Update descriptors for authenticating Github API calls

.automation/build.py

@@ -306,12 +306,28 @@ def build_dockerfile(
                     docker_copy += [dockerfile_item]
                     docker_other += ["# Managed with " + dockerfile_item]
                 # Already used item
-                elif dockerfile_item in all_dockerfile_items:
+                elif (
+                    dockerfile_item in all_dockerfile_items
+                    or dockerfile_item.replace(
+                        "RUN ", "RUN --mount=type=secret,id=GITHUB_TOKEN "
+                    )
+                    in all_dockerfile_items
+                ):
                     dockerfile_item = (
                         "# Next line commented because already managed by another linter\n"
                         "# " + "\n# ".join(dockerfile_item.splitlines())
                     )
                     docker_other += [dockerfile_item]
+                # RUN (standalone with GITHUB_TOKEN)
+                elif (
+                    dockerfile_item.startswith("RUN")
+                    and "GITHUB_TOKEN" in dockerfile_item
+                ):
+                    dockerfile_item_cmd = dockerfile_item.replace(
+                        "RUN ", "RUN --mount=type=secret,id=GITHUB_TOKEN "
+                    )
+                    docker_other += [dockerfile_item_cmd]
+                    is_docker_other_run = False
                 # RUN (start)
                 elif dockerfile_item.startswith("RUN") and is_docker_other_run is False:
                     docker_other += [dockerfile_item]

.trivyignore

@@ -160,3 +160,4 @@ DS013
 DS014
 DS026
 GHSA-5crp-9r3c-p9vr
+GHSA-8x6c-cv3v-vp6g

CHANGELOG.md

@@ -10,7 +10,10 @@ Note: Can be used with `oxsecurity/megalinter@beta` in your GitHub Action mega-l
 
 - Core
   - Upgrade base docker image from python:3.10.4-alpine3.16 to python:3.11.1-alpine3.17
+
+- CI
   - Use docker/build-push-action to build docker images and akhilerm/tag-push-action to release by retagging and pushing beta images instead of rebuilding them
+  - Authenticate to GitHub API during docker build to avoid reaching limits
 
 - Linter versions upgrades
   - [golangci-lint](https://golangci-lint.run/) from 1.51.0 to **1.51.1** on 2023-02-06

Dockerfile

@@ -26,8 +26,8 @@ FROM checkmarx/kics:alpine as kics
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##
@@ -299,19 +299,23 @@ COPY --from=kics /app/bin/assets /opt/kics/assets/
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##
 #############################################################################################
 #OTHER__START
-RUN rc-update add docker boot && rc-service docker start || true \
+RUN rc-update add docker boot && rc-service docker start || true
 # ARM installation
-    && mkdir -p ${PWSH_DIRECTORY} \
-    && curl --retry 5 --retry-delay 5 -s https://api.github.com/repos/powershell/powershell/releases/${PWSH_VERSION} \
+RUN --mount=type=secret,id=GITHUB_TOKEN mkdir -p ${PWSH_DIRECTORY} \
+    && curl --retry 5 --retry-delay 5 -s \
+       -H "Accept: application/vnd.github+json" \
+       -H "Authorization: Bearer $(cat /run/secrets/GITHUB_TOKEN)" \
+       https://api.github.com/repos/powershell/powershell/releases/${PWSH_VERSION} \
         | grep browser_download_url \
         | grep linux-alpine-x64 \
         | cut -d '"' -f 4 \
         | xargs -n 1 wget -O - \
         | tar -xzC ${PWSH_DIRECTORY} \
-    && ln -sf ${PWSH_DIRECTORY}/pwsh /usr/bin/pwsh \
+    && ln -sf ${PWSH_DIRECTORY}/pwsh /usr/bin/pwsh
+
 
 # CSHARP installation
-    && wget --tries=5 -q -O dotnet-install.sh https://dot.net/v1/dotnet-install.sh \
+RUN wget --tries=5 -q -O dotnet-install.sh https://dot.net/v1/dotnet-install.sh \
     && chmod +x dotnet-install.sh \
     && ./dotnet-install.sh --install-dir /usr/share/dotnet -channel 6.0 -version latest
 
