Skip to content

[wip] Chore/docker security improvements #136

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
AndyBoWu wants to merge 3 commits into
base: main
Choose a base branch
from
Open

[wip] Chore/docker security improvements #136

AndyBoWu wants to merge 3 commits into from

Conversation

@AndyBoWu
Copy link
Member

@AndyBoWu AndyBoWu commented Jul 10, 2025

Summary

This PR enhances the Docker container security and CI/CD pipeline following security best practices.

Changes

Docker Security Improvements

  • Run container as non-root user (story with UID 1000) for better security
  • Add build arguments (VERSION, COMMIT, BUILDNUM) for proper metadata tracking
  • Add OCI standard labels for improved container management
  • Set explicit ENTRYPOINT for better container usability
  • Optimize .dockerignore to reduce build context size

CI/CD Enhancements

  • Pin all GitHub Actions to specific SHA hashes for supply chain security
  • Add Trivy vulnerability scanner with SARIF upload to GitHub Security tab
  • Switch from local cache to GitHub Actions cache for better performance
  • Add explicit permissions following principle of least privilege
  • Add Dependabot configuration for automated dependency updates

AndyBoWu added 3 commits July 10, 2025 13:29
@AndyBoWu
chore(git): add AI assistant files to gitignore
dbca8b3
@AndyBoWu
chore(docker): add non-root user and security improvements
35fc74a 
- Run container as non-root 'story' user (UID 1000)
- Add build arguments for version metadata
- Add OCI standard labels for container management
- Optimize .dockerignore for smaller build context
- Add explicit ENTRYPOINT for better usability
@AndyBoWu
chore(ci): enhance workflow security and add vulnerability scanning
7c29cd2 
- Pin all GitHub Actions to SHA for supply chain security
- Add Trivy vulnerability scanner with SARIF upload
- Switch from local to GitHub Actions cache
- Add explicit permissions for least privilege
- Add Dependabot for automated dependency updates
@stevemilk stevemilk changed the title Chore/docker security improvements [wip] Chore/docker security improvements Jul 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wo-o wo-o Awaiting requested review from wo-o wo-o is a code owner

@kingster-will kingster-will Awaiting requested review from kingster-will kingster-will is a code owner

@LeoHChen LeoHChen Awaiting requested review from LeoHChen LeoHChen is a code owner

@stevemilk stevemilk Awaiting requested review from stevemilk stevemilk is a code owner

@0xHansLee 0xHansLee Awaiting requested review from 0xHansLee 0xHansLee is a code owner

@edisonz0718 edisonz0718 Awaiting requested review from edisonz0718 edisonz0718 is a code owner

@limengformal limengformal Awaiting requested review from limengformal limengformal is a code owner

@sebsadface sebsadface Awaiting requested review from sebsadface sebsadface is a code owner

@ramtinms ramtinms Awaiting requested review from ramtinms ramtinms is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@AndyBoWu