Conversation

@endersonmaia
Contributor

@endersonmaia endersonmaia commented Jan 15, 2026

This pull request updates the SDK's Docker build process and related configuration to improve image security and flexibility. The main changes include switching to hardened base images from a private registry, splitting PostgreSQL images into build and runtime variants, and refining the Dockerfile to streamline dependencies and user creation.

Container base image and registry updates:

  • Switched the default Debian base image from Docker Hub to a hardened image hosted on dhi.io for improved security (packages/sdk/docker-bake.hcl).
  • Added a new GitHub Actions workflow step to log in to the Docker Hardened Registry (dhi.io) before building images (.github/workflows/sdk.yaml).

PostgreSQL image improvements:

  • Split the PostgreSQL base image into separate build and runtime images, using the official image for building and a hardened runtime image from dhi.io for production, with configurable major version support (packages/sdk/docker-bake.hcl, packages/sdk/Dockerfile).
  • Updated the data directory copy step to set correct ownership and permissions, and to use the major version in the path, aligning with best practices for PostgreSQL containers (packages/sdk/Dockerfile).

Dockerfile dependency and user management:

  • Refined the Dockerfile to install only necessary packages for user creation (passwd), then remove them immediately after use to reduce image size and attack surface (packages/sdk/Dockerfile).
  • Cleaned up unnecessary packages in the final image, removing lua5.4 and xz-utils from the runtime dependencies (packages/sdk/Dockerfile).

Build process enhancements:

  • Ensured the /usr/local/bin directory exists before extracting binaries, improving reliability during the build (packages/sdk/Dockerfile).
  • Changed the way the forge binary is included, copying it from a prior build stage instead of downloading it again, which improves build caching and consistency (packages/sdk/Dockerfile).
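The patterns listed above (build/runtime split for PostgreSQL, ownership and version-aware path on the data directory copy, short-lived `passwd` install for user creation, pre-created `/usr/local/bin`, and `COPY --from` for the forge binary) assembled into one multi-stage Dockerfile. This is an added illustration written for this page, not the SDK's own `packages/sdk/Dockerfile`; the dhi.io image paths, the forge image and its binary path, and the presence of `apt-get` and a `postgres` user in the hardened runtime image are placeholders and assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not the project's Dockerfile. PLACEHOLDER_* values must be replaced.

ARG PG_MAJOR=16
ARG PG_BUILD_IMAGE=postgres:${PG_MAJOR}
ARG PG_RUNTIME_IMAGE=dhi.io/PLACEHOLDER_ORG/postgres:${PG_MAJOR}
ARG FORGE_IMAGE=PLACEHOLDER_REGISTRY/forge:PLACEHOLDER_TAG

# Stage 1: the official image is used only at build time, to produce an
# initialised cluster. Nothing from this image ends up in the final layers.
FROM ${PG_BUILD_IMAGE} AS pg-build
ARG PG_MAJOR
# Debian-style layout: the major version is part of the data directory path.
ENV PGDATA=/var/lib/postgresql/${PG_MAJOR}/main
RUN set -eux; \
    mkdir -p "$PGDATA"; \
    chown postgres:postgres "$PGDATA"; \
    chmod 700 "$PGDATA"; \
    # Peer auth for local sockets, SCRAM for TCP; avoids a 'trust' default.
    su postgres -c "initdb --auth-local=peer --auth-host=scram-sha-256 -D $PGDATA"

# Stage 2: forge comes from an already-built image instead of being downloaded
# again, so the layer is cacheable and the binary is the same on every build.
FROM ${FORGE_IMAGE} AS forge

# Stage 3: hardened runtime image from dhi.io (assumed to ship apt-get and a
# postgres user, as the PR's passwd install and data-directory copy imply).
FROM ${PG_RUNTIME_IMAGE} AS runtime
ARG PG_MAJOR

# passwd provides groupadd/useradd. Install, create the unprivileged user, and
# purge it in the same RUN so the tool is not present in the final layer.
RUN set -eux; \
    apt-get update; \
    apt-get install -y --no-install-recommends passwd; \
    groupadd --system --gid 1000 app; \
    useradd --system --uid 1000 --gid app --create-home \
            --shell /usr/sbin/nologin app; \
    apt-get purge -y --auto-remove passwd; \
    rm -rf /var/lib/apt/lists/*

# Make the target directory exist before anything is extracted into it:
# `tar -C /usr/local/bin` fails on a minimal image where the path is absent.
RUN mkdir -p /usr/local/bin
# Binary path inside the forge image is an assumption.
COPY --from=forge /usr/local/bin/forge /usr/local/bin/forge

# Copy the pre-initialised cluster with the ownership and mode PostgreSQL
# enforces on its data directory (postgres-owned, not group/world accessible).
COPY --from=pg-build --chown=postgres:postgres --chmod=700 \
    /var/lib/postgresql/${PG_MAJOR}/main /var/lib/postgresql/${PG_MAJOR}/main
ENV PGDATA=/var/lib/postgresql/${PG_MAJOR}/main

# Unprivileged default user for the SDK tooling; the server itself is started
# by an entrypoint under the postgres account (not shown here).
USER app
```

Two details worth checking when applying this pattern: `--chmod` on a directory `COPY` applies the mode to every copied file, which PostgreSQL accepts (it only checks the data directory itself), and `apt-get purge --auto-remove` in the same `RUN` as the install is what keeps `passwd` out of the image; splitting install and purge across two `RUN` instructions would leave it in an earlier layer.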

@endersonmaia endersonmaia self-assigned this Jan 15, 2026
@endersonmaia endersonmaia requested a review from tuler January 15, 2026 18:44
@changeset-bot

changeset-bot bot commented Jan 15, 2026

⚠️ No Changeset found

Latest commit: 99990bf

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

@endersonmaia endersonmaia force-pushed the feature/use-docker-hardened-images branch from 39b5456 to 9b30309 on January 15, 2026 19:13

Using trivy to scan vulnerabilities in Docker images, we found that:

BEFORE    : Total: 139  (UNKNOWN: 4, LOW: 99, MEDIUM: 31, HIGH: 5, CRITICAL: 0)
AFTER     : Total: 78   (UNKNOWN: 5, LOW: 69, MEDIUM:  3, HIGH: 1, CRITICAL: 0)
Using trivy to scan vulnerabilities in Docker images, we found that:

BEFORE: Total: 97 (UNKNOWN: 2, LOW: 82, MEDIUM: 13, HIGH: 0, CRITICAL: 0)
AFTER : Total: 88 (UNKNOWN: 2, LOW: 76, MEDIUM: 10, HIGH: 0, CRITICAL: 0)

@endersonmaia endersonmaia force-pushed the feature/use-docker-hardened-images branch from c7d4928 to 99990bf on January 15, 2026 20:15
@endersonmaia endersonmaia marked this pull request as ready for review January 15, 2026 20:17
@endersonmaia endersonmaia changed the title feature/use docker hardened images Use docker hardened images Jan 15, 2026