https://github.com/Shopify/hansel

https://github.com/Shopify/hansel

Last synced: 29 days ago
JSON representation

• Host: GitHub
• URL: https://github.com/Shopify/hansel
• Owner: Shopify
• License: mit
• Created: 2022-05-06T14:14:00.000Z (over 2 years ago)
• Default Branch: main
• Last Pushed: 2024-09-09T11:26:35.000Z (3 months ago)
• Last Synced: 2024-09-09T13:35:15.215Z (3 months ago)
• Language: Go
• Size: 362 KB
• Stars: 14
• Watchers: 246
• Forks: 6
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • Contributing: CONTRIBUTING.md
  • License: LICENSE
  • Codeowners: .github/CODEOWNERS

Awesome Lists containing this project

• awesome-software-supply-chain-security - Shopify/hansel

README

        
# Hansel

![OpenSSF Scorecard Badge](https://api.securityscorecards.dev/projects/github.com/Shopify/hansel/badge)

Hansel generates empty linux packages. These packages can be installed to track dependencies manually added to a container image.

[![Usage example](https://asciinema.org/a/497735.svg)](https://asciinema.org/a/497735)

## Usage

You can add hansel to an image, and generate + install tracking packages for dependencies in a single step:

```dockerfile

FROM node:18-alpine

COPY --from=ghcr.io/shopify/hansel:latest /usr/bin/hansel /usr/bin/hansel

RUN hansel --name node --version "$(node -v | sed -e's/^v//g')" --install

```

You can use hansel in a multistep build to generate and install separately:

```dockerfile

FROM ghcr.io/shopify/hansel:latest AS crumbs

RUN hansel --name rando-thing --version 1.2.3 --debian

FROM debian:bullseye

RUN curl -o /usr/bin/rando-thing https://rando.thing/v1.2.3/unsigned-blob-yolo

COPY --from=crumbs /rando-thing*.deb /tmp/rando-thing.deb

RUN dpkg -i /tmp/rando-thing.deb && \

    rm /tmp/rando-thing.deb

```

The name is inspired by [Hansel and Gretel](https://en.wikipedia.org/wiki/Hansel_and_Gretel), as the packages are breadcrumbs left for container scanners to identify.