
feature: Allow appending an arbitrary validation command to the built image #383

Open
johnstcn opened this issue Oct 14, 2024 · 0 comments

@johnstcn (Member)

Motivation

Some image building workflows involve a final RUN command that serves to in some way validate the built image before pushing it to a remote registry (example).

For example, we may want to run a security scan of the image for CVEs using e.g. trivy, or perform a final confidence check on the image using e.g. goss.

With Envbuilder, the built image is only available inside the running envbuilder container, so it can't be scanned easily by external processes.

Solution

Allow appending an arbitrary RUN command to the Dockerfile produced by Envbuilder. An example of such a command could be:

RUN curl -fsSL -o /tmp/validate.sh https://host.internal/validate.sh && \
    chmod +x /tmp/validate.sh && \
    /tmp/validate.sh && \
    rm -f /tmp/validate.sh

Alternatives

The above behaviour can be approximated with no code changes with the below:

  • Append a RUN command to the Dockerfile containing the specific check(s) they wish to run, or
  • Add the required validation steps to devcontainer.json as e.g. postCreateCommand, or
  • Create a specific devcontainer feature that runs the desired validation commands.
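As an added example (not code from this issue or from Envbuilder), the script below implements the requested behaviour as a post-processing step: it builds the issue's RUN command with a checksum check on the downloaded script and appends it as the last instruction of an existing Dockerfile, switching to root for the scan and restoring any non-root USER the image set. The script URL is taken from the issue; the digest and the sample Dockerfile are constructed placeholders.

```python
"""Append a final validation step to a generated Dockerfile (added example)."""
import re
import shlex

def validation_command(url: str, sha256: str) -> str:
    """Fetch the validation script, verify its checksum before running it (the
    issue's RUN example plus an integrity check), then remove it."""
    if not re.fullmatch(r"[0-9a-f]{64}", sha256):
        raise ValueError("sha256 must be 64 lowercase hex characters")
    q = shlex.quote
    return " && ".join([
        f"curl -fsSL -o /tmp/validate.sh {q(url)}",
        f"echo {q(sha256 + '  /tmp/validate.sh')} | sha256sum -c -",
        "chmod +x /tmp/validate.sh",
        "/tmp/validate.sh",
        "rm -f /tmp/validate.sh",
    ])

def _instructions(lines):
    """Yield (INSTRUCTION, args) per logical instruction, skipping comments and
    backslash-continued lines so a continued RUN is never mistaken for USER."""
    cont = False
    for line in lines:
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if cont:
            cont = s.endswith("\\")
            continue
        cont = s.endswith("\\")
        head, *rest = s.split(None, 1)
        yield head.upper(), rest[0] if rest else ""

def append_validation_step(dockerfile: str, command: str) -> str:
    """Return the Dockerfile with the validation RUN appended as its last step.
    Scanners need to read the whole filesystem, so if the final stage set a
    non-root USER the step runs as root and that USER is restored afterwards."""
    user = None
    lines = dockerfile.rstrip("\n").split("\n")
    for inst, args in _instructions(lines):
        if inst == "FROM":
            user = None  # each stage starts as root again
        elif inst == "USER":
            user = args
    switch = user is not None and user.split(":")[0] not in ("root", "0")
    run = "RUN " + " && \\\n    ".join(command.split(" && "))
    step = ["", "# Final validation step: a non-zero exit fails the build"]
    step += ["USER root", run, f"USER {user}"] if switch else [run]
    return "\n".join(lines + step) + "\n"
```

Because the step is a plain RUN, a failing check (a scanner exiting non-zero, for instance) fails the build itself, so nothing is pushed.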