modified: README.md

new file:   golang.yml
	modified:   nginx.yml
        new file:   node.yml
	new file:   postgres.yml
	new file:   python.yml
	new file:   redis.yml

README.md

@@ -1,3 +1,5 @@
 # Hardened-Docker-Images
 
-Hardened Docker Images using dhi build provided by docker!
+Hardened Docker Images using dhi build provided by docker!
+
+You can find them on https://docker.chillcog.com

golang.yml

@@ -0,0 +1,38 @@
+# syntax=dhi.io/build:2-alpine3.23
+
+contents:
+  builds:
+    - name: compiler
+      variant: dev
+      packages:
+        - go
+
+variant: runtime
+
+contents:
+  repositories:
+    - https://dl-cdn.alpinelinux.org/alpine/v3.23/main
+  packages:
+    - ca-certificates
+
+accounts:
+  groups:
+    - gid: 65532
+      name: appuser
+  users:
+    - uid: 65532
+      gid: 65532
+      name: appuser
+  run-as: appuser
+
+work-dir: /
+
+environment:
+  PATH: /usr/local/bin:/usr/bin:/bin
+
+entrypoint:
+  - /server
+
+annotations:
+  org.opencontainers.image.title: "hardened-go-runtime"
+  org.opencontainers.image.description: "Attack-surface-free execution environment for compiled Go binaries"

nginx.yml

@@ -21,7 +21,6 @@ accounts:
 environment:
   PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 
-# Custom directory assignments to handle permission drops safely
 paths:
   - path: /var/lib/nginx
     type: directory

node.yml

@@ -0,0 +1,41 @@
+# syntax=dhi.io/build:2-alpine3.23
+
+contents:
+  repositories:
+    - https://dl-cdn.alpinelinux.org/alpine/v3.23/main
+    - https://dl-cdn.alpinelinux.org/alpine/v3.23/community
+  packages:
+    - nodejs
+    - ca-certificates
+
+accounts:
+  groups:
+    - gid: 65532
+      name: node
+  users:
+    - uid: 65532
+      gid: 65532
+      name: node
+  run-as: node
+
+work-dir: /app
+
+paths:
+  - path: /app
+    type: directory
+    uid: 65532
+    gid: 65532
+    permissions: 0755
+
+environment:
+  PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+  NODE_ENV: production
+
+# This assumes your application code is injected via multi-stage builds or an overlay
+entrypoint:
+  - /usr/bin/node
+  - index.js
+
+annotations:
+  org.opencontainers.image.title: "hardened-nodejs"
+  org.opencontainers.image.description: "Secure Node.js runtime image completely free of package managers"

postgres.yml

@@ -0,0 +1,48 @@
+# syntax=dhi.io/build:2-alpine3.23
+
+contents:
+  repositories:
+    - https://dl-cdn.alpinelinux.org/alpine/v3.23/main
+    - https://dl-cdn.alpinelinux.org/alpine/v3.23/community
+  packages:
+    - postgresql16
+    - postgresql16-client
+    - ca-certificates
+    - tzdata
+
+accounts:
+  groups:
+    - gid: 65532
+      name: postgres
+  users:
+    - uid: 65532
+      gid: 65532
+      name: postgres
+  run-as: postgres
+
+work-dir: /var/lib/postgresql
+
+paths:
+  - path: /var/lib/postgresql
+    type: directory
+    uid: 65532
+    gid: 65532
+    permissions: 0700
+  - path: /var/run/postgresql
+    type: directory
+    uid: 65532
+    gid: 65532
+    permissions: 0775
+
+environment:
+  PATH: /usr/lib/postgresql16/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+  PGDATA: /var/lib/postgresql/data
+
+entrypoint:
+  - postgres
+  - -D
+  - /var/lib/postgresql/data
+
+annotations:
+  org.opencontainers.image.title: "hardened-postgres"
+  org.opencontainers.image.description: "Minimal PostgreSQL 16 image stripped of shell utilities"

python.yml

@@ -0,0 +1,51 @@
+# syntax=dhi.io/build:2-alpine3.23
+
+contents:
+  builds:
+    - name: builder
+      variant: dev
+      packages:
+        - python3
+        - py3-pip
+        - build-base
+
+variant: runtime
+
+contents:
+  repositories:
+    - https://dl-cdn.alpinelinux.org/alpine/v3.23/main
+  packages:
+    - python3
+    - ca-certificates
+
+accounts:
+  groups:
+    - gid: 65532
+      name: python
+  users:
+    - uid: 65532
+      gid: 65532
+      name: python
+  run-as: python
+
+work-dir: /app
+
+paths:
+  - path: /app
+    type: directory
+    uid: 65532
+    gid: 65532
+    permissions: 0755
+
+environment:
+  PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+  PYTHONUNBUFFERED: "1"
+  PYTHONDONTWRITEBYTECODE: "1"
+
+entrypoint:
+  - /usr/bin/python3
+  - app.py
+
+annotations:
+  org.opencontainers.image.title: "hardened-python"
+  org.opencontainers.image.description: "Secure Python 3 application execution layer"

redis.yml

@@ -0,0 +1,42 @@
+# syntax=dhi.io/build:2-alpine3.23
+
+contents:
+  repositories:
+    - https://dl-cdn.alpinelinux.org/alpine/v3.23/main
+    - https://dl-cdn.alpinelinux.org/alpine/v3.23/community
+  packages:
+    - redis
+    - ca-certificates
+
+accounts:
+  groups:
+    - gid: 65532
+      name: redis
+  users:
+    - uid: 65532
+      gid: 65532
+      name: redis
+  run-as: redis
+
+work-dir: /data
+
+paths:
+  - path: /data
+    type: directory
+    uid: 65532
+    gid: 65532
+    permissions: 0700
+
+environment:
+  PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+entrypoint:
+  - /usr/bin/redis-server
+  - --protected-mode
+  - "no"
+  - --dir
+  - /data
+
+annotations:
+  org.opencontainers.image.title: "hardened-redis"
+  org.opencontainers.image.description: "Minimal Redis image stripped of critical shells to maximize defense-in-depth"