@@ -338,22 +342,26 @@ RUN wget --tries=5 -q -O phive.phar https://phar.io/releases/phive.phar \
 ENV PATH="/root/.composer/vendor/bin:$PATH"
 
 # POWERSHELL installation
-RUN mkdir -p ${PWSH_DIRECTORY} \
-    && curl --retry 5 --retry-delay 5 -s https://api.github.com/repos/powershell/powershell/releases/${PWSH_VERSION} \
+RUN --mount=type=secret,id=GITHUB_TOKEN mkdir -p ${PWSH_DIRECTORY} \
+    && curl --retry 5 --retry-delay 5 -s \
+       -H "Accept: application/vnd.github+json" \
+       -H "Authorization: Bearer $(cat /run/secrets/GITHUB_TOKEN)" \
+       https://api.github.com/repos/powershell/powershell/releases/${PWSH_VERSION} \
         | grep browser_download_url \
         | grep linux-alpine-x64 \
         | cut -d '"' -f 4 \
         | xargs -n 1 wget -O - \
         | tar -xzC ${PWSH_DIRECTORY} \
     && ln -sf ${PWSH_DIRECTORY}/pwsh /usr/bin/pwsh \
-    && chmod +x /usr/bin/pwsh \
+    && chmod +x /usr/bin/pwsh
+
 
 # SALESFORCE installation
 # Next line commented because already managed by another linter
 # ENV JAVA_HOME=/usr/lib/jvm/java-11-openjdk
 # Next line commented because already managed by another linter
 # ENV PATH="$JAVA_HOME/bin:${PATH}"
-    && echo y|sfdx plugins:install sfdx-hardis \
+RUN echo y|sfdx plugins:install sfdx-hardis \
     && npm cache clean --force || true \
     && rm -rf /root/.npm/_cacache \
 
@@ -430,18 +438,22 @@ RUN curl --retry 5 --retry-delay 5 -sLO "${ARM_TTK_URI}" \
     && golangci-lint --version \
 
 # revive installation
-    && go install github.com/mgechev/revive@latest && go clean --cache \
+    && go install github.com/mgechev/revive@latest && go clean --cache
 
 # checkstyle installation
-    && CHECKSTYLE_LATEST=$(curl -s https://api.github.com/repos/checkstyle/checkstyle/releases/latest \
+RUN --mount=type=secret,id=GITHUB_TOKEN CHECKSTYLE_LATEST=$(curl -s \
+    -H "Accept: application/vnd.github+json" \
+    -H "Authorization: Bearer $(cat /run/secrets/GITHUB_TOKEN)" \
+    https://api.github.com/repos/checkstyle/checkstyle/releases/latest \
         | grep browser_download_url \
         | grep ".jar" \
         | cut -d '"' -f 4) \
     && curl --retry 5 --retry-delay 5 -sSL $CHECKSTYLE_LATEST \
-        --output /usr/bin/checkstyle \
+        --output /usr/bin/checkstyle
+
 
 # pmd installation
-    && wget --quiet https://github.com/pmd/pmd/releases/download/pmd_releases%2F${PMD_VERSION}/pmd-bin-${PMD_VERSION}.zip && \
+RUN wget --quiet https://github.com/pmd/pmd/releases/download/pmd_releases%2F${PMD_VERSION}/pmd-bin-${PMD_VERSION}.zip && \
     unzip pmd-bin-${PMD_VERSION}.zip && \
     rm pmd-bin-${PMD_VERSION}.zip && \
     mv pmd-bin-${PMD_VERSION} /usr/bin/pmd && \

Dockerfile-quick

@@ -7,6 +7,7 @@
 ##################
 # Get base image #
 ##################
+ARG GITHUB_TOKEN
 ARG MEGALINTER_BASE_IMAGE=oxsecurity/megalinter:beta
 FROM $MEGALINTER_BASE_IMAGE
 

flavors/ci_light/Dockerfile

@@ -19,8 +19,8 @@ FROM zricethezav/gitleaks:v8.15.3 as gitleaks
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##

flavors/cupcake/Dockerfile

@@ -25,8 +25,8 @@ FROM checkmarx/kics:alpine as kics
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##
@@ -315,18 +315,22 @@ RUN go install github.com/rhysd/actionlint/cmd/actionlint@latest && go clean --c
     && golangci-lint --version \
 
