# Sealing Linux Environments ## Code examples Here are some simple usage examples of using the Seal CLI to fix all the vulnerable packages running on a Linux machine, both the operating system packages and those of an application running on it. ### Fix simple Docker container In this example we fix all the vulnerabilities in a Docker container running a CentOS 7 image. Let's assume this is the initial Dockerfile: ```docker # Start from the official CentOS 7 image FROM --platform=linux/amd64 centos:centos7 # Use the vault repo instead of the default one, as it's deprecated RUN sed -i 's/^mirrorlist/\#mirrorlist/' /etc/yum.repos.d/* && \ sed -i 's/^\#baseurl=http:\/\/mirror.centos.org\/centos\/\$releasever\//baseurl=https:\/\/vault.centos.org\/7.9.2009\//' /etc/yum.repos.d/* ``` We will add to **the end** of the Dockerfile the following lines: ```docker # Seal environment variables ENV SEAL_USE_SEALED_NAMES=true # Download the CLI ADD --chmod=755 https://github.com/seal-community/cli/releases/download/latest/seal-linux-amd64-latest seal RUN --mount=type=secret,id=SEAL_TOKEN,env=SEAL_TOKEN \ # Fix the OS libraries SEAL_PROJECT=os-demo ./seal fix --os --mode=all --upload-scan-results && \ # Clean up rm -f seal ``` The result will be a Dockerfile that fixes all the vulnerable packages in CentOS 7. To build this Dockerfile you will need to run the following command with your [token](/fundamentals/artifact-server/generating-a-token.md) to the Seal artifact server: ```bash docker build --platform=linux/amd64 --secret id=SEAL_TOKEN,env=SEAL_TOKEN . ``` ### Fix Docker container running a Javascript app In this example we fix all the vulnerabilities in a Docker container running a CentOS 7 image and a simple Javascript application. Let's assume this is the initial Dockerfile: ```docker # Start from the official CentOS 7 image FROM --platform=linux/amd64 centos:centos7 # Use the vault repo instead of the default one, as it's deprecated RUN sed -i 's/^mirrorlist/\#mirrorlist/' /etc/yum.repos.d/* && \ sed -i 's/^\#baseurl=http:\/\/mirror.centos.org\/centos\/\$releasever\//baseurl=https:\/\/vault.centos.org\/7.9.2009\//' /etc/yum.repos.d/* # Install node.js & npm RUN yum install epel-release -y && yum install -y nodejs npm psmisc && yum clean all # Add the application files to /app ADD package.json package-lock.json app /app/ WORKDIR /app # Install the application dependencies RUN npm install --no-audit # Set the startup command CMD ["npm", "run", "start-server"] ``` We will add to **the end** of the Dockerfile the following lines: ```docker # Seal environment variables ENV SEAL_USE_SEALED_NAMES=true # Download the CLI ADD --chmod=755 https://github.com/seal-community/cli/releases/download/latest/seal-linux-amd64-latest seal RUN --mount=type=secret,id=SEAL_TOKEN,env=SEAL_TOKEN \ # Fix the NPM libraries SEAL_PROJECT=app-demo ./seal fix --mode=all --upload-scan-results && \ # Fix the OS libraries SEAL_PROJECT=os-demo ./seal fix --os --mode=all --upload-scan-results && \ # Clean up rm -f seal ``` The result will be a Dockerfile that fixes all the vulnerable packages in CentOS 7, as well as the vulnerable application. To build this Dockerfile you will need to run the following command with your [token](/fundamentals/artifact-server/generating-a-token.md) to the Seal artifact server: ```bash docker build --platform=linux/amd64 --secret id=SEAL_TOKEN,env=SEAL_TOKEN . ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.sealsecurity.io/fundamentals/cli/usage-examples/sealing-linux-environments.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.