modified: README.md

new file: golang.yml modified: nginx.yml new file: node.yml new file: postgres.yml new file: python.yml new file: redis.yml
2026-06-30 03:10:55 -07:00
parent 424d1b5718
commit 5367063499
7 changed files with 223 additions and 2 deletions
@@ -1,3 +1,5 @@
 # Hardened-Docker-Images
-Hardened Docker Images using dhi build provided by docker!
+Hardened Docker Images using dhi build provided by docker!
 You can find them on https://docker.chillcog.com
@@ -0,0 +1,38 @@
 # syntax=dhi.io/build:2-alpine3.23
 contents:
  builds:
    - name: compiler
      variant: dev
      packages:
        - go
 variant: runtime
 contents:
  repositories:
    - https://dl-cdn.alpinelinux.org/alpine/v3.23/main
  packages:
    - ca-certificates
 accounts:
  groups:
    - gid: 65532
      name: appuser
  users:
    - uid: 65532
      gid: 65532
      name: appuser
  run-as: appuser
 work-dir: /
 environment:
  PATH: /usr/local/bin:/usr/bin:/bin
 entrypoint:
  - /server
 annotations:
  org.opencontainers.image.title: "hardened-go-runtime"
  org.opencontainers.image.description: "Attack-surface-free execution environment for compiled Go binaries"
@@ -21,7 +21,6 @@ accounts:
 environment:
  PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 # Custom directory assignments to handle permission drops safely
 paths:
  - path: /var/lib/nginx
    type: directory
@@ -0,0 +1,41 @@
 # syntax=dhi.io/build:2-alpine3.23
 contents:
  repositories:
    - https://dl-cdn.alpinelinux.org/alpine/v3.23/main
    - https://dl-cdn.alpinelinux.org/alpine/v3.23/community
  packages:
    - nodejs
    - ca-certificates
 accounts:
  groups:
    - gid: 65532
      name: node
  users:
    - uid: 65532
      gid: 65532
      name: node
  run-as: node
 work-dir: /app
 paths:
  - path: /app
    type: directory
    uid: 65532
    gid: 65532
    permissions: 0755
 environment:
  PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  NODE_ENV: production
 # This assumes your application code is injected via multi-stage builds or an overlay
 entrypoint:
  - /usr/bin/node
  - index.js
 annotations:
  org.opencontainers.image.title: "hardened-nodejs"
  org.opencontainers.image.description: "Secure Node.js runtime image completely free of package managers"
@@ -0,0 +1,48 @@
 # syntax=dhi.io/build:2-alpine3.23
 contents:
  repositories:
    - https://dl-cdn.alpinelinux.org/alpine/v3.23/main
    - https://dl-cdn.alpinelinux.org/alpine/v3.23/community
  packages:
    - postgresql16
    - postgresql16-client
    - ca-certificates
    - tzdata
 accounts:
  groups:
    - gid: 65532
      name: postgres
  users:
    - uid: 65532
      gid: 65532
      name: postgres
  run-as: postgres
 work-dir: /var/lib/postgresql
 paths:
  - path: /var/lib/postgresql
    type: directory
    uid: 65532
    gid: 65532
    permissions: 0700
  - path: /var/run/postgresql
    type: directory
    uid: 65532
    gid: 65532
    permissions: 0775
 environment:
  PATH: /usr/lib/postgresql16/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  PGDATA: /var/lib/postgresql/data
 entrypoint:
  - postgres
  - -D
  - /var/lib/postgresql/data
 annotations:
  org.opencontainers.image.title: "hardened-postgres"
  org.opencontainers.image.description: "Minimal PostgreSQL 16 image stripped of shell utilities"
@@ -0,0 +1,51 @@
 # syntax=dhi.io/build:2-alpine3.23
 contents:
  builds:
    - name: builder
      variant: dev
      packages:
        - python3
        - py3-pip
        - build-base
 variant: runtime
 contents:
  repositories:
    - https://dl-cdn.alpinelinux.org/alpine/v3.23/main
  packages:
    - python3
    - ca-certificates
 accounts:
  groups:
    - gid: 65532
      name: python
  users:
    - uid: 65532
      gid: 65532
      name: python
  run-as: python
 work-dir: /app
 paths:
  - path: /app
    type: directory
    uid: 65532
    gid: 65532
    permissions: 0755
 environment:
  PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  PYTHONUNBUFFERED: "1"
  PYTHONDONTWRITEBYTECODE: "1"
 entrypoint:
  - /usr/bin/python3
  - app.py
 annotations:
  org.opencontainers.image.title: "hardened-python"
  org.opencontainers.image.description: "Secure Python 3 application execution layer"
@@ -0,0 +1,42 @@
 # syntax=dhi.io/build:2-alpine3.23
 contents:
  repositories:
    - https://dl-cdn.alpinelinux.org/alpine/v3.23/main
    - https://dl-cdn.alpinelinux.org/alpine/v3.23/community
  packages:
    - redis
    - ca-certificates
 accounts:
  groups:
    - gid: 65532
      name: redis
  users:
    - uid: 65532
      gid: 65532
      name: redis
  run-as: redis
 work-dir: /data
 paths:
  - path: /data
    type: directory
    uid: 65532
    gid: 65532
    permissions: 0700
 environment:
  PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 entrypoint:
  - /usr/bin/redis-server
  - --protected-mode
  - "no"
  - --dir
  - /data
 annotations:
  org.opencontainers.image.title: "hardened-redis"
  org.opencontainers.image.description: "Minimal Redis image stripped of critical shells to maximize defense-in-depth"