Skip to content

Feat/docker security#21

Open
PuneethM-06 wants to merge 6 commits into
feat/docker-composefrom
feat/docker-security
Open

Feat/docker security#21
PuneethM-06 wants to merge 6 commits into
feat/docker-composefrom
feat/docker-security

Conversation

@PuneethM-06

Copy link
Copy Markdown
Owner

Summary

This PR hardens the linux-sysmonitor Docker image by applying Docker security best practices and documenting the results of a Trivy vulnerability assessment.

Changes Made

  • Performed a baseline Trivy vulnerability scan on the Docker image.
  • Pinned the Debian base image to a specific version (debian:12.11-slim) for reproducible builds.
  • Reduced the runtime attack surface by installing packages with --no-install-recommends.
  • Removed apt package metadata after installation to keep the image lean.
  • Added a dedicated non-root user (appuser) and configured the container to run without root privileges.
  • Rebuilt the hardened Docker image and performed a follow-up Trivy scan.
  • Added SECURITY.md documenting the baseline scan, hardening steps, final scan, and comparison of results.

Security Notes

The container now follows several Docker security best practices, including running as a non-root user and minimizing installed packages. The remaining vulnerabilities originate from Debian base packages and runtime dependencies. Several are reported by Trivy as will_not_fix, affected, or fix_deferred, indicating that no upstream patched version was available at the time of scanning.

Closes #16.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant