CyberChef
CyberChef copied to clipboard
gchq
Bundle CyberChef into a container and publish to GCHR
Bundle CyberChef into a container and publish to GCHR
Yet another attempt at bundling CyberChef into a container! There have been various attempts made before this one but they all seem to have been abandoned:
- https://github.com/gchq/CyberChef/pull/1663
- https://github.com/gchq/CyberChef/pull/1215
- https://github.com/gchq/CyberChef/pull/1140
- https://github.com/gchq/CyberChef/pull/677
- https://github.com/gchq/CyberChef/pull/675
- https://github.com/gchq/CyberChef/pull/670
- https://github.com/gchq/CyberChef/pull/178
But as the famous saying goes "8th time's the charm" and maybe this PR will be the one that finally does it.
This PR adds a:
-
Containerfilewhich usessimple-web-servera lightweight HTTP server built in rust for serving static files built in rust to serve CyberChef. - New steps to the
release.ymlworkflow- A step using
docker-metadata-actionwhich generates tags to be applied to the image from the release version (1,1.0,1.0.0andlatest) - A step using
buildahto build an OCI compliant container image. It builds a both an ARM64 image and a AMD64 image. - And finally a step to push the built container to GHCR using the GITHUB_TOKEN built into github actions.
- A step using
- A step to the
pull-requests.ymlworkflow to verify that the Containerfile builds correctly
and a couple of flyby fixes that can be dropped if needs be:
- A version bump to ChromeDriver, fixing the failing UI tests being experience by all PRs. This was caused by a bump to Chrome in the
ubuntu-latestrunner. It looks like another user has also attempted this in https://github.com/gchq/CyberChef/pull/1656 - Switch the Release workflow to use
npm ciinstead ofnpm install.npm cirespects thepackage-lock.jsonfile whereasnpm installwill try and bump dependencies which is not ideal in a CI workflow as it adds uncertainty into which dependencies are being used in your production bundle.
Related to https://github.com/gchq/CyberChef/issues/1280
Why?
Theres various un-official images floating around of CyberChef, although I'm sure most of them are probably fine, but for a tool such as CyberChef where I'm inputting potential sensitive data I'd rather not take any chances.
Testing
I've published a version built on my own fork to ghcr.io/ashcorr/cyberchef:latest which may be used for testing.
podman run -p 8080:80 -it ghcr.io/ashcorr/cyberchef:latest or docker run -p 8080:80 -it ghcr.io/ashcorr/cyberchef:latest
Fixed some merge conflicts from another PR that updated
chromedriver.
Thanks!
When building this container locally, I notice it comes with a lot of context. Could we add a .dockerignore file so we transfer less other stuff? E.g.
node_modules
npm-debug.log
travis.log
build
.vscode
.idea
.*.swp
**/*.DS_Store
tests/browser/output/*
.node-version
This is relevant as well for this issue: https://github.com/gchq/CyberChef/issues/1582 Not sure if that is fixed or not, but for a production-build, there should be as few unnecessary components as possible.
@SebastianThorn A fair point. I'm inclined to merge this PR in even if it does require internet to compile, then accept other PRs to improve the process? A single PR doesn't necessarily need to be perfect, and I'm happy that a future improvement to allow offline building wouldn't impact existing users of this feature.
As you've reference my closed PR, I thought I would drop a comment and say this will be a great addition. Feel free to copy anything from my PR into this branch e.g. dockerignore.
I think for me as a user the main thing that is missing is an update to the README that demonstrates how to build with docker/podman and how an end-user might deploy this.
tyvm
I'm going to merge this as is, because this conversation already has over three dozen comments. Happy to accept other PRs for improvements! 👍
Thanks so much for this @AshCorr. I love how you saw the other 7 PRs and decided to make an 8th 😛, persistence is the key!
@AshCorr Seems to be erroring on permissions, see: https://github.com/gchq/CyberChef/actions/runs/7879757258/job/21500616862
@AshCorr Seems to be erroring on permissions, see: https://github.com/gchq/CyberChef/actions/runs/7879757258/job/21500616862
Odd, I didn't touch that action thats erroring. I wonder if something wonky has happened where defining an explicit packages: write permission has caused default permissions to not be applied? My earlier statement of "Github permissions always confuse me" I think is relevant again 😅
By the looks of it you should be able to add an explicit contents: write permission to fix this, see https://github.com/svenstaro/upload-release-action/issues/70#issuecomment-1502670461
Ah yes, that does appear to be the case as per https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
You can use the permissions key in your workflow file to modify permissions for the GITHUB_TOKEN for an entire workflow or for individual jobs. This allows you to configure the minimum required permissions for a workflow or job. When the permissions key is used, all unspecified permissions are set to no access, with the exception of the metadata scope, which always gets read access.
My apologies for missing that! I believe I commented out this action on my fork as I couldn't get it working, I assumed it was due to it being run on a fork, not due to lack of permissions.
No worries, super not clear. Removing all permissions and just using the defaults appear to have worked well!
Package now available here! https://github.com/gchq/CyberChef/pkgs/container/cyberchef
@AshCorr
No worries, super not clear. Removing all permissions and just using the defaults appear to have worked well!
Package now available here! https://github.com/gchq/CyberChef/pkgs/container/cyberchef
@AshCorr
Looks to be working! Thanks!