feat: Dockerfile hadolint scan

config.md

@@ -18,7 +18,8 @@
 | ENABLE_CHART_SEARCH_IN_HELM_DEPLOY                        | "true"                                   | Enable chart search in Helm deploy                                                                               |
 | ENABLE_EXTERNAL_ARGO_CD                                   | "true"                                   | Enable External Argo CD                                                                                          |
 | ENABLE_SCOPED_VARIABLES                                   | "false"                                  | For enabling scoped variable from UI, also need to enable it in backend.                                         |
-| FORCE_SECURITY_SCANNING                                   | "false"                                  | Force security scanning                                                                                          |
+| FORCE_SECURITY_SCANNING                                   | "false"                                  | Force security                                                                                                   |
+| scanning                                                  |                                          |
 | GA_ENABLED                                                | "true"                                   | Enable Google Analytics (GA)                                                                                     |
 | GA_TRACKING_ID                                            | G-XXXXXXXX                               | Google Analytics tracking ID                                                                                     |
 | GLOBAL_API_TIMEOUT                                        | 60000                                    | Default timeout for all API requests in DASHBOARD                                                                |

package.json

@@ -4,7 +4,7 @@
     "private": true,
     "homepage": "/dashboard",
     "dependencies": {
-        "@devtron-labs/devtron-fe-common-lib": "1.23.4-pre-1",
+        "@devtron-labs/devtron-fe-common-lib": "1.23.4-pre-2",
         "@esbuild-plugins/node-globals-polyfill": "0.2.3",
         "@sentry/browser": "7.119.1",
         "@sentry/integrations": "7.50.0",

src/Pages/App/Configurations/WorkflowEditor/CreateCICDPipeline/CreateCICDPipeline.tsx

@@ -30,6 +30,7 @@ import {
     ToastManager,
     ToastVariantType,
     useAsync,
+    useMainContext,
 } from '@devtron-labs/devtron-fe-common-lib'
 
 import { saveCIPipeline } from '@Components/ciPipeline/ciPipeline.service'
@@ -90,9 +91,11 @@ export const CreateCICDPipeline = ({
     // REFS
     const ciPipelineResRef = useRef<{ appWorkflowId: number; id: number } | null>(null)
 
+    const { forceDockerfileScan } = useMainContext()
+
     // ASYNC CALLS
     const [isCiCdPipelineLoading, ciCdPipelineRes, ciCdPipelineErr, reloadCiCdPipeline, setter] = useAsync(
-        () => getCICDPipelineInitData(appId, isTemplateView),
+        () => getCICDPipelineInitData(appId, isTemplateView, forceDockerfileScan),
         [open, isTemplateView],
         open,
     )

src/Pages/App/Configurations/WorkflowEditor/CreateCICDPipeline/service.ts

@@ -117,10 +117,10 @@ const getCDInitData = async (appId: string, isTemplateView: boolean): Promise<Cr
     }
 }
 
-const getCIInitData = async (appId: string, isTemplateView: boolean) => {
+const getCIInitData = async (appId: string, isTemplateView: boolean, forceDockerfileScan: boolean) => {
     const {
         result: { form, isBlobStorageConfigured, isSecurityModuleInstalled },
-    } = await getInitData(appId.toString(), true, false, isTemplateView)
+    } = await getInitData(appId.toString(), true, false, isTemplateView, forceDockerfileScan)
 
     return {
         ...form,
@@ -132,9 +132,13 @@ const getCIInitData = async (appId: string, isTemplateView: boolean) => {
 export const getCICDPipelineInitData = async (
     appId: string,
     isTemplateView: boolean,
+    forceDockerfileScan: boolean,
 ): Promise<CreateCICDPipelineData> => {
     try {
-        const [ci, cd] = await Promise.all([getCIInitData(appId, isTemplateView), getCDInitData(appId, isTemplateView)])
+        const [ci, cd] = await Promise.all([
+            getCIInitData(appId, isTemplateView, forceDockerfileScan),
+            getCDInitData(appId, isTemplateView),
+        ])
 
