From 2f0dc91e1870496d7ee9d1bd5c1bc2f6106bc72d Mon Sep 17 00:00:00 2001
From: Windz
Date: Fri, 16 Sep 2022 11:01:56 +0900
Subject: [PATCH 1/2] Update Dockerfile
Signed-off-by: wfan
---
 Dockerfile | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index f2730da..a8d4593 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@ FROM golang:1.19-alpine AS base
 RUN set -eux \
 && apk --no-cache add ca-certificates \
- && apk --no-cache add --virtual build-dependencies cmake g++ make unzip curl git
+ && apk --no-cache add --virtual build-dependencies cmake g++ make unzip curl git libcap
 WORKDIR ${GOPATH}/src/github.com/AthenZ/authorization-proxy
@@ -31,6 +31,9 @@ RUN BUILD_TIME=$(date -u +%Y%m%d-%H%M%S) \
 GO111MODULE=on \
 go build -ldflags "-X 'main.Version=${VERSION} at ${BUILD_TIME} by ${GO_VERSION}' -linkmode=external" -a -o "/usr/bin/${APP_NAME}"
+# allow well-known port binding
+RUN setcap 'cap_net_bind_service=+ep' "/usr/bin/${APP_NAME}"
+
 # confirm dependency libraries & cleanup
 RUN ldd "/usr/bin/${APP_NAME}"\
 && apk del build-dependencies --purge \
@@ -52,6 +55,7 @@ COPY --from=builder /usr/bin/${APP_NAME} /go/bin/${APP_NAME}
 COPY --from=builder /lib/ld-musl-x86_64.so* /lib/
 # Copy user
 COPY --from=builder /etc/passwd /etc/passwd
+USER ${APP_NAME}
 HEALTHCHECK NONE
 ENTRYPOINT ["/go/bin/authorization-proxy"]
From 93d6f3015e26a8a936068b2092123969d7a442d9 Mon Sep 17 00:00:00 2001
From: wfan
Date: Tue, 20 Dec 2022 17:16:32 +0900
Subject: [PATCH 2/2] update github action
Signed-off-by: wfan
---
 .github/workflows/docker-build-publish.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml
index e038f10..f227829 100644
--- a/.github/workflows/docker-build-publish.yaml
+++ b/.github/workflows/docker-build-publish.yaml
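Review bot: The `setcap 'cap_net_bind_service=+ep'` on `/usr/bin/${APP_NAME}` stores the capability as the `security.capability` xattr, and whether that xattr survives the later `COPY --from=builder ... /go/bin/${APP_NAME}` into the final stage depends on the builder's xattr handling, so the built image should be verified with `getcap` on the copied binary (libcap is purged together with `build-dependencies` a few lines below, so the check has to run in the builder stage or from a tool-carrying image). The capability is also not honoured when the process runs under `no_new_privs` (`docker run --security-opt no-new-privileges`, Kubernetes `allowPrivilegeEscalation: false`), so a non-root bind below 1024 still fails in those deployments; a comment next to the RUN, e.g. `# file capability is ignored under no_new_privs; use a port >= 1024 or grant the cap at runtime in that case`, would save operators a debugging round. `+ep` is the narrowest grant for this purpose and needs no broadening.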
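Review bot: `USER ${APP_NAME}` relies on the `/etc/passwd` copied on the line above containing an entry of exactly that name, created somewhere in the builder stage outside this hunk; a numeric `USER <uid>:<gid>` does not depend on the passwd copy and is what runtimes enforcing `runAsNonRoot` can validate without inspecting the image, e.g. `USER 10001:10001` (constructed example; use the uid/gid the builder assigns to `${APP_NAME}`). `/etc/group` is not copied, so supplementary-group resolution for that user is absent in the final image; if the account only needs its primary gid this is fine, otherwise copy `/etc/group` alongside. A one-line comment such as `# run as the unprivileged service user; low ports come from the file capability set in the builder stage` would record why the setcap step and this line belong together.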
@@ -130,7 +130,6 @@ jobs:
 # The Github action runs CIS Dockerfile benchmark against dockerfiles in repository (CIS 4.1, 4.2, 4.3, 4.6, 4.7, 4.9, 4.10)
 # https://github.com/sysdiglabs/benchmark-dockerfile
- # TODO: Skipping CIS 4.1 check until https://github.com/yahoojapan/authorization-proxy/pull/95 is fixed.
 - name: Post Sysdig Benchmark Dockerfile
 id: postsysdig
@@ -138,7 +137,7 @@ jobs:
 echo ${{ toJSON(steps.sysdig.outputs.violation_report) }} | \
 jq -r .
 echo ${{ toJSON(steps.sysdig.outputs.violation_report) }} | \
- jq -r '.cis_docker_benchmark_violation_report[] | select(.rule!="CIS 4.1 Create a user for the container") | .violations[]' | \
+ jq -r '.cis_docker_benchmark_violation_report[] | select(true) | .violations[]' | \
 wc -l | \
 xargs -I% test 0 -eq %
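Review bot: `select(true)` on the added jq line is a no-op now that the CIS 4.1 exemption is gone, so the filter reads more simply as `jq -r '.cis_docker_benchmark_violation_report[].violations[]' | \`. The comment above this step (in the earlier hunk) lists CIS 4.1 among the checks run, which this change makes accurate again. The `run` block begins before the hunk; its `echo ${{ toJSON(steps.sysdig.outputs.violation_report) }}` context lines feed an action output straight into the shell script, and GitHub's guidance is to pass such values through `env:` and reference them as a quoted shell variable — outside this change, but a cheap follow-up while this step is being touched.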