diff --git a/dockerfile b/dockerfile index 0f7b067..2b317c9 100644 --- a/dockerfile +++ b/dockerfile @@ -4,7 +4,7 @@ # the application, while the runtime contains only the files and dependencies required # to execute the script. -FROM debian:bookworm-slim AS builder +FROM debian:12.11-slim AS builder WORKDIR /app @@ -12,16 +12,26 @@ WORKDIR /app COPY linux-sysmonitor/ . RUN chmod +x health-check.sh -FROM debian:bookworm-slim +FROM debian:12.11-slim WORKDIR /app COPY --from=builder /app/health-check.sh . -RUN apt-get update && apt-get install -y \ +RUN apt-get update && \ + apt-get install -y --no-install-recommends\ procps \ iputils-ping \ iproute2 \ bash && rm -rf /var/lib/apt/lists/* + +RUN useradd --system \ + --create-home \ + --shell /usr/sbin/nologin \ + appuser && \ + chown -R appuser:appuser /app + +USER appuser + ENTRYPOINT [ "./health-check.sh" ] diff --git a/linux-sysmonitor/security.md b/linux-sysmonitor/security.md new file mode 100644 index 0000000..e169fee --- /dev/null +++ b/linux-sysmonitor/security.md @@ -0,0 +1,32 @@ +# Security Assessment + +## Baseline Scan (linux-sysmonitor:v2) + +- Critical: 2 +- High: Multiple +- Medium: Multiple +- Low: Multiple + +## Hardening Changes + +- Pinned base image to `debian:12.11-slim` +- Used `--no-install-recommends` +- Removed apt package cache +- Created dedicated non-root user (`appuser`) +- Configured container to run as `appuser` +- Kept runtime image minimal using a multi-stage build + +## Final Scan (linux-sysmonitor:v3) + +- Critical: 2 +- High: Multiple +- Medium: Multiple +- Low: Multiple + +## Comparison + +The vulnerability count remained unchanged because the remaining findings originate from Debian base packages and runtime dependencies. Several vulnerabilities are marked by Trivy as `will_not_fix`, `affected`, or `fix_deferred`, indicating that no upstream patched version was available at the time of scanning. + +## Conclusion + +Although the vulnerability count did not decrease, the image was hardened by following Docker security best practices, including pinning the base image, minimizing installed packages, and running the container as a dedicated non-root user. \ No newline at end of file