         return { ci, cd }
     } catch (err) {

src/components/CIPipelineN/Build.tsx

@@ -21,13 +21,14 @@ import {
     CiPipelineSourceTypeOption,
     CustomInput,
     SourceTypeMap,
+    Icon,
+    useMainContext,
 } from '@devtron-labs/devtron-fe-common-lib'
 import { ViewType } from '../../config'
 import { createWebhookConditionList } from '../ciPipeline/ciPipeline.service'
 import { SourceMaterials } from '../ciPipeline/SourceMaterials'
 import { ValidationRules } from '../ciPipeline/validationRules'
 import { BuildType, WebhookCIProps } from '../ciPipeline/types'
-import BugScanner from '../../assets/icons/scanner.svg?react'
 import AdvancedConfigOptions from './AdvancedConfigOptions'
 import { pipelineContext } from '../workflowEditor/workflowEditor'
 import { getSelectedWebhookEvent } from '@Pages/App/Configurations'
@@ -42,6 +43,8 @@ export const Build = ({
     appId,
     isTemplateView,
 }: BuildType) => {
+    const { isEnterprise, forceDockerfileScan } = useMainContext()
+
     const { formData, setFormData, formDataErrorObj, setFormDataErrorObj } = useContext(pipelineContext)
     const validationRules = new ValidationRules()
     const handleSourceChange = (event, gitMaterialId: number, sourceType: string): void => {
@@ -166,6 +169,12 @@ export const Build = ({
         setFormData(_formData)
     }
 
+    const handleDockerfileScanToggle = (): void => {
+        const _formData = { ...formData }
+        _formData.dockerfileScanEnabled = !_formData.dockerfileScanEnabled
+        setFormData(_formData)
+    }
+
     const renderBasicCI = () => {
         const _webhookData: WebhookCIProps = {
             webhookConditionList: formData.webhookConditionList,
@@ -206,53 +215,71 @@ export const Build = ({
 
     const renderPipelineName = () => {
         return (
-            <label className="form__row">
-                <CustomInput
-                    name="name"
-                    label="Pipeline Name"
-                    disabled={!!ciPipeline?.id}
-                    placeholder="e.g. my-first-pipeline"
-                    type="text"
-                    value={formData.name}
-                    onChange={handlePipelineName}
-                    required
-                    error={formDataErrorObj.name && !formDataErrorObj.name.isValid && formDataErrorObj.name.message}
-                />
-            </label>
+            <CustomInput
+                name="name"
+                label="Pipeline Name"
+                disabled={!!ciPipeline?.id}
+                placeholder="e.g. my-first-pipeline"
+                type="text"
+                value={formData.name}
+                onChange={handlePipelineName}
+                required
+                error={formDataErrorObj.name && !formDataErrorObj.name.isValid && formDataErrorObj.name.message}
+            />
         )
     }
 
     const renderScanner = () => (
-        <>
-            <hr />
-            <div>
-                <div
-                    className="en-2 bw-1 br-4 pt-12 pb-12 pl-16 pr-12"
-                    style={{ display: 'grid', gridTemplateColumns: '52px auto 32px' }}
-                >
-                    <BugScanner />
-                    <div>
-                        <p className="fs-13 lh-20 fw-6 cn-9 mb-4">Scan for vulnerabilities</p>
-                        <p className="fs-13 lh-18 mb-0 fs-12">Perform security scan after container image is built.</p>
-                    </div>
-                    <DTSwitch
-                        isDisabled={window._env_.FORCE_SECURITY_SCANNING && formData.scanEnabled}
-                        ariaLabel="Toggle scan for security vulnerabilities"
-                        isChecked={formData.scanEnabled}
-                        onChange={handleScanToggle}
-                        name="create-build-pipeline-scan-vulnerabilities-toggle"
-                    />
+        <div className="en-2 bw-1 br-4 p-16 flexbox-col dc__gap-16">
+            <div style={{ display: 'grid', gridTemplateColumns: '52px auto 32px' }}>
+                <div className="flex icon-dim-40 scan-icon-wrapper">
+                    <Icon name="ic-bg-scan" size={30} color={null} />
                 </div>
+                <div>
+                    <p className="fs-13 lh-20 fw-6 cn-9 mb-4">Scan for vulnerabilities</p>
+                    <p className="fs-13 lh-18 mb-0 fs-12">Perform security scan after container image is built.</p>
+                </div>
+                <DTSwitch
+                    isDisabled={window._env_.FORCE_SECURITY_SCANNING && formData.scanEnabled}
+                    ariaLabel="Toggle scan for security vulnerabilities"
+                    isChecked={formData.scanEnabled}
+                    onChange={handleScanToggle}
+                    name="create-build-pipeline-scan-vulnerabilities-toggle"
+                />
             </div>
-        </>
+            {isEnterprise && (
+                <>
+                    <div className="dc__border-bottom dc__secondary" />
+                    <div style={{ display: 'grid', gridTemplateColumns: '52px auto 32px' }}>
+                        <div className="icon-dim-40 scan-icon-wrapper flex">
+                            <Icon name="ic-bg-docker-scanner" size={30} color={null} />
+                        </div>
+                        <div>
+                            <p className="fs-13 lh-20 fw-6 cn-9 mb-4">Scan for recommendations</p>
+                            <p className="fs-13 lh-18 mb-0 fs-12">
+                                Perform linting scan of your docker file and get recommended optimizations.
+                            </p>
+                        </div>
+                        <DTSwitch
+                            isDisabled={forceDockerfileScan}
+                            ariaLabel="Toggle scan for security vulnerabilities"
+                            isChecked={!!forceDockerfileScan || !!formData.dockerfileScanEnabled }
+                            onChange={handleDockerfileScanToggle}
+                            name="create-build-pipeline-dockerfile-scan-toggle"
+                            tooltipContent={forceDockerfileScan ? 'Dockerfile scanning is enforced across all pipelines in the organization.' : null}
+                        />
+                    </div>
+                </>
+            )}
+        </div>
     )
 
