RUN apk update && apk add --no-cache podman fuse-overlayfs
USER root
# Update repositories and install packages
RUN apk add --no-cache --update-cache \
podman \
fuse-overlayfs

COPY docker/storage.conf /etc/containers/
COPY docker/containers.conf /etc/containers/
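Review bot: the `podman` and `fuse-overlayfs` packages in the new `RUN apk add --no-cache --update-cache` line are unpinned, so every rebuild of the `portage-podman` stage picks up whatever version the Alpine repository currently serves; for a reproducible, auditable image pin them (apk's `podman=<version>` form, version as a placeholder here) or at least make sure the resolved versions end up in the SBOM produced by the pipeline. The explicit `USER root` at the top of the stage is the right call since the install needs root, but it means the stage now relies on the later `USER podman` line to drop privileges, so any future root-only step must stay above that switch.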
@@ -134,15 +137,17 @@ RUN addgroup -S podman && adduser -S podman -G podman && \

COPY docker/rootless-containers.conf /home/podman/.config/containers/containers.conf

RUN mkdir -p /home/podman/.local/share/containers
RUN chown podman:podman -R /home/podman
RUN mkdir -p /home/podman/.local/share/containers && \
chown podman:podman -R /home/podman && \
mkdir -p /var/lib/clamav && \
chown podman /var/lib/clamav && \
chown podman /etc/clamav && \
chmod g+w /var/lib/clamav

VOLUME /var/lib/containers
VOLUME /home/podman/.local/share/containers

RUN mkdir -p /var/lib/clamav
RUN chown podman /var/lib/clamav && chown podman /etc/clamav
RUN chmod g+w /var/lib/clamav
USER podman

LABEL org.opencontainers.image.title="portage-podman"

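Review bot: in the consolidated `RUN`, `chown podman /var/lib/clamav` changes only the owner, so the following `chmod g+w /var/lib/clamav` grants write access to whatever group the directory already carries (root's group by default), not to the `podman` group created in the hunk header; if the goal is that processes running in the `podman` group can update signatures, use `chown podman:podman /var/lib/clamav`, otherwise drop the `g+w`. Reconsider `chown podman /etc/clamav` as well: giving the unprivileged runtime user ownership of the configuration directory means a compromised scan process can rewrite the ClamAV configuration; the directory that genuinely needs to be writable is the database directory, so `/etc/clamav` can stay root-owned and readable. Both points predate this commit, but merging the three `RUN` lines is a good moment to fix them.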
24 changes: 20 additions & 4 deletions README.md
@@ -52,16 +52,18 @@ go build -ldflags="-X 'main.cliVersion=$(git describe --tags)' -X 'main.gitCommi
```


## Running A Pipeline
## Getting Details of the Portage Pipeline Tooling

You can run the executable directory
To view tooling details, run the following command:

```bash
portage run debug
```

## Configuring a Pipeline

Portage uses a number of configuration sources to determine the behavior of the pipeline. The order of precedence is as follows:

Configuration Options:

- Configuration via CLI flags
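Review bot: in the new "Configuring a Pipeline" paragraph, "The order of precedence is as follows:" is immediately followed by the "Configuration Options:" list of sources, while the actual ordered list ("Configuration Order-of-Precedence:") only comes further down; reword to something like "Portage reads configuration from several sources; the sources and their order of precedence are listed below." so readers do not take the first list as the precedence order.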
@@ -77,6 +79,12 @@ Configuration Order-of-Precedence:
3. Config File Value
4. Default Value

The recommended way to configure portage is to create a `.portage.yml` file in the root of your project. To generate a sample configuration file, run the following command:

```bash
portage config init .portage.yml
```

Note: `(none)` means unset, left blank

| Config Key | Environment Variable | Default Value | Description |
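Review bot: the `portage config init .portage.yml` snippet should state what the command does when `.portage.yml` already exists (overwrite, refuse, or merge) and whether the generated file contains only the defaults from the table below; someone running it in a project with an already tuned config needs that before they run it. It is also worth saying that the file is read from the working directory, so the `.portage.yml` committed to the repository is the one CI will use, and it deserves the same review as any other CI definition.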
@@ -87,8 +95,8 @@ Note: `(none)` means unset, left blank
| codescan.semgrepfilename | PORTAGE_CODE_SCAN_SEMGREP_FILENAME | semgrep-sast-report.json | The filename for the semgrep SAST report - must contain 'semgrep' |
| codescan.semgreprules | PORTAGE_CODE_SCAN_SEMGREP_RULES | p/default | Semgrep ruleset manual override |
| codescan.semgrepexperimental | PORTAGE_CODE_SCAN_SEMGREP_EXPERIMENTAL | false | Enable the use of the semgrep experimental CLI |
| deploy.enabled | PORTAGE_IMAGE_PUBLISH_ENABLED | 1 | Enable/Disable the deploy pipeline |
| deploy.gatecheckconfigfilename | PORTAGE_DEPLOY_GATECHECK_CONFIG_FILENAME | - | The filename for the gatecheck config |
| deploy.enabled | PORTAGE_IMAGE_PUBLISH_ENABLED | 1 | Enable/Disable the publishing to a registry pipeline |
| deploy.gatecheckconfigfilename | PORTAGE_DEPLOY_GATECHECK_CONFIG_FILENAME | .gatecheck.yml | The filename for the gatecheck config |
| gatecheckbundlefilename | PORTAGE_GATECHECK_BUNDLE_FILENAME | artifacts/gatecheck-bundle.tar.gz | The filename for the gatecheck bundle, a validatable archive of security artifacts |
| imagebuild.args | PORTAGE_IMAGE_BUILD_ARGS | - | Comma seperated list of build time variables |
| imagebuild.builddir | PORTAGE_IMAGE_BUILD_DIR | . | The build directory to using during an image build |
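Review bot: the `deploy.enabled` row still pairs a `deploy.*` config key with the `PORTAGE_IMAGE_PUBLISH_ENABLED` environment variable, and the updated description now talks about "publishing to a registry"; with the stage itself named `image-publish`, either the key or the env var is the odd one out and the three names should be aligned (or the mismatch called out explicitly so users do not look for `PORTAGE_DEPLOY_ENABLED`). The new `.gatecheck.yml` default for `deploy.gatecheckconfigfilename` must match the code default in `pkg/pipelines/config.go`; the `config.go` hunk in this commit only adds the `config` entry, so please confirm the code default changed as well. Two typos in the neighbouring rows worth fixing while here: "Comma seperated" and "The build directory to using during".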
@@ -107,6 +115,14 @@ Note: `(none)` means unset, left blank
| imagescan.grypefilename | PORTAGE_IMAGE_SCAN_GRYPE_FILENAME | grype-vulnerability-report-full.json | The filename for the grype vulnerability report - must contain 'grype' |
| imagescan.syftfilename | PORTAGE_IMAGE_SCAN_SYFT_FILENAME | syft-sbom-report.json | The filename for the syft SBOM report - must contain 'syft' |

The portage pipeline is broken into a number of stages. Below are the stages and their purpose:

- `code-scan`: Scans the application code for secrets
- `image-build`: Builds the application image
- `image-scan`: Scans the application image for vulnerabilities
- `image-publish`: Publishes the application image to a registry

Note you cannot run image scan or publish without running the image build stage.

## Running in Docker

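Review bot: the `code-scan` bullet says the stage "Scans the application code for secrets", but the table above carries `codescan.semgrep*` keys for a semgrep SAST report, so the description undersells what the stage does; "Scans the application code for secrets and SAST findings (semgrep)" matches the configuration. The closing sentence needs a comma after "Note" and could name the dependency precisely: `image-scan` and `image-publish` require `image-build` to have run in the same pipeline.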
3 changes: 2 additions & 1 deletion cmd/portage/cli/v0/root.go
@@ -14,7 +14,8 @@ var (
)

func NewPortageCommand() *cobra.Command {
viper.SetConfigName("portage")
viper.SetConfigName(".portage")
viper.SetConfigType("yml")
viper.AddConfigPath(".")
pipelines.BindViper(viper.GetViper())

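Review bot: `viper.SetConfigName(".portage")` together with `viper.SetConfigType("yml")` and `viper.AddConfigPath(".")` hardcodes the lookup, while the `config.go` hunk in this commit adds a `config` default of `.portage.yml`; if that default is meant to be user-overridable, this function should use the resolved value (for example via `viper.SetConfigFile`) instead of the fixed name, otherwise the new default is never consulted. Separately, because the file is resolved from the working directory, whatever checkout Portage is pointed at controls `imagebuild.args`, `imagebuild.builddir` and the report filenames through its `.portage.yml`; that is fine for a project's own CI but should be spelled out in the README so operators treat the file as part of the trusted pipeline definition.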
1 change: 1 addition & 0 deletions pkg/pipelines/config.go
@@ -335,6 +335,7 @@ type defaultValues struct {

// Add this after type definitions but before metaConfig
var defaults = map[string]defaultValues{
"config": {value: ".portage.yml", configPath: ""},
"imagetag": {value: "my-app:latest", configPath: "ImageTag"},
"artifactdir": {value: "artifacts", configPath: "ArtifactDir"},
"gatecheckbundlefilename": {value: "gatecheck-bundle.tar.gz", configPath: "GatecheckBundleFilename"},
