feat(osv): container image + reusable image test harness (#596) #604
Open
TomHennen wants to merge 2 commits into
Conversation
First slice of the tool-containerization work. Adds:
- tools/osv/Dockerfile — builds osv-scanner from the pinned tools/go.mod (manifest-preserving; not a git-rebuild) and reuses the existing tools/osv/adapter.sh + render_md.sh as the contract entrypoint, so a containerized run produces byte-identical output to today's adapter. Validated locally: clean source -> exit 0 + empty SARIF; vulnerable go.mod -> exit 1 + findings + the osv markdown summary; runs under an arbitrary -u UID (HOME=/tmp).
- test/lib/image_test_harness.bash — reusable helpers to run any tool image under the contract sandbox (read-only src, /output-only, arbitrary UID) and assert exit code + SARIF validity + write confinement.
- test/fixtures/image-contract/ — a mock conforming image driving each contract path (clean/findings/error/malformed) so the harness self-validates.
- test/image/test_image_harness.bats — the harness self-test. Lives outside the Makefile unit glob (needs docker); the dogfooded shell build auto-detects it.

Draft: the publish wiring and the (heavier) osv image test depend on two owner decisions noted in the PR description.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
wrangle-shell-lint requires 'set -euo pipefail' as the first substantive line, which needs bash; switch the mock entrypoint to #!/bin/bash and its base from alpine to debian-slim (bash available). Harness self-test stays 5/5 green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
What
First implementation slice of #596 (depends on the design in #603). Containerizes osv and lands a reusable image test harness. Ready for review — what is here is validated + green; the two decisions below gate the next steps (publish + PR2), not this PR.
Validated locally (evidence)
The key de-risking result: the image reuses the existing tools/osv/adapter.sh + render_md.sh + lib/sanitize.sh verbatim as its entrypoint, so a containerized run is byte-identical to today's adapter — no new adapter logic. The harness self-test is 5/5 green, and shellcheck + wrangle-shell-lint pass.

In this PR
- tools/osv/Dockerfile — multi-stage: builds osv-scanner from the pinned tools/go.mod (manifest-preserving — keeps Dependabot/osv/govulncheck visibility; not a git-clone-rebuild), then runs the existing adapter as the contract entrypoint on a digest-pinned distroless-ish base.
- test/lib/image_test_harness.bash — reusable: run any tool image under the contract sandbox (--network, -u, /src:ro, /output) and assert exit code + SARIF validity + write confinement.
- test/fixtures/image-contract/ — a mock conforming image driving each contract path so the harness self-validates (a mock is justified here: a real tool can't emit a controlled exit-2 / malformed SARIF on demand).
- test/image/test_image_harness.bats — the harness self-test. Placed outside the Makefile's unit bats glob (it needs docker, absent in the unit test container); the dogfooded shell build auto-detects it on a docker-capable runner.

Open decisions for your review
1. Publish wiring. build_and_publish_container sets context: {{defaultContext}}:<path>, i.e. the build context is the path subdir. A wrangle tool image's build needs repo-root files (tools/go.mod, lib/sanitize.sh), which a subdir context can't reach. Options: (a) add a context/dockerfile input to build/actions/container so the Dockerfile and context can differ (touches the L3 build path — your call), or (b) a dedicated tool-image build workflow. I did not change the L3 path unsupervised.
2. Where/how tool-image tests build + run in CI. The osv image test builds osv-from-source (~GB of modules) — heavy enough that running it inside the shell build's every-.bats pass risks disk/time blowups (it filled my local disk). The lightweight harness self-test runs green now; the osv image test is written and locally validated but held pending an image build/cache strategy for CI (e.g. build-and-cache the image once, then point tests at the tag).

Follow-ups
- docker run seam) is stacked on this and bootstrap-blocked until the osv image is actually published (decision 1).
- tools/osv/test_image.bats) is ready to add once decision 2 lands.

🤖 Generated with Claude Code
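The contract sandbox the description refers to (no network, caller's UID, /src read-only, /output the only writable mount, then exit code + SARIF validity + write confinement asserted), as an added bash example that is not the PR's test/lib/image_test_harness.bash. It assumes the image writes /output/results.sarif and treats "SARIF validity" as a shape check rather than schema validation; DOCKER can be overridden with a fake runner so the checks themselves can be exercised without docker.

```bash
#!/usr/bin/env bash
# Added example, not the PR's harness. Assumptions: the tool image writes
# /output/results.sarif, and validity means "SARIF 2.1.0 with a runs array".
set -euo pipefail

# Override DOCKER (e.g. with a fake runner) to exercise the checks offline.
DOCKER="${DOCKER:-docker}"

# sarif_looks_valid FILE: 0 if FILE is a non-empty SARIF 2.1.0 log with a runs array.
sarif_looks_valid() {
  local f="$1"
  [ -s "$f" ] || return 1
  grep -q '"version"[[:space:]]*:[[:space:]]*"2\.1\.0"' "$f" || return 1
  grep -q '"runs"[[:space:]]*:[[:space:]]*\[' "$f" || return 1
}

# tree_digest DIR: sorted "sha256 path" lines, used to prove /src was not written to.
tree_digest() {
  (cd "$1" && find . -type f -exec sha256sum {} + | sort)
}

# run_contract_image IMAGE SRC_DIR OUT_DIR WANT_EXIT
# Runs IMAGE under the contract sandbox and fails unless: the exit code equals
# WANT_EXIT, SRC_DIR is byte-identical afterwards, and (for exit 0/1, i.e. the
# clean and findings paths) a well-formed SARIF log exists in OUT_DIR.
run_contract_image() {
  local image="$1" src="$2" out="$3" want="$4"
  local before after rc=0
  before="$(tree_digest "$src")"
  "$DOCKER" run --rm --network none -u "$(id -u):$(id -g)" \
    -v "$src:/src:ro" -v "$out:/output" "$image" || rc=$?
  after="$(tree_digest "$src")"
  [ "$rc" -eq "$want" ] || { echo "exit $rc, want $want" >&2; return 1; }
  [ "$before" = "$after" ] || { echo "source tree was modified" >&2; return 1; }
  if [ "$want" -lt 2 ]; then
    sarif_looks_valid "$out/results.sarif" || { echo "missing/malformed SARIF" >&2; return 1; }
  fi
  return 0
}
```

The read-only bind mount is the enforcement; the before/after digest is the independent check that catches an image which finds another way to write outside /output.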