     return pageState === ViewType.LOADING.toString() ? (
         <div style={{ minHeight: '200px' }} className="flex">
             <Progressing pageLoader />
         </div>
     ) : (
-        <div className="p-20 ci-scrollable-content">
+        <div className="p-20 ci-scrollable-content flexbox-col dc__gap-16">
             {renderBasicCI()}
             {!isJobView && isAdvanced && (
                 <>

src/components/CIPipelineN/CIPipeline.tsx

@@ -48,6 +48,7 @@
     GenericModal,
     Button,
     handleAnalyticsEvent,
+    useMainContext,
 } from '@devtron-labs/devtron-fe-common-lib'
 import Tippy from '@tippyjs/react'
 import {
@@ -121,12 +122,15 @@
     const [environments, setEnvironments] = useState<EnvironmentWithSelectPickerType[]>([])
     // NOTE: don't want to show the warning until fetch; therefore true by default
     const [isBlobStorageConfigured, setIsBlobStorageConfigured] = useState(true)
+
+    const { forceDockerfileScan } = useMainContext()
     const [formData, setFormData] = useState<PipelineFormType>({
         name: '',
         args: [],
         materials: [],
         triggerType: window._env_.DEFAULT_CI_TRIGGER_TYPE_MANUAL ? TriggerType.Manual : TriggerType.Auto,
         scanEnabled: false,
+        dockerfileScanEnabled: forceDockerfileScan || false,
         gitHost: undefined,
         webhookEvents: [],
         ciPipelineSourceTypeOptions: [],
@@ -467,7 +471,7 @@
                     setIsAdvanced(true)
                 }
             } else {
-                const ciPipelineResponse = await getInitData(appId, true, isJobCard, isTemplateView)
+                const ciPipelineResponse = await getInitData(appId, true, isJobCard, isTemplateView, forceDockerfileScan)
                 if (ciPipelineResponse) {
                     setFormData(ciPipelineResponse.result.form)
                     setSecurityModuleInstalled(ciPipelineResponse.result.isSecurityModuleInstalled)
@@ -615,7 +619,10 @@
         validateStage(BuildStageVariable.Build, formData)
         validateStage(BuildStageVariable.PostBuild, formData)
         const scanValidation =
-            isJobCard || !isSecurityModuleInstalled || formData.scanEnabled || !window._env_.FORCE_SECURITY_SCANNING
+            isJobCard ||
+            !isSecurityModuleInstalled ||
+            formData.scanEnabled ||
+            !window._env_.FORCE_SECURITY_SCANNING
         if (!scanValidation) {
             setApiInProgress(false)
             ToastManager.showToast({
@@ -678,6 +685,7 @@
                 ...formData,
                 materials: _materials,
                 scanEnabled: !isJobCard && isSecurityModuleInstalled ? formData.scanEnabled : false,
+                dockerfileScanEnabled: formData.dockerfileScanEnabled,
             },
             _ciPipeline,
             _materials,

src/components/app/details/appDetails/AppSecurity.tsx

@@ -14,9 +14,17 @@
  * limitations under the License.
  */
 
-import { getSecurityScan, useAsync } from '@devtron-labs/devtron-fe-common-lib'
+import { useEffect } from 'react'
 
