From f13ad168902e92b22cddbb7881117fb5e9e0bda2 Mon Sep 17 00:00:00 2001 From: Douglas Coburn Date: Sun, 22 Mar 2026 15:59:05 -0700 Subject: [PATCH 1/2] fix: remove trivy from Docker build while assessing compromise impact --- Dockerfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 1ba2b5e..ff11d58 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,7 +12,7 @@ ARG UV_VERSION=0.10.11 ARG OPENGREP_VERSION=v1.16.5 # ─── Stage: trivy (Dependabot-trackable) ────────────────────────────────────── -FROM aquasec/trivy:${TRIVY_VERSION} AS trivy +# FROM aquasec/trivy:${TRIVY_VERSION} AS trivy # ─── Stage: trufflehog (Dependabot-trackable) ───────────────────────────────── FROM trufflesecurity/trufflehog:${TRUFFLEHOG_VERSION} AS trufflehog @@ -42,7 +42,7 @@ WORKDIR /socket-basics COPY --from=uv /uv /uvx /bin/ # Binary tools from immutable build stages -COPY --from=trivy /usr/local/bin/trivy /usr/local/bin/trivy +# COPY --from=trivy /usr/local/bin/trivy /usr/local/bin/trivy COPY --from=trufflehog /usr/bin/trufflehog /usr/local/bin/trufflehog COPY --from=opengrep-installer /root/.opengrep /root/.opengrep @@ -84,4 +84,4 @@ LABEL org.opencontainers.image.title="Socket Basics" \ ENV PATH="/socket-basics/.venv/bin:/root/.opengrep/cli/latest:/usr/local/bin:$PATH" -ENTRYPOINT ["socket-basics"] +ENTRYPOINT ["socket-basics"] \ No newline at end of file From f87dcd7a006211c3cc398cefb54a51b6b9c1431b Mon Sep 17 00:00:00 2001 From: Douglas Coburn Date: Sun, 22 Mar 2026 16:08:59 -0700 Subject: [PATCH 2/2] fix: smoke test passes only when trivy is not available (temporary removal assessment) --- scripts/smoke-test-docker.sh | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/scripts/smoke-test-docker.sh b/scripts/smoke-test-docker.sh index 2d5b0c3..2962951 100644 --- a/scripts/smoke-test-docker.sh +++ b/scripts/smoke-test-docker.sh 
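Review bot: Commenting out `FROM aquasec/trivy:${TRIVY_VERSION} AS trivy` also removes the only `FROM` that Dependabot parses for this stage (the stage header calls it Dependabot-trackable), so `TRIVY_VERSION` stops receiving bumps and the stage will come back at whatever value the `ARG` held when it is restored; that `ARG` is presumably declared with the others above this hunk and is now unused. The other third-party stage visible in the same hunk, `FROM trufflesecurity/trufflehog:${TRUFFLEHOG_VERSION} AS trufflehog`, is selected by tag only, which is the same exposure this commit is reacting to: a tag can be re-pointed upstream without any change to this Dockerfile. When the trivy stage returns, pin both stages by digest, e.g. `FROM aquasec/trivy:${TRIVY_VERSION}@sha256:<DIGEST-PLACEHOLDER> AS trivy`, so the build resolves to exactly the reviewed image. Also give the disabled line a reason and a revert condition, e.g. `# TEMPORARY: trivy stage disabled while the upstream compromise is assessed; restore digest-pinned`, so `# FROM …` is not read as permanent dead code.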
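Review bot: The disabled `# COPY --from=trivy /usr/local/bin/trivy /usr/local/bin/trivy` line carries no explanation, so someone reading the Dockerfile without this commit cannot tell that the removal is temporary rather than abandoned code; replace the bare comment with `# TEMPORARY: trivy binary not copied while the upstream compromise is assessed; restore together with the trivy FROM stage (tracking: <ISSUE-PLACEHOLDER>)`. The section header `# Binary tools from immutable build stages` also overstates what the remaining `COPY --from=trufflehog` line provides: the trufflehog stage is selected by a version tag (see the first hunk), so the copied binary is only as fixed as that tag, and the comment should either say "tag-pinned" or the stage should be digest-pinned so the word "immutable" is accurate. The opengrep-installer stage is not visible here, so the same may or may not apply to `COPY --from=opengrep-installer`.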
@@ -13,18 +13,22 @@ BUILD_PROGRESS="${SMOKE_TEST_BUILD_PROGRESS:-}" MAIN_TOOLS=( "socket-basics -h" "command -v socket" - "trivy --version" "trufflehog --version" "opengrep --version" ) APP_TESTS_TOOLS=( - "trivy --version" "trufflehog --version" "opengrep --version" "command -v socket" ) +# TEMPORARY: trivy is being removed to assess impact. These checks FAIL if the +# tool is still present in the image — ensures removal is complete. +MUST_NOT_EXIST_TOOLS=( + "trivy" +) + usage() { echo "Usage: $0 [--image-tag TAG] [--app-tests] [--skip-build] [--check-set main|app-tests] [--build-progress MODE]" echo " --skip-build: skip docker build; verify tools in a pre-built image" @@ -104,6 +108,22 @@ run_checks() { done } +# TEMPORARY: verify tools have been fully removed from the image. +# Fails if any tool in the list is still present. +run_must_not_exist_checks() { + local tag="$1" + shift + local tools=("$@") + for tool in "${tools[@]}"; do + if docker run --rm --entrypoint /bin/sh "$tag" -c "command -v $tool" > /dev/null 2>&1; then + echo " FAIL: $tool is still present in the image (expected removal)" + return 1 + else + echo " OK: $tool not found (removal confirmed)" + fi + done +} + cd "$REPO_ROOT" if $SKIP_BUILD; then @@ -116,6 +136,7 @@ if $SKIP_BUILD; then else run_checks "$IMAGE_TAG" "${MAIN_TOOLS[@]}" fi + run_must_not_exist_checks "$IMAGE_TAG" "${MUST_NOT_EXIST_TOOLS[@]}" else # ── Normal mode: build then verify ──────────────────────────────────────── echo "==> Build main image" @@ -129,6 +150,7 @@ else echo "==> Verify tools in main image" run_checks "$IMAGE_TAG" "${MAIN_TOOLS[@]}" + run_must_not_exist_checks "$IMAGE_TAG" "${MUST_NOT_EXIST_TOOLS[@]}" if $RUN_APP_TESTS; then echo "==> Build app_tests image" @@ -141,6 +163,7 @@ else echo "==> Verify tools in app_tests image" run_checks "$APP_TESTS_IMAGE_TAG" "${APP_TESTS_TOOLS[@]}" + run_must_not_exist_checks "$APP_TESTS_IMAGE_TAG" "${MUST_NOT_EXIST_TOOLS[@]}" fi fi
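Review bot: `run_must_not_exist_checks` prints `OK: … not found (removal confirmed)` whenever `docker run` exits non-zero, so a probe that fails for any other reason — wrong image tag, no `/bin/sh` in the image, daemon unreachable — is counted as a confirmed removal; the `if` only distinguishes zero from non-zero and `> /dev/null 2>&1` discards the evidence. Have the in-container shell return distinct codes for present and absent and treat every other exit code as a probe error that fails the check, and pass the tool name to `sh -c` as a positional argument rather than interpolating `$tool` into the command string. The `rc=0; … || rc=$?` form below keeps the probe from aborting the script if it runs under `set -e`, which this hunk does not show either way. The `done }` at the top of this hunk is the tail of `run_checks`, whose body starts outside the hunk.
```shell
run_must_not_exist_checks() {
    local tag="$1"
    shift
    local tools=("$@")
    local rc
    for tool in "${tools[@]}"; do
        # In-container probe: 10 = tool found on PATH, 20 = not found.
        # Any other code means the probe itself failed and must not count as "removed".
        rc=0
        docker run --rm --entrypoint /bin/sh "$tag" \
            -c 'command -v "$1" >/dev/null 2>&1 && exit 10; exit 20' sh "$tool" || rc=$?
        case "$rc" in
            10) echo " FAIL: $tool is still present in the image (expected removal)"; return 1 ;;
            20) echo " OK: $tool not found (removal confirmed)" ;;
            *)  echo " ERROR: could not probe $tool in $tag (docker exit $rc)"; return 1 ;;
        esac
    done
}
```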