From fb043f472d6701490726df38f2282532e3a99ec9 Mon Sep 17 00:00:00 2001 From: PuneethM-06 Date: Tue, 14 Jul 2026 09:04:13 +0000 Subject: [PATCH 1/6] docker --- dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dockerfile b/dockerfile index 0f7b067..c40a183 100644 --- a/dockerfile +++ b/dockerfile @@ -4,7 +4,7 @@ # the application, while the runtime contains only the files and dependencies required # to execute the script. -FROM debian:bookworm-slim AS builder +FROM debian:12.11-slim AS builder WORKDIR /app @@ -12,7 +12,7 @@ WORKDIR /app COPY linux-sysmonitor/ . RUN chmod +x health-check.sh -FROM debian:bookworm-slim +FROM debian:12.11-slim WORKDIR /app From 7db0b6e624f26934cf31a699189f98ee306e8760 Mon Sep 17 00:00:00 2001 From: PuneethM-06 Date: Tue, 14 Jul 2026 09:05:41 +0000 Subject: [PATCH 2/6] docker --- dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/dockerfile b/dockerfile index c40a183..d0bcd4c 100644 --- a/dockerfile +++ b/dockerfile @@ -18,7 +18,8 @@ WORKDIR /app COPY --from=builder /app/health-check.sh . -RUN apt-get update && apt-get install -y \ +RUN apt-get update && \ + apt-get install -y --no-install-recommends\ procps \ iputils-ping \ iproute2 \ From 918cafb1dda4611432854f162ed52117ded659ba Mon Sep 17 00:00:00 2001 From: PuneethM-06 Date: Tue, 14 Jul 2026 09:17:19 +0000 Subject: [PATCH 3/6] docker --- dockerfile | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/dockerfile b/dockerfile index d0bcd4c..8f0e49b 100644 --- a/dockerfile +++ b/dockerfile @@ -24,5 +24,12 @@ RUN apt-get update && \ iputils-ping \ iproute2 \ bash && rm -rf /var/lib/apt/lists/* + +RUN useradd --system \ + --create-home \ + --shell /var/sbin/nologin \ + appuser && \ + chown -R appuser:appuser /app + ENTRYPOINT [ "./health-check.sh" ] From 1fd432d7bb86483515c8140e38d846e4c81c7753 Mon Sep 17 00:00:00 2001 From: PuneethM-06 Date: Tue, 14 Jul 2026 09:17:35 +0000 Subject: [PATCH 4/6] docker --- dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dockerfile b/dockerfile index 8f0e49b..d1c4045 100644 --- a/dockerfile +++ b/dockerfile @@ -27,7 +27,7 @@ RUN apt-get update && \ RUN useradd --system \ --create-home \ - --shell /var/sbin/nologin \ + --shell /usr/sbin/nologin \ appuser && \ chown -R appuser:appuser /app From 30fe0f3f74379c76832e20418edc1b28706e1cf2 Mon Sep 17 00:00:00 2001 From: PuneethM-06 Date: Tue, 14 Jul 2026 09:17:55 +0000 Subject: [PATCH 5/6] docker --- dockerfile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/dockerfile b/dockerfile index d1c4045..2b317c9 100644 --- a/dockerfile +++ b/dockerfile @@ -30,6 +30,8 @@ RUN useradd --system \ --shell /usr/sbin/nologin \ appuser && \ chown -R appuser:appuser /app - + +USER appuser + ENTRYPOINT [ "./health-check.sh" ] From 6f2f776b2c9ee9500e588a853cf6b765460dbdb4 Mon Sep 17 00:00:00 2001 From: PuneethM-06 Date: Tue, 14 Jul 2026 09:27:31 +0000 Subject: [PATCH 6/6] docker --- linux-sysmonitor/security.md | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 linux-sysmonitor/security.md diff --git a/linux-sysmonitor/security.md b/linux-sysmonitor/security.md new file mode 100644 index 0000000..e169fee --- /dev/null +++ b/linux-sysmonitor/security.md @@ -0,0 +1,32 @@ +# Security Assessment + +## Baseline Scan (linux-sysmonitor:v2) + +- Critical: 2 +- High: Multiple +- Medium: Multiple +- Low: Multiple + +## Hardening Changes + +- Pinned base image to `debian:12.11-slim` +- Used `--no-install-recommends` +- Removed apt package cache +- Created dedicated non-root user (`appuser`) +- Configured container to run as `appuser` +- Kept runtime image minimal using a multi-stage build + +## Final Scan (linux-sysmonitor:v3) + +- Critical: 2 +- High: Multiple +- Medium: Multiple +- Low: Multiple + +## Comparison + +The vulnerability count remained unchanged because the remaining findings originate from Debian base packages and runtime dependencies. Several vulnerabilities are marked by Trivy as `will_not_fix`, `affected`, or `fix_deferred`, indicating that no upstream patched version was available at the time of scanning. + +## Conclusion + +Although the vulnerability count did not decrease, the image was hardened by following Docker security best practices, including pinning the base image, minimizing installed packages, and running the container as a dedicated non-root user. \ No newline at end of file