Here are some simple usage examples of using the Seal CLI to fix all the vulnerable packages running on a Linux machine, both the operating system packages and those of an application running on it.
Fix simple Docker container
In this example we fix all the vulnerabilities in a Docker container running a CentOS 7 image. Let's assume this is the initial Dockerfile:
# Start from the official CentOS 7 image
FROM --platform=linux/amd64 centos:centos7
# Use the vault repo instead of the default one, as it's deprecated
RUN sed -i 's/^mirrorlist/\#mirrorlist/' /etc/yum.repos.d/* && \
sed -i 's/^\#baseurl=http:\/\/mirror.centos.org\/centos\/\$releasever\//baseurl=https:\/\/vault.centos.org\/7.9.2009\//' /etc/yum.repos.d/*
We will add to the end of the Dockerfile the following lines:
# Seal environment variables
ENV SEAL_USE_SEALED_NAMES=true
# Download the CLI
ADD --chmod=755 https://github.com/seal-community/cli/releases/download/latest/seal-linux-amd64-latest seal
RUN --mount=type=secret,id=SEAL_TOKEN,env=SEAL_TOKEN \
# Fix the OS libraries
SEAL_PROJECT=os-demo ./seal fix --os --mode=all --upload-scan-results && \
# Clean up
rm -f seal
The result will be a Dockerfile that fixes all the vulnerable packages in CentOS 7.
In this example we fix all the vulnerabilities in a Docker container running a CentOS 7 image and a simple Javascript application. Let's assume this is the initial Dockerfile:
# Start from the official CentOS 7 image
FROM --platform=linux/amd64 centos:centos7
# Use the vault repo instead of the default one, as it's deprecated
RUN sed -i 's/^mirrorlist/\#mirrorlist/' /etc/yum.repos.d/* && \
sed -i 's/^\#baseurl=http:\/\/mirror.centos.org\/centos\/\$releasever\//baseurl=https:\/\/vault.centos.org\/7.9.2009\//' /etc/yum.repos.d/*
# Install node.js & npm
RUN yum install epel-release -y && yum install -y nodejs npm psmisc && yum clean all
# Add the application files to /app
ADD package.json package-lock.json app /app/
WORKDIR /app
# Install the application dependencies
RUN npm install --no-audit
# Set the startup command
CMD ["npm", "run", "start-server"]
We will add to the end of the Dockerfile the following lines:
# Seal environment variables
ENV SEAL_USE_SEALED_NAMES=true
# Download the CLI
ADD --chmod=755 https://github.com/seal-community/cli/releases/download/latest/seal-linux-amd64-latest seal
RUN --mount=type=secret,id=SEAL_TOKEN,env=SEAL_TOKEN \
# Fix the NPM libraries
SEAL_PROJECT=app-demo ./seal fix --mode=all --upload-scan-results && \
# Fix the OS libraries
SEAL_PROJECT=os-demo ./seal fix --os --mode=all --upload-scan-results && \
# Clean up
rm -f seal
The result will be a Dockerfile that fixes all the vulnerable packages in CentOS 7, as well as the vulnerable application.
