8 changes: 6 additions & 2 deletions .github/workflows/quantms-containers.yml
@@ -43,6 +43,7 @@ jobs:
if: github.event_name == 'push' || github.event_name == 'pull_request'
with:
filters: |
diann_2_5_0: [ 'diann-2.5.0/**', '.github/workflows/**' ]
diann_2_3_2: [ 'diann-2.3.2/**', '.github/workflows/**' ]
diann_2_2_0: [ 'diann-2.2.0/**', '.github/workflows/**' ]
diann_2_1_0: [ 'diann-2.1.0/**', '.github/workflows/**' ]
@@ -55,6 +56,7 @@ jobs:
id: set-matrix
env:
EVENT: ${{ github.event_name }}
CHG_250: ${{ steps.filter.outputs.diann_2_5_0 }}
CHG_232: ${{ steps.filter.outputs.diann_2_3_2 }}
CHG_220: ${{ steps.filter.outputs.diann_2_2_0 }}
CHG_210: ${{ steps.filter.outputs.diann_2_1_0 }}
@@ -64,7 +66,8 @@ jobs:
CHG_RLK: ${{ steps.filter.outputs.relink_1_0_0 }}
run: |
DIANN_ALL='[
{"context":"diann-2.3.2","tag":"ghcr.io/bigbio/diann:2.3.2","sif":"diann-sif:2.3.2","extra_tags":"ghcr.io/bigbio/diann:latest","chg":"CHG_232"},
{"context":"diann-2.5.0","tag":"ghcr.io/bigbio/diann:2.5.0","sif":"diann-sif:2.5.0","extra_tags":"ghcr.io/bigbio/diann:latest","chg":"CHG_250"},
{"context":"diann-2.3.2","tag":"ghcr.io/bigbio/diann:2.3.2","sif":"diann-sif:2.3.2","extra_tags":"","chg":"CHG_232"},
{"context":"diann-2.2.0","tag":"ghcr.io/bigbio/diann:2.2.0","sif":"diann-sif:2.2.0","extra_tags":"","chg":"CHG_220"},
{"context":"diann-2.1.0","tag":"ghcr.io/bigbio/diann:2.1.0","sif":"diann-sif:2.1.0","extra_tags":"","chg":"CHG_210"},
{"context":"diann-2.0.2","tag":"ghcr.io/bigbio/diann:2.0.2","sif":"diann-sif:2.0.2","extra_tags":"","chg":"CHG_20"},
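Review bot: moving `"extra_tags":"ghcr.io/bigbio/diann:latest"` from the 2.3.2 entry to the new 2.5.0 entry means `latest` is now published from the `diann-2.5.0` context on its first successful build, and the Dockerfile in that context (reviewed below) currently downloads the archive with certificate checking disabled and no checksum. Please make sure the hardened download lands in the same PR, or keep `latest` on 2.3.2 until the 2.5.0 image has been built and verified; also confirm that the 2.3.2 entry is meant to end up with an empty `extra_tags` rather than, say, a `2.3` alias.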
@@ -79,9 +82,10 @@ jobs:
DIANN=$(echo "$DIANN_ALL" | jq -c '[.[] | del(.chg)]')
RELINK=$(echo "$RELINK_ALL" | jq -c '[.[] | del(.chg)]')
else
DIANN=$(echo "$DIANN_ALL" | jq -c --arg c232 "${CHG_232:-false}" --arg c220 "${CHG_220:-false}" --arg c210 "${CHG_210:-false}" \
DIANN=$(echo "$DIANN_ALL" | jq -c --arg c250 "${CHG_250:-false}" --arg c232 "${CHG_232:-false}" --arg c220 "${CHG_220:-false}" --arg c210 "${CHG_210:-false}" \
--arg c20 "${CHG_20:-false}" --arg c192 "${CHG_192:-false}" --arg c181 "${CHG_181:-false}" \
'[.[] | select(
(.chg == "CHG_250" and $c250 == "true") or
(.chg == "CHG_232" and $c232 == "true") or
(.chg == "CHG_220" and $c220 == "true") or
(.chg == "CHG_210" and $c210 == "true") or
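Review bot: the new `--arg c250 "${CHG_250:-false}"` and the `(.chg == "CHG_250" and $c250 == "true")` clause follow the existing pattern, but adding a version now requires four coordinated edits (the paths filter, the `CHG_*` env entry, the `DIANN_ALL` entry, and this `--arg`/`select` pair), and forgetting the `--arg` makes jq fail on an undefined `$cNNN` variable rather than skipping the entry. Consider passing the filter outputs as a single object, e.g. `--argjson chg "$FILTER_JSON"` with `select($chg[.chg] == "true")`, so only the `DIANN_ALL` entry and the filter need to change; at minimum a comment listing the places to update would help the next version bump.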
52 changes: 52 additions & 0 deletions diann-2.5.0/Dockerfile
@@ -0,0 +1,52 @@
FROM ubuntu:22.04
⚠️ Potential issue | 🟠 Major

Drop root at runtime.

The container currently runs as root. Add a dedicated unprivileged user and switch to it before WORKDIR /data/.

🛡️ Proposed hardening
-WORKDIR /data/
+RUN useradd --create-home --uid 10001 --shell /usr/sbin/nologin diann && \
+    mkdir -p /data && \
+    chown -R diann:diann /data
+USER diann
+WORKDIR /data/

Also applies to: 50-50

🧰 Tools
🪛 Trivy (0.69.3)

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002

(IaC/Dockerfile)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@diann-2.5.0/Dockerfile` at line 1, add a non-root user and switch to it in
the Dockerfile: create a dedicated unprivileged user/group (e.g., appuser),
ensure /data is created and owned by that user (chown/chgrp) during image build,
then set USER to that unprivileged account before the WORKDIR /data/ instruction
so the container runs unprivileged; update related RUN commands that create
files under /data/ to use the new user or to perform chown as part of the build.


# Some metadata
LABEL base_image="ubuntu:22.04"
LABEL version="2"
LABEL software="diann"
LABEL software.version="2.5.0"
LABEL about.summary="DIA-NN - a universal software for data-independent acquisition (DIA) proteomics data processing."
LABEL about.home="https://github.com/vdemichev/DiaNN"
LABEL about.documentation="https://github.com/vdemichev/DiaNN"
LABEL about.license_file="https://github.com/vdemichev/DiaNN/LICENSE.txt"
LABEL about.tags="Proteomics"
LABEL maintainer="Yasset Perez-Riverol <ypriverol@gmail.com>"

ENV DEBIAN_FRONTEND=noninteractive

# Update package lists and ensure package versions are up to date, Install necessary packages
RUN apt-get update && apt-get install -y --no-install-recommends \
wget \
unzip \
libgomp1 \
locales && \
rm -rf /var/lib/apt/lists/*

# Configure locale to avoid runtime errors
RUN locale-gen en_US.UTF-8 && \
update-locale LANG=en_US.UTF-8

# Set environment variables for locale
ENV LANG=en_US.UTF-8
ENV LANGUAGE=en_US:en
ENV LC_ALL=en_US.UTF-8

# Download and install DIA-NN
RUN wget --no-check-certificate https://github.com/vdemichev/DiaNN/releases/download/2.0/DIA-NN-2.5.0-Academia-Linux.zip && \
unzip DIA-NN-2.5.0-Academia-Linux.zip -d /usr/ && \
rm DIA-NN-2.5.0-Academia-Linux.zip
⚠️ Potential issue | 🔴 Critical

Remove insecure download flag and verify artifact integrity.

Disabling certificate verification here is a release-blocking supply-chain risk. Keep TLS verification enabled and add checksum verification before unzip.

🔒 Proposed fix
+ARG DIANN_URL="https://github.com/vdemichev/DiaNN/releases/download/2.0/DIA-NN-2.5.0-Academia-Linux.zip"
+ARG DIANN_SHA256="<official_sha256_here>"
-RUN wget --no-check-certificate https://github.com/vdemichev/DiaNN/releases/download/2.0/DIA-NN-2.5.0-Academia-Linux.zip && \
-    unzip DIA-NN-2.5.0-Academia-Linux.zip -d /usr/ && \
-    rm DIA-NN-2.5.0-Academia-Linux.zip
+RUN wget -O /tmp/diann.zip "$DIANN_URL" && \
+    echo "${DIANN_SHA256}  /tmp/diann.zip" | sha256sum -c - && \
+    unzip /tmp/diann.zip -d /usr/ && \
+    rm /tmp/diann.zip
🧰 Tools
🪛 Checkov (3.2.513)

[high] 35-37: Ensure that certificate validation isn't disabled with wget

(CKV2_DOCKER_3)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@diann-2.5.0/Dockerfile` around lines 35 - 37, remove the insecure wget flag
and add checksum verification: replace the RUN line that downloads and unzips
"DIA-NN-2.5.0-Academia-Linux.zip" so it uses a TLS-verified download (remove
--no-check-certificate or use curl -fsSL), also download the corresponding
checksum file (e.g. "DIA-NN-2.5.0-Academia-Linux.zip.sha256" or ".sha256sum")
from the same GitHub release, verify the archive with sha256sum -c (or echo
"<expected>  DIA-NN-2.5.0-Academia-Linux.zip" | sha256sum -c -) and fail the
build if the check fails, then unzip "DIA-NN-2.5.0-Academia-Linux.zip" and
remove both the zip and checksum files; update the RUN block that references
these filenames accordingly.


# Remove unnecessary packages
RUN apt-get remove -y wget unzip && apt-get autoremove -y && apt-get clean && \
rm -rf /var/lib/apt/lists/*

# Set appropriate permissions for the DIA-NN folder
RUN chmod +x /usr/diann-2.5.0/diann-linux

# Create a symbolic link and add to PATH
RUN ln -s /usr/diann-2.5.0/diann-linux /usr/diann-2.5.0/diann
ENV PATH="$PATH:/usr/diann-2.5.0"

WORKDIR /data/

# NOTE: It is entirely the user's responsibility to ensure compliance with DIA-NN license terms.
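Review bot: the download URL `releases/download/2.0/DIA-NN-2.5.0-Academia-Linux.zip` fetches a 2.5.0 archive from the `2.0` release tag; please confirm this is the intended release for 2.5.0 (the 2.0.2 image in the workflow matrix suggests distinct tags per version) and, together with the checksum already proposed above, pin it so the image cannot change silently if that release's assets are replaced. Separately, `RUN apt-get remove -y wget unzip && apt-get autoremove -y ...` in its own layer does not shrink the image, because the earlier layer that installed `wget` and `unzip` is kept; either fold install, download, unzip and removal into one `RUN`, or use a multi-stage build and copy only `/usr/diann-2.5.0` into the final stage. Minor: `LABEL version="2"` next to `software.version="2.5.0"` looks inconsistent with the other per-version Dockerfiles and is worth a quick check.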