Retain files and directories in your hardened images using profile files
By default, when hardening an image, RapidFort removes everything that was not detected as being used while profiling the runtime behavior.
In general, the best way to ensure that your hardened image will contain necessary dependencies is to maximize test coverage when profiling the stub image.
However, this may not always be feasible. Therefore, RapidFort provides the ability to specify files, directories, or packages that you would like to keep in the hardened image.
To keep files, directories, or packages in the hardened image, create a profile file and provide this when hardening the image.
rfharden <stub_image> -p <profile_file>
Profile files can also be built into your images under the name .rfprofile by adding the following line to your Dockerfile:
FROM myimage:latest
ADD /mydir/myprofile /.rfprofile
The .rfprofile must be placed at the location /.rfprofile in order to be detected.
If an .rfprofile has been added to your image, you will no longer need to provide a profile file when hardening the image.
rfharden <stub_image>
Adding packages to hardening profile files
In order to include a package in your hardened image, you may add it to your hardening profile using the following syntax:
{package_name:package_version}
or
{package_name:package_version:package_source_type}
Curly brace delimiters must be used. The package name and version must at least be provided. If you have the same package from multiple source types, you may add a source type in order to specify which one you would like to keep.
The profile file uses the gitignore syntax.