govulncheck to report known vulnerabilities

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2025-07-10 05:27:07 +08:00 · 2024-07-24 14:01:50 +02:00
parent d130f8ef0a
commit 386d599309
3 changed files with 68 additions and 0 deletions
--- a/hack/dockerfiles/govulncheck.Dockerfile
+++ b/hack/dockerfiles/govulncheck.Dockerfile
@ -0,0 +1,23 @@
+# syntax=docker/dockerfile:1
+
+ARG GO_VERSION="1.22"
+ARG GOVULNCHECK_VERSION="v1.1.3"
+ARG FORMAT="text"
+
+FROM golang:${GO_VERSION}-alpine AS base
+WORKDIR /go/src/github.com/docker/buildx
+ARG GOVULNCHECK_VERSION
+RUN --mount=type=cache,target=/root/.cache \
+    --mount=type=cache,target=/go/pkg/mod \
+    go install golang.org/x/vuln/cmd/govulncheck@$GOVULNCHECK_VERSION
+
+FROM base AS run
+ARG FORMAT
+RUN --mount=type=bind,target=. <<EOT
+  set -ex
+  mkdir /out
+  govulncheck -format ${FORMAT} ./... | tee /out/govulncheck.out
+EOT
+
+FROM scratch AS output
+COPY --from=run /out /