# Sealing Linux Environments

## Code examples

Here are some simple examples of using the Seal CLI to fix all the vulnerable packages on a Linux machine, both the operating system packages and those of an application running on it.

### Fix simple Docker container

In this example we fix all the vulnerabilities in a Docker container running a CentOS 7 image. Let's assume this is the initial Dockerfile:

```docker
# Start from the official CentOS 7 image
FROM --platform=linux/amd64 centos:centos7

# Use the vault repo, because the default one is deprecated
RUN sed -i 's/^mirrorlist/\#mirrorlist/' /etc/yum.repos.d/* && \
    sed -i 's/^\#baseurl=http:\/\/mirror.centos.org\/centos\/\$releasever\//baseurl=https:\/\/vault.centos.org\/7.9.2009\//' /etc/yum.repos.d/*
```

We will add the following lines to **the end** of the Dockerfile:

```docker
# Seal environment variables
ENV SEAL_USE_SEALED_NAMES=true
# Download the CLI
ADD --chmod=755 https://github.com/seal-community/cli/releases/download/latest/seal-linux-amd64-latest seal 
RUN --mount=type=secret,id=SEAL_TOKEN,env=SEAL_TOKEN \
    # Fix the OS libraries
    SEAL_PROJECT=os-demo ./seal fix --os --mode=all --upload-scan-results && \
    # Clean up
    rm -f seal
```

The result will be a Dockerfile that fixes all the vulnerable packages in CentOS 7.

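To build this Dockerfile, set the `SEAL_TOKEN` environment variable to your [token](https://docs.sealsecurity.io/fundamentals/artifact-server/generating-a-token) for the Seal artifact server and run the following command. The token reaches the build as a BuildKit secret mount, so it is not stored in the image layers: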

```bash
docker build --platform=linux/amd64 --secret id=SEAL_TOKEN,env=SEAL_TOKEN .
```

### Fix Docker container running a JavaScript app

In this example we fix all the vulnerabilities in a Docker container running a CentOS 7 image and a simple JavaScript application. Let's assume this is the initial Dockerfile:

```docker
# Start from the official CentOS 7 image
FROM --platform=linux/amd64 centos:centos7

# Use the vault repo, because the default one is deprecated
RUN sed -i 's/^mirrorlist/\#mirrorlist/' /etc/yum.repos.d/* && \
    sed -i 's/^\#baseurl=http:\/\/mirror.centos.org\/centos\/\$releasever\//baseurl=https:\/\/vault.centos.org\/7.9.2009\//' /etc/yum.repos.d/*

# Install Node.js & npm
RUN yum install epel-release -y && yum install -y nodejs npm psmisc && yum clean all

# Add the application files to /app
ADD package.json package-lock.json app /app/
WORKDIR /app

# Install the application dependencies
RUN npm install --no-audit

# Set the startup command
CMD ["npm", "run", "start-server"]
```

We will add the following lines to **the end** of the Dockerfile:

```docker
# Seal environment variables
ENV SEAL_USE_SEALED_NAMES=true
# Download the CLI
ADD --chmod=755 https://github.com/seal-community/cli/releases/download/latest/seal-linux-amd64-latest seal 
RUN --mount=type=secret,id=SEAL_TOKEN,env=SEAL_TOKEN \
    # Fix the NPM libraries
    SEAL_PROJECT=app-demo ./seal fix --mode=all --upload-scan-results && \
    # Fix the OS libraries
    SEAL_PROJECT=os-demo ./seal fix --os --mode=all --upload-scan-results && \
    # Clean up
    rm -f seal
```

The result will be a Dockerfile that fixes all the vulnerable packages in CentOS 7, as well as the application's vulnerable packages.

As in the previous example, set the `SEAL_TOKEN` environment variable to your [token](https://docs.sealsecurity.io/fundamentals/artifact-server/generating-a-token) for the Seal artifact server and run the following command to build this Dockerfile:

```bash
docker build --platform=linux/amd64 --secret id=SEAL_TOKEN,env=SEAL_TOKEN .
```
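
Both Dockerfiles above hand the token to `seal fix` through a secret mount rather than through `ARG` or `ENV`. The following is an added example, not part of the Seal documentation or CLI: a small Python lint that checks a Dockerfile for that pattern. The function names and sample Dockerfiles are constructed for illustration, and heredoc-style `RUN` instructions are assumed not to be used.

```python
import re

def instructions(text):
    """Yield (line_no, KEYWORD, body), joining backslash continuations."""
    buf, start = [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank/comment lines, including ones inside a continued RUN
        start = start if buf else n  # remember where the instruction began
        cont = line.endswith("\\")
        buf.append(line[:-1].strip() if cont else line)
        if not cont:
            keyword, _, body = " ".join(buf).partition(" ")
            yield start, keyword.upper(), body.strip()
            buf = []

def has_secret_mount(body):
    """True if the RUN body mounts a BuildKit secret with id=SEAL_TOKEN."""
    for opts in re.findall(r"--mount=(\S+)", body):
        kv = dict(o.partition("=")[::2] for o in opts.split(","))
        if kv.get("type") == "secret" and kv.get("id") == "SEAL_TOKEN":
            return True
    return False

def lint(text):
    """Return [(line_no, message)] for token-handling problems."""
    findings = []
    for n, kw, body in instructions(text):
        if kw in ("ARG", "ENV") and re.search(r"\bSEAL_TOKEN\b", body):
            findings.append((n, f"{kw} SEAL_TOKEN is visible in image config/history"))
        if kw == "RUN" and re.search(r"(^|[\s/])seal\s+fix\b", body) \
                and not has_secret_mount(body):
            findings.append((n, "seal fix without --mount=type=secret,id=SEAL_TOKEN"))
    return findings

# Constructed samples: GOOD follows the page's pattern, BAD is a leaky variant.
GOOD = """\
RUN --mount=type=secret,id=SEAL_TOKEN,env=SEAL_TOKEN \\
    # Fix the OS libraries
    SEAL_PROJECT=os-demo ./seal fix --os --mode=all --upload-scan-results && \\
    rm -f seal
"""
BAD = """\
ARG SEAL_TOKEN
RUN SEAL_TOKEN=${SEAL_TOKEN} SEAL_PROJECT=os-demo ./seal fix --os --mode=all
"""

if __name__ == "__main__":
    print("GOOD:", lint(GOOD), "BAD:", lint(BAD))
```

Run it in CI against the Dockerfile before `docker build`; an empty list means the token is only ever supplied through the secret mount.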