 # revive installation
-    && go install github.com/mgechev/revive@latest && go clean --cache \
+    && go install github.com/mgechev/revive@latest && go clean --cache
 
 # checkstyle installation
-    && CHECKSTYLE_LATEST=$(curl -s https://api.github.com/repos/checkstyle/checkstyle/releases/latest \
+RUN --mount=type=secret,id=GITHUB_TOKEN CHECKSTYLE_LATEST=$(curl -s \
+    -H "Accept: application/vnd.github+json" \
+    -H "Authorization: Bearer $(cat /run/secrets/GITHUB_TOKEN)" \
+    https://api.github.com/repos/checkstyle/checkstyle/releases/latest \
         | grep browser_download_url \
         | grep ".jar" \
         | cut -d '"' -f 4) \
     && curl --retry 5 --retry-delay 5 -sSL $CHECKSTYLE_LATEST \
-        --output /usr/bin/checkstyle \
+        --output /usr/bin/checkstyle
+
 
 # pmd installation
-    && wget --quiet https://github.com/pmd/pmd/releases/download/pmd_releases%2F${PMD_VERSION}/pmd-bin-${PMD_VERSION}.zip && \
+RUN wget --quiet https://github.com/pmd/pmd/releases/download/pmd_releases%2F${PMD_VERSION}/pmd-bin-${PMD_VERSION}.zip && \
     unzip pmd-bin-${PMD_VERSION}.zip && \
     rm pmd-bin-${PMD_VERSION}.zip && \
     mv pmd-bin-${PMD_VERSION} /usr/bin/pmd && \

flavors/documentation/Dockerfile

@@ -21,8 +21,8 @@ FROM zricethezav/gitleaks:v8.15.3 as gitleaks
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##

flavors/dotnet/Dockerfile

@@ -21,8 +21,8 @@ FROM zricethezav/gitleaks:v8.15.3 as gitleaks
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##
@@ -223,25 +223,32 @@ COPY --from=gitleaks /usr/bin/gitleaks /usr/bin/
 #############################################################################################
 #OTHER__START
 # ARM installation
-RUN mkdir -p ${PWSH_DIRECTORY} \
-    && curl --retry 5 --retry-delay 5 -s https://api.github.com/repos/powershell/powershell/releases/${PWSH_VERSION} \
+RUN --mount=type=secret,id=GITHUB_TOKEN mkdir -p ${PWSH_DIRECTORY} \
+    && curl --retry 5 --retry-delay 5 -s \
+       -H "Accept: application/vnd.github+json" \
+       -H "Authorization: Bearer $(cat /run/secrets/GITHUB_TOKEN)" \
+       https://api.github.com/repos/powershell/powershell/releases/${PWSH_VERSION} \
         | grep browser_download_url \
         | grep linux-alpine-x64 \
         | cut -d '"' -f 4 \
         | xargs -n 1 wget -O - \
         | tar -xzC ${PWSH_DIRECTORY} \
-    && ln -sf ${PWSH_DIRECTORY}/pwsh /usr/bin/pwsh \
+    && ln -sf ${PWSH_DIRECTORY}/pwsh /usr/bin/pwsh
+
 
 # CSHARP installation
-    && wget --tries=5 -q -O dotnet-install.sh https://dot.net/v1/dotnet-install.sh \
+RUN wget --tries=5 -q -O dotnet-install.sh https://dot.net/v1/dotnet-install.sh \
     && chmod +x dotnet-install.sh \
     && ./dotnet-install.sh --install-dir /usr/share/dotnet -channel 6.0 -version latest
 
 ENV PATH="${PATH}:/root/.dotnet/tools:/usr/share/dotnet"
 
