diff --git a/README.md b/README.md
index 23deb0c..b738462 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,5 @@
 # Hardened-Docker-Images
-Hardened Docker Images using dhi build provided by docker!
\ No newline at end of file
+Hardened Docker Images using dhi build provided by docker!
+
+You can find them on https://docker.chillcog.com
diff --git a/golang.yml b/golang.yml
new file mode 100644
index 0000000..2c0cc76
--- /dev/null
+++ b/golang.yml
@@ -0,0 +1,38 @@
+# syntax=dhi.io/build:2-alpine3.23
+
+contents:
+ builds:
+ - name: compiler
+ variant: dev
+ packages:
+ - go
+
+variant: runtime
+
+contents:
+ repositories:
+ - https://dl-cdn.alpinelinux.org/alpine/v3.23/main
+ packages:
+ - ca-certificates
+
+accounts:
+ groups:
+ - gid: 65532
+ name: appuser
+ users:
+ - uid: 65532
+ gid: 65532
+ name: appuser
+ run-as: appuser
+
+work-dir: /
+
+environment:
+ PATH: /usr/local/bin:/usr/bin:/bin
+
+entrypoint:
+ - /server
+
+annotations:
+ org.opencontainers.image.title: "hardened-go-runtime"
+ org.opencontainers.image.description: "Attack-surface-free execution environment for compiled Go binaries"
\ No newline at end of file
diff --git a/nginx.yml b/nginx.yml
index a9493d9..fa7b7ff 100644
--- a/nginx.yml
+++ b/nginx.yml
@@ -21,7 +21,6 @@ accounts:
 environment:
 PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-# Custom directory assignments to handle permission drops safely
 paths:
 - path: /var/lib/nginx
 type: directory
diff --git a/node.yml b/node.yml
new file mode 100644
index 0000000..25a2400
--- /dev/null
+++ b/node.yml
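Review bot: `contents:` appears twice at the top level of golang.yml, once holding `builds:` and once holding the runtime `repositories:`/`packages:`; if the dhi frontend parses the file as a single YAML document a duplicate mapping key is either rejected or resolved last-wins, which would silently drop the `compiler` stage, so confirm against the dhi build reference whether stages must instead be separate documents (a `---` between `variant: runtime` and the second `contents:`). Nothing in the hunk copies a build output into the runtime stage, yet `entrypoint` is `/server`, so as written the image has no binary at that path; the step that produces `/server` from the `compiler` stage appears to be missing. The runtime package set is only `ca-certificates`, so a cgo-linked binary or one needing `tzdata` would also fail at runtime; a comment above `entrypoint` such as `# expects a statically linked binary at /server (build with CGO_ENABLED=0)` would make the contract explicit.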
@@ -0,0 +1,41 @@
+# syntax=dhi.io/build:2-alpine3.23
+
+contents:
+ repositories:
+ - https://dl-cdn.alpinelinux.org/alpine/v3.23/main
+ - https://dl-cdn.alpinelinux.org/alpine/v3.23/community
+ packages:
+ - nodejs
+ - ca-certificates
+
+accounts:
+ groups:
+ - gid: 65532
+ name: node
+ users:
+ - uid: 65532
+ gid: 65532
+ name: node
+ run-as: node
+
+work-dir: /app
+
+paths:
+ - path: /app
+ type: directory
+ uid: 65532
+ gid: 65532
+ permissions: 0755
+
+environment:
+ PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ NODE_ENV: production
+
+# This assumes your application code is injected via multi-stage builds or an overlay
+entrypoint:
+ - /usr/bin/node
+ - index.js
+
+annotations:
+ org.opencontainers.image.title: "hardened-nodejs"
+ org.opencontainers.image.description: "Secure Node.js runtime image completely free of package managers"
\ No newline at end of file
diff --git a/postgres.yml b/postgres.yml
new file mode 100644
index 0000000..321c3bf
--- /dev/null
+++ b/postgres.yml
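Review bot: `/app` is created in `paths:` owned by uid/gid 65532 with 0755 while `run-as: node` runs the process as that same uid, so the application code under `work-dir: /app` is writable by the process executing it and a compromised app can rewrite its own `index.js` to persist. For a hardened image the code directory should be root-owned and read-only to the runtime user — `uid: 0`, `gid: 0`, `permissions: 0755` — with a separate writable path declared only if the application needs one. The `# This assumes your application code is injected …` comment is useful; it would be worth extending it to say that the overlay must keep `index.js` owned by root. Separately, `/usr/bin/node` runs directly as PID 1 with no init in this image; whether it terminates cleanly on `docker stop` is not something the hunk shows, so confirm it before publishing.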
@@ -0,0 +1,48 @@
+# syntax=dhi.io/build:2-alpine3.23
+
+contents:
+ repositories:
+ - https://dl-cdn.alpinelinux.org/alpine/v3.23/main
+ - https://dl-cdn.alpinelinux.org/alpine/v3.23/community
+ packages:
+ - postgresql16
+ - postgresql16-client
+ - ca-certificates
+ - tzdata
+
+accounts:
+ groups:
+ - gid: 65532
+ name: postgres
+ users:
+ - uid: 65532
+ gid: 65532
+ name: postgres
+ run-as: postgres
+
+work-dir: /var/lib/postgresql
+
+paths:
+ - path: /var/lib/postgresql
+ type: directory
+ uid: 65532
+ gid: 65532
+ permissions: 0700
+ - path: /var/run/postgresql
+ type: directory
+ uid: 65532
+ gid: 65532
+ permissions: 0775
+
+environment:
+ PATH: /usr/lib/postgresql16/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ PGDATA: /var/lib/postgresql/data
+
+entrypoint:
+ - postgres
+ - -D
+ - /var/lib/postgresql/data
+
+annotations:
+ org.opencontainers.image.title: "hardened-postgres"
+ org.opencontainers.image.description: "Minimal PostgreSQL 16 image stripped of shell utilities"
\ No newline at end of file
diff --git a/python.yml b/python.yml
new file mode 100644
index 0000000..f379914
--- /dev/null
+++ b/python.yml
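Review bot: `PGDATA` and the `-D` argument both point at `/var/lib/postgresql/data`, but `paths:` only creates `/var/lib/postgresql` and nothing in the hunk runs `initdb`, so a container started from this image as-is exits at `postgres -D` on a missing data directory; the image evidently expects a pre-initialized volume owned by uid 65532, and that contract belongs in a comment above `entrypoint`, e.g. `# no initdb wrapper: mount an initialized cluster at /var/lib/postgresql/data, owned by 65532`. The 0700 set here does not carry over to a mounted volume, and because there is no wrapper writing `pg_hba.conf`, whoever runs `initdb` should be told to pass `--auth-host=scram-sha-256` (initdb otherwise defaults to `trust`). `- postgres` is the only entrypoint across these files resolved through `PATH` rather than an absolute path; `/usr/lib/postgresql16/bin/postgres` would match the others and not depend on `PATH` being preserved by the runtime. Also, `permissions: 0700` / `0775` are unquoted: a YAML 1.1 loader reads them as octal, a YAML 1.2 loader as decimal 700/775 — if the dhi schema accepts strings, `"0700"` removes the ambiguity; otherwise confirm which loader the frontend uses.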
@@ -0,0 +1,51 @@
+# syntax=dhi.io/build:2-alpine3.23
+
+contents:
+ builds:
+ - name: builder
+ variant: dev
+ packages:
+ - python3
+ - py3-pip
+ - build-base
+
+variant: runtime
+
+contents:
+ repositories:
+ - https://dl-cdn.alpinelinux.org/alpine/v3.23/main
+ packages:
+ - python3
+ - ca-certificates
+
+accounts:
+ groups:
+ - gid: 65532
+ name: python
+ users:
+ - uid: 65532
+ gid: 65532
+ name: python
+ run-as: python
+
+work-dir: /app
+
+paths:
+ - path: /app
+ type: directory
+ uid: 65532
+ gid: 65532
+ permissions: 0755
+
+environment:
+ PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ PYTHONUNBUFFERED: "1"
+ PYTHONDONTWRITEBYTECODE: "1"
+
+entrypoint:
+ - /usr/bin/python3
+ - app.py
+
+annotations:
+ org.opencontainers.image.title: "hardened-python"
+ org.opencontainers.image.description: "Secure Python 3 application execution layer"
\ No newline at end of file
diff --git a/redis.yml b/redis.yml
new file mode 100644
index 0000000..0aa2f4d
--- /dev/null
+++ b/redis.yml
@@ -0,0 +1,42 @@
+# syntax=dhi.io/build:2-alpine3.23
+
+contents:
+ repositories:
+ - https://dl-cdn.alpinelinux.org/alpine/v3.23/main
+ - https://dl-cdn.alpinelinux.org/alpine/v3.23/community
+ packages:
+ - redis
+ - ca-certificates
+
+accounts:
+ groups:
+ - gid: 65532
+ name: redis
+ users:
+ - uid: 65532
+ gid: 65532
+ name: redis
+ run-as: redis
+
+work-dir: /data
+
+paths:
+ - path: /data
+ type: directory
+ uid: 65532
+ gid: 65532
+ permissions: 0700
+
+environment:
+ PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+entrypoint:
+ - /usr/bin/redis-server
+ - --protected-mode
+ - "no"
+ - --dir
+ - /data
+
+annotations:
+ org.opencontainers.image.title: "hardened-redis"
+ org.opencontainers.image.description: "Minimal Redis image stripped of critical shells to maximize defense-in-depth"
\ No newline at end of file
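Review bot: python.yml has the same duplicate top-level `contents:` key as golang.yml — the `builder` stage (`py3-pip`, `build-base`) and the runtime `packages:` are two values for one key, and a single-document YAML parse either rejects that or keeps only the last — so confirm the dhi build syntax actually allows it, or separate the stages with `---` if that is what the format expects. Even if the builder stage survives, nothing in the hunk copies its installed site-packages into the runtime stage, so every third-party dependency has to be overlaid by the consumer; node.yml carries a comment saying exactly that above its `entrypoint`, and this file should too. `/app` is owned by uid 65532, the same uid `run-as: python` executes as, which makes `app.py` writable by the process that runs it; `uid: 0`, `gid: 0`, `permissions: 0755` keeps the code read-only to the runtime user, and fits `PYTHONDONTWRITEBYTECODE: "1"`, which already signals the interpreter should not be writing there.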
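Review bot: `--protected-mode` / `"no"` in the redis.yml entrypoint disables the one default safeguard Redis has against unauthenticated remote access: with protected mode off, no `bind`, and no `requirepass`, the server accepts commands from any client that can reach port 6379, which inside a container network is typically every neighbouring workload. For an image described as hardened, drop those two entrypoint items and keep the default (`yes`); if the flag was added because Redis refused connections from non-loopback clients, that refusal is the protection working, and the fix is for consumers to supply `--requirepass` (or a config file with `bind`/`aclfile`) at run time — say so in a comment above `entrypoint`. Because the whole command line lives in `entrypoint`, consumers also cannot append or override flags with `docker run … <args>` without replacing the entrypoint; keeping only `/usr/bin/redis-server` in `entrypoint` and moving `--dir /data` to a `cmd:`-style default, if the dhi format provides one, would make the defaults overridable.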