Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 13 additions & 3 deletions dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -4,24 +4,34 @@
# the application, while the runtime contains only the files and dependencies required
# to execute the script.

FROM debian:bookworm-slim AS builder
FROM debian:12.11-slim AS builder


WORKDIR /app

COPY linux-sysmonitor/ .
RUN chmod +x health-check.sh

FROM debian:bookworm-slim
FROM debian:12.11-slim

WORKDIR /app

COPY --from=builder /app/health-check.sh .

RUN apt-get update && apt-get install -y \
RUN apt-get update && \
apt-get install -y --no-install-recommends\
procps \
iputils-ping \
iproute2 \
bash && rm -rf /var/lib/apt/lists/*

RUN useradd --system \
--create-home \
--shell /usr/sbin/nologin \
appuser && \
chown -R appuser:appuser /app

USER appuser

ENTRYPOINT [ "./health-check.sh" ]

32 changes: 32 additions & 0 deletions linux-sysmonitor/security.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
# Security Assessment

## Baseline Scan (linux-sysmonitor:v2)

- Critical: 2
- High: Multiple
- Medium: Multiple
- Low: Multiple

## Hardening Changes

- Pinned base image to `debian:12.11-slim`
- Used `--no-install-recommends`
- Removed apt package cache
- Created dedicated non-root user (`appuser`)
- Configured container to run as `appuser`
- Kept runtime image minimal using a multi-stage build

## Final Scan (linux-sysmonitor:v3)

- Critical: 2
- High: Multiple
- Medium: Multiple
- Low: Multiple

## Comparison

The vulnerability count remained unchanged because the remaining findings originate from Debian base packages and runtime dependencies. Several vulnerabilities are marked by Trivy as `will_not_fix`, `affected`, or `fix_deferred`, indicating that no upstream patched version was available at the time of scanning.

## Conclusion

Although the vulnerability count did not decrease, the image was hardened by following Docker security best practices, including pinning the base image, minimizing installed packages, and running the container as a dedicated non-root user.