Sealing Linux Environments

Code examples

Here are some simple usage examples of using the Seal CLI to fix all the vulnerable packages running on a Linux machine, both the operating system packages and those of an application running on it.

Fix simple Docker container

In this example we fix all the vulnerabilities in a Docker container running a CentOS 7 image. Let's assume this is the initial Dockerfile:

# Start from the official CentOS 7 image
FROM --platform=linux/amd64 centos:centos7

# Use the vault repo instead of the default one, as it's deprecated
RUN sed -i 's/^mirrorlist/\#mirrorlist/' /etc/yum.repos.d/* && \
    sed -i 's/^\#baseurl=http:\/\/mirror.centos.org\/centos\/\$releasever\//baseurl=https:\/\/vault.centos.org\/7.9.2009\//' /etc/yum.repos.d/*

We will add to the end of the Dockerfile the following lines:

# Seal environment variables
ENV SEAL_USE_SEALED_NAMES=true
# Download the CLI
ADD --chmod=755 https://github.com/seal-community/cli/releases/download/latest/seal-linux-amd64-latest seal 
RUN --mount=type=secret,id=SEAL_TOKEN,env=SEAL_TOKEN \
    # Fix the OS libraries
    SEAL_PROJECT=os-demo ./seal fix --os --mode=all --upload-scan-results && \
    # Clean up
    rm -f seal

The result will be a Dockerfile that fixes all the vulnerable packages in CentOS 7.

To build this Dockerfile you will need to run the following command with your token to the Seal artifact server:

docker build --platform=linux/amd64 --secret id=SEAL_TOKEN,env=SEAL_TOKEN .

Fix Docker container running a Javascript app

In this example we fix all the vulnerabilities in a Docker container running a CentOS 7 image and a simple Javascript application. Let's assume this is the initial Dockerfile:

# Start from the official CentOS 7 image
FROM --platform=linux/amd64 centos:centos7

# Use the vault repo instead of the default one, as it's deprecated
RUN sed -i 's/^mirrorlist/\#mirrorlist/' /etc/yum.repos.d/* && \
    sed -i 's/^\#baseurl=http:\/\/mirror.centos.org\/centos\/\$releasever\//baseurl=https:\/\/vault.centos.org\/7.9.2009\//' /etc/yum.repos.d/*

# Install node.js & npm
RUN yum install epel-release -y && yum install -y nodejs npm psmisc && yum clean all

# Add the application files to /app
ADD package.json package-lock.json app /app/
WORKDIR /app

# Install the application dependencies
RUN npm install --no-audit

# Set the startup command
CMD ["npm", "run", "start-server"]

We will add to the end of the Dockerfile the following lines:

# Seal environment variables
ENV SEAL_USE_SEALED_NAMES=true
# Download the CLI
ADD --chmod=755 https://github.com/seal-community/cli/releases/download/latest/seal-linux-amd64-latest seal 
RUN --mount=type=secret,id=SEAL_TOKEN,env=SEAL_TOKEN \
    # Fix the NPM libraries
    SEAL_PROJECT=app-demo ./seal fix --mode=all --upload-scan-results && \
    # Fix the OS libraries
    SEAL_PROJECT=os-demo ./seal fix --os --mode=all --upload-scan-results && \
    # Clean up
    rm -f seal

The result will be a Dockerfile that fixes all the vulnerable packages in CentOS 7, as well as the vulnerable application.

To build this Dockerfile you will need to run the following command with your token to the Seal artifact server:

docker build --platform=linux/amd64 --secret id=SEAL_TOKEN,env=SEAL_TOKEN .
PreviousSealing Application DependenciesNextArtifact Server

Last updated