 # POWERSHELL installation
-RUN mkdir -p ${PWSH_DIRECTORY} \
-    && curl --retry 5 --retry-delay 5 -s https://api.github.com/repos/powershell/powershell/releases/${PWSH_VERSION} \
+RUN --mount=type=secret,id=GITHUB_TOKEN mkdir -p ${PWSH_DIRECTORY} \
+    && curl --retry 5 --retry-delay 5 -s \
+       -H "Accept: application/vnd.github+json" \
+       -H "Authorization: Bearer $(cat /run/secrets/GITHUB_TOKEN)" \
+       https://api.github.com/repos/powershell/powershell/releases/${PWSH_VERSION} \
         | grep browser_download_url \
         | grep linux-alpine-x64 \
         | cut -d '"' -f 4 \

flavors/go/Dockerfile

@@ -21,8 +21,8 @@ FROM zricethezav/gitleaks:v8.15.3 as gitleaks
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##

flavors/java/Dockerfile

@@ -22,8 +22,8 @@ FROM zricethezav/gitleaks:v8.15.3 as gitleaks
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##
@@ -236,18 +236,22 @@ RUN go install github.com/rhysd/actionlint/cmd/actionlint@latest && go clean --c
 # Managed with COPY --from=editorconfig-checker /usr/bin/ec /usr/bin/editorconfig-checker
 
 # dotenv-linter installation
-    && wget -q -O - https://raw.githubusercontent.com/dotenv-linter/dotenv-linter/master/install.sh | sh -s \
+    && wget -q -O - https://raw.githubusercontent.com/dotenv-linter/dotenv-linter/master/install.sh | sh -s
 
 # checkstyle installation
-    && CHECKSTYLE_LATEST=$(curl -s https://api.github.com/repos/checkstyle/checkstyle/releases/latest \
+RUN --mount=type=secret,id=GITHUB_TOKEN CHECKSTYLE_LATEST=$(curl -s \
+    -H "Accept: application/vnd.github+json" \
+    -H "Authorization: Bearer $(cat /run/secrets/GITHUB_TOKEN)" \
+    https://api.github.com/repos/checkstyle/checkstyle/releases/latest \
         | grep browser_download_url \
         | grep ".jar" \
         | cut -d '"' -f 4) \
     && curl --retry 5 --retry-delay 5 -sSL $CHECKSTYLE_LATEST \
-        --output /usr/bin/checkstyle \
+        --output /usr/bin/checkstyle
+
 
 # pmd installation
-    && wget --quiet https://github.com/pmd/pmd/releases/download/pmd_releases%2F${PMD_VERSION}/pmd-bin-${PMD_VERSION}.zip && \
+RUN wget --quiet https://github.com/pmd/pmd/releases/download/pmd_releases%2F${PMD_VERSION}/pmd-bin-${PMD_VERSION}.zip && \
     unzip pmd-bin-${PMD_VERSION}.zip && \
     rm pmd-bin-${PMD_VERSION}.zip && \
     mv pmd-bin-${PMD_VERSION} /usr/bin/pmd && \

flavors/javascript/Dockerfile

@@ -21,8 +21,8 @@ FROM zricethezav/gitleaks:v8.15.3 as gitleaks
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##

flavors/php/Dockerfile

@@ -21,8 +21,8 @@ FROM zricethezav/gitleaks:v8.15.3 as gitleaks
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##

flavors/python/Dockerfile

@@ -21,8 +21,8 @@ FROM zricethezav/gitleaks:v8.15.3 as gitleaks
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##

flavors/ruby/Dockerfile

@@ -21,8 +21,8 @@ FROM zricethezav/gitleaks:v8.15.3 as gitleaks
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##

flavors/rust/Dockerfile

@@ -21,8 +21,8 @@ FROM zricethezav/gitleaks:v8.15.3 as gitleaks
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##

flavors/salesforce/Dockerfile

@@ -21,8 +21,8 @@ FROM zricethezav/gitleaks:v8.15.3 as gitleaks
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##

flavors/security/Dockerfile

@@ -22,8 +22,8 @@ FROM checkmarx/kics:alpine as kics
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##

flavors/swift/Dockerfile

@@ -21,8 +21,8 @@ FROM zricethezav/gitleaks:v8.15.3 as gitleaks
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##

flavors/terraform/Dockerfile

@@ -25,8 +25,8 @@ FROM checkmarx/kics:alpine as kics
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##