First run (CI on your laptop)
Windows (PowerShell)
what you should see
docker build -t ship-securely/app:dev app
[+] Building 1.2s (14/14) FINISHED docker:desktop-linux
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 645B 0.0s
=> [internal] load metadata for docker.io/library/golang:1.22-alpine 0.4s
=> [internal] load metadata for docker.io/library/alpine:3.20 0.4s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [build 1/4] FROM docker.io/library/golang:1.22-alpine@sha256:1699c10032ca2582ec89a24a1312d986a3f094aed3d5c1147b19880afe40e052 0.0s
=> [stage-1 1/4] FROM docker.io/library/alpine:3.20@sha256:765942a4039992336de8dd5db680586e1a206607dd06170ff0a37267a9e01958 0.0s
=> [internal] load build context 0.0s
=> => transferring context: 2.02kB 0.0s
=> CACHED [build 2/4] WORKDIR /src 0.0s
=> [build 3/4] COPY . . 0.0s
=> [build 4/4] RUN --mount=type=cache,target=/go/pkg/mod --mount=type=cache,target=/root/.cache/go-build CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build - 0.7s
=> CACHED [stage-1 2/4] RUN adduser -D -u 10001 appuser 0.0s
=> CACHED [stage-1 3/4] WORKDIR /home/appuser 0.0s
=> [stage-1 4/4] COPY --from=build /out/server /usr/local/bin/server 0.0s
=> exporting to image 0.0s
=> => exporting layers 0.0s
=> => writing image sha256:f72451a65103493a2c99c0b63a3768c21af2fdd1c5679e69b96d8878fc18d3fb 0.0s
=> => naming to docker.io/ship-securely/app:dev 0.0s
View build details: docker-desktop://dashboard/build/desktop-linux/desktop-linux/t419rs4ety3zd51i77w098cc0
What's next:
View a summary of image vulnerabilities and recommendations → docker scout quickview
== Hadolint (Dockerfile) ==
docker run --rm -i hadolint/hadolint < app/Dockerfile > artifacts/hadolint.txt || true
== Semgrep (SAST) ==
docker run --rm -v /Users/t/go/src/ship-securely-starter:/src returntocorp/semgrep semgrep --config p/owasp-top-ten --sarif --output /src/artifacts/semgrep.sarif /src/app || true
┌─────────────┐
│ Scan Status │
└─────────────┘
Scanning 3 files tracked by git with 542 Code rules:
Language      Rules  Files   Origin     Rules
────────────────────────────  ────────────────
<multilang>       5      3   Community    542
go               38      1
dockerfile        4      1
┌──────────────┐
│ Scan Summary │
└──────────────┘
✅ Scan completed successfully.
• Findings: 1 (1 blocking)
• Rules run: 47
• Targets scanned: 3
• Parsed lines: ~100.0%
• No ignore information available
Ran 47 rules on 3 files: 1 finding.
== Gitleaks (secrets) ==
docker run --rm -v /Users/t/go/src/ship-securely-starter:/work zricethezav/gitleaks:latest detect -s /work -r artifacts/gitleaks.json --no-banner || true
4:09PM FTL Report path is not writable: artifacts/gitleaks.json error="open artifacts/gitleaks.json: no such file or directory"
== Checkov (IaC) ==
docker run --rm -v /Users/t/go/src/ship-securely-starter:/work bridgecrew/checkov -d /work/infra --output-file-path artifacts/checkov.json || true
(checkov ASCII-art banner)
By Prisma Cloud | version: 3.2.476
Update available 3.2.476 -> 3.2.477
Run pip3 install -U checkov to update
kubernetes scan results:
Passed checks: 83, Failed checks: 7, Skipped checks: 0
Check: CKV_K8S_75: "Ensure that the --authorization-mode argument includes Node"
PASSED for resource: Deployment.default.app
File: /k8s/deployment.yaml:1-48
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-authorization-mode-argument-includes-node
Check: CKV_K8S_70: "Ensure that the --token-auth-file argument is not set"
PASSED for resource: Deployment.default.app
File: /k8s/deployment.yaml:1-48
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-token-auth-file-parameter-is-not-set
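The run above chains each scanner with `|| true`, so the Gitleaks crash ("Report path is not writable ... no such file or directory") is silently treated the same as a clean pass. The gate below is an added example, not part of the ship-securely starter: it creates the artifacts directory before each step, distinguishes a tool that crashed (non-zero exit, no report written) from a tool that found something, and turns the combined result into an exit code. The `demo()` function stands in for the real scanners with constructed Python one-liners and a constructed Gitleaks JSON finding; the report parsing assumes Gitleaks' JSON array and Semgrep's SARIF layout, and any other report format falls back to the tool's exit status.

```python
"""Added example: a laptop-CI gate that does not let a crashed scanner pass as clean."""
import json
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass
class StepResult:
    name: str
    status: str        # "clean", "findings" or "error"
    findings: int
    detail: str = ""


def count_findings(report: Path) -> int:
    """Count findings in a report. Understands gitleaks JSON (a list, one object
    per leak) and SARIF (runs[].results); other formats count as 0 parsed findings."""
    data = json.loads(report.read_text())
    if isinstance(data, list):
        return len(data)
    if isinstance(data, dict) and "runs" in data:
        return sum(len(run.get("results", [])) for run in data["runs"])
    return 0


def run_step(name: str, cmd: list, report: Path) -> StepResult:
    """Run one scanner. Unlike `cmd || true`, a non-zero exit with no report on
    disk is an error (the tool never scanned anything), not a pass."""
    report.parent.mkdir(parents=True, exist_ok=True)   # the missing dir behind the gitleaks FTL
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if not report.exists():
        return StepResult(name, "error", 0,
                          f"exit {proc.returncode}, no report: {proc.stderr.strip()[:200]}")
    try:
        n = count_findings(report)
    except (ValueError, UnicodeDecodeError):
        n = 0                                   # text report (e.g. hadolint): rely on exit status
    if n == 0 and proc.returncode != 0:
        n = 1                                   # tool signalled findings only via its exit code
    return StepResult(name, "findings" if n else "clean", n)


def verdict(results: list) -> int:
    """0 = all clean, 1 = findings to fix, 2 = at least one scanner did not run."""
    if any(r.status == "error" for r in results):
        return 2
    if any(r.status == "findings" for r in results):
        return 1
    return 0


def demo() -> dict:
    """Constructed stand-ins for the scanners: a crash, a real finding and a clean pass."""
    art = Path(tempfile.mkdtemp(prefix="ship-securely-")) / "artifacts"
    py = sys.executable
    leak = json.dumps([{"RuleID": "generic-api-key", "File": "app/config.go", "Line": 12}])  # constructed
    sarif = json.dumps({"version": "2.1.0", "runs": [{"results": []}]})                     # constructed
    results = [
        # exits 1 without writing a report, like the gitleaks run in the log above
        run_step("gitleaks-crash", [py, "-c", "import sys; sys.exit(1)"], art / "gitleaks.json"),
        # writes one leak and exits 1
        run_step("gitleaks", [py, "-c",
                 f"open({str(art / 'gitleaks2.json')!r}, 'w').write({leak!r}); raise SystemExit(1)"],
                 art / "gitleaks2.json"),
        # writes an empty SARIF and exits 0
        run_step("semgrep", [py, "-c", f"open({str(art / 'semgrep.sarif')!r}, 'w').write({sarif!r})"],
                 art / "semgrep.sarif"),
    ]
    return {"results": results, "exit_code": verdict(results)}


if __name__ == "__main__":
    out = demo()
    for r in out["results"]:
        print(f"{r.name:16} {r.status:9} findings={r.findings} {r.detail}")
    sys.exit(out["exit_code"])
```

To use it on the starter, replace the one-liners in `demo()` with the page's `docker run` commands, keep each `-r`/`--output` path under `artifacts/`, and drop the `|| true`; the gate then fails the run on exit code 2 before anyone reads a green summary that one scanner never produced.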