-import { UseGetAppSecurityDetailsProps, UseGetAppSecurityDetailsReturnType } from './appDetails.type'
+import { getSecurityScan, getSecurityScanRecommendations, useAsync } from '@devtron-labs/devtron-fe-common-lib'
+
+import {
+    UseGetAppSecurityDetailsProps,
+    UseGetAppSecurityDetailsReturnType,
+    UseSecurityRecommendationReturnType,
+} from './appDetails.type'
+
+const SECURITY_SCAN_RECOMMENDATIONS_POLLING_INTERVAL = 5000
 
 export const useGetAppSecurityDetails = ({
     appId,
@@ -26,7 +34,7 @@
 }: UseGetAppSecurityDetailsProps): UseGetAppSecurityDetailsReturnType => {
     const [scanResultLoading, scanResultResponse, scanResultError, reloadScanResult] = useAsync(
         () => getSecurityScan({ appId, envId, artifactId, installedAppId }),
-        [appId, envId, installedAppId],
+        [appId, envId, artifactId, installedAppId],
         !!appId || !!installedAppId,
     )
 
@@ -37,3 +45,39 @@
         reloadScanResult,
     }
 }
+
+export const useGetAppSecurityDetailsRecommendations = ({
+    appId,
+    buildId,
+}: UseGetAppSecurityDetailsProps): UseSecurityRecommendationReturnType => {
+    const [
+        scanRecommendationsResultLoading,
+        scanRecommendationsResultResponse,
+        scanRecommendationsResultError,
+        reloadScanRecommendationsResult,
+    ] = useAsync(() => getSecurityScanRecommendations({ appId, buildId }), [appId, buildId], !!appId && !!buildId)
+
+    const recommendationStatus = scanRecommendationsResultResponse?.result?.status
+    const isDockerfileScanEnabled = scanRecommendationsResultResponse?.result?.scanEnabled
+
+    useEffect(() => {
+        if (!appId || !buildId || !isDockerfileScanEnabled || ![0, 1].includes(recommendationStatus)) {
+            return undefined
+        }
+
+        const timeoutId = window.setTimeout(() => {
+            reloadScanRecommendationsResult()
+        }, SECURITY_SCAN_RECOMMENDATIONS_POLLING_INTERVAL)
+
+        return () => {
+            window.clearTimeout(timeoutId)
+        }
+    }, [appId, buildId, isDockerfileScanEnabled, recommendationStatus, reloadScanRecommendationsResult])
+
+    return {
+        scanRecommendationsResultLoading,
+        scanRecommendationsResultResponse,
+        scanRecommendationsResultError,
+        reloadScanRecommendationsResult,
+    }
+}

src/components/app/details/appDetails/appDetails.type.ts

@@ -24,6 +24,7 @@ import {
     EnvAppsMetaDTO,
     OptionType,
     ResponseType,
+    ScanRecommendationsDTO,
     ScanResultDTO,
     SelectPickerProps,
     ServerErrors,
@@ -176,13 +177,20 @@ export interface UseGetAppSecurityDetailsProps {
     envId?: number
     installedAppId?: number
     artifactId?: number
+    buildId?: number
 }
 export interface UseGetAppSecurityDetailsReturnType {
     scanResultLoading: boolean
     scanResultResponse: ResponseType<ScanResultDTO>
     scanResultError: ServerErrors
     reloadScanResult: () => void
 }
+export interface UseSecurityRecommendationReturnType {
+    scanRecommendationsResultLoading: boolean
+    scanRecommendationsResultResponse: ResponseType<ScanRecommendationsDTO>
+    scanRecommendationsResultError: ServerErrors
+    reloadScanRecommendationsResult: () => void
+}
 
 export enum HibernationModalTypes {
     HIBERNATE = 'hibernate',