From 0ed15900f180692fd266fe8c8cc301176523f03b Mon Sep 17 00:00:00 2001
From: wfan
Date: Wed, 19 Apr 2023 18:13:30 +0900
Subject: [PATCH] test setcap
Signed-off-by: wfan
---
 .github/workflows/docker-build-publish.yaml | 2 +-
 Dockerfile | 7 +++++--
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml
index 1bd75dd..50e2366 100644
--- a/.github/workflows/docker-build-publish.yaml
+++ b/.github/workflows/docker-build-publish.yaml
@@ -137,7 +137,7 @@ jobs:
 echo ${{ toJSON(steps.sysdig.outputs.violation_report) }} | \
 jq -r .
 echo ${{ toJSON(steps.sysdig.outputs.violation_report) }} | \
- jq -r .cis_docker_benchmark_violation_report[].violations[] | \
+ jq -r '.cis_docker_benchmark_violation_report[] | select(true) | .violations[]' | \
 wc -l | \
 xargs -I% test 0 -eq %
diff --git a/Dockerfile b/Dockerfile
index 7850e30..e712844 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@ FROM golang:1.20-alpine AS base
 RUN set -eux \
 && apk --no-cache add ca-certificates \
- && apk --no-cache add --virtual build-dependencies cmake g++ make unzip curl git
+ && apk --no-cache add --virtual build-dependencies cmake g++ make unzip curl git libcap
 WORKDIR ${GOPATH}/src/github.com/AthenZ/garm
@@ -32,6 +32,9 @@ RUN BUILD_TIME=$(date -u +%Y%m%d-%H%M%S) \
 go build -ldflags "-s -w -linkmode 'external' -extldflags '-static -fPIC -m64 -pthread -std=c++11 -lstdc++' -X 'main.Version=${APP_VERSION} at ${BUILD_TIME} by ${GO_VERSION}'" -a -tags "cgo netgo" -installsuffix "cgo netgo" -o "${APP_NAME}" \
 && mv "${APP_NAME}" "/usr/bin/${APP_NAME}"
+# allow well-known port binding
+RUN setcap 'cap_net_bind_service=+ep' "/usr/bin/${APP_NAME}"
+
 RUN apk del build-dependencies --purge \
 && rm -rf "${GOPATH}"
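Review bot: The `select(true)` stage in the new jq filter is a no-op, so the only effective change on this line is quoting the expression so the shell no longer treats the `[]` brackets as a glob; the simpler `jq -r '.cis_docker_benchmark_violation_report[].violations[]' | \` does the same without a dead stage, and if a real filter on the report entries is planned, a comment naming it would be clearer than a placeholder predicate. Separately, if `jq` fails on its input (for example a missing key or a non-array value), `wc -l` still prints `0` and `test 0 -eq 0` passes, so this gate only fails closed when `pipefail` is in effect for the step — the step definition and its `shell:` setting are outside the hunk, so that should be confirmed. The report is also interpolated unquoted through `${{ }}` directly into the shell line; exposing it via `env:` and quoting the variable keeps the script text independent of whatever the report contains.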
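Review bot: The file capability is applied to `/usr/bin/${APP_NAME}` in the builder stage, but the binary reaches the final image through `COPY --from=builder` (the `@@ -50` hunk), and whether that copy preserves the `security.capability` xattr depends on the builder in use; the build should verify it on the final image, e.g. a test step that runs `getcap /go/bin/garm` and checks that `cap_net_bind_service` is reported, otherwise the switch to a non-root `USER` silently loses the ability to bind ports below 1024. The comment on the new line would carry more of the reasoning as `# grant CAP_NET_BIND_SERVICE as a file capability so the binary can bind ports <1024 once the final stage drops to a non-root USER`. The `libcap` package added in the `@@ -2` hunk is only needed for the `setcap` binary and is removed again by `apk del build-dependencies`; that is fine, since the capability is stored on the binary's xattr rather than in the package, though it is added unpinned like its siblings. The `RUN` that builds the binary begins above the hunk.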
@@ -50,7 +53,7 @@ COPY --from=builder /etc/passwd /etc/passwd
 COPY --from=builder /usr/bin/${APP_NAME} /go/bin/${APP_NAME}
 # Copy user
 COPY --from=builder /etc/passwd /etc/passwd
-# USER ${APP_NAME}
+USER ${APP_NAME}
 HEALTHCHECK NONE
 ENTRYPOINT ["/go/bin/garm"]
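Review bot: `USER ${APP_NAME}` resolves the name through the `/etc/passwd` copied wholesale from the builder stage on the line above, which carries every builder-stage account into the runtime image and makes the user's identity only as reliable as that file; a numeric `USER <uid>:<gid>` (with a fixed UID chosen at user creation, placeholder here) removes the dependency on `/etc/passwd` and lets runtimes that enforce `runAsNonRoot` verify the setting. The same `COPY --from=builder /etc/passwd /etc/passwd` also appears as this hunk's context header, which suggests the instruction occurs twice in the file; if so, one copy is redundant — confirm against the full Dockerfile. Running as this user only works for ports below 1024 if the capability set by `setcap` in the `@@ -32` hunk survives the copy into the final stage, so the two changes should be validated together on the built image.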