Merged
24 changes: 21 additions & 3 deletions README.md
@@ -1,18 +1,36 @@
# secure-gemini

This repository contains a minimal, security-conscious Docker image for running the Google Gemini CLI (`@google/gemini-cli`). The image is built on `node:alpine`, uses a non-root user, upgrades base packages, updates npm, and runs `npm audit` during the image build as a security gate.
This repository contains a minimal, security-harneded Docker image for running the Google Gemini CLI (`@google/gemini-cli`). The image is built on `node:22-alpine`, uses a non-root user, upgrades base packages, updates npm, and runs `npm audit` during the image build as a security gate.

The entire configuration is designed with a "security-as-code" philosophy, ensuring a reliable and verifiable process for building and maintaining a secure tool.

---

## Security Features

This project isn't just a `Dockerfile`; it's a complete, secure software lifecycle.

- ✅ **Hardened Base Image:** Built on `node:22-alpine` and patches OS packages (`apk upgrade`) during the build to mitigate known vulnerabilities.
- ✅ **Supply Chain Scanned:** Runs `npm audit` as a mandatory, blocking security gate during the Docker build.
- ✅ **Least Privilege:** Creates and runs as a dedicated, unprivileged `appuser` instead of `root`.
- ✅ **Continuous Vulnerability Scanning:** A GitHub Actions workflow (`pr-scan.yml`) automatically scans every pull request with Trivy to prevent new vulnerabilities from being merged.
- ✅ **Automated Dependency Management:** Dependabot is configured to automatically create pull requests for updates to the base image, `npm` packages, and the CI/CD actions themselves.
- ✅ **Formal Security Policies:** Includes a `SECURITY.md` file with a clear policy for vulnerability reporting.

## What is included

- `Dockerfile` — audited build that performs `apk` upgrades, updates `npm`, creates a non-root user, installs dependencies from `package.json`, runs `npm audit`, and sets the `ENTRYPOINT` to `npx gemini`.
- `package.json` — minimal file with a dependency on `@google/gemini-cli`.
- `.github/workflows/build-scan.yml` — GitHub Actions workflow that builds the Docker image and scans it with Trivy on push to `main`.
- **`.github/workflows/`**: Contains two authoritative workflows:
- **`pr-scan.yml`**: Builds and scans every pull request.
- **`release.yml`**: Securely publishes a new versioned image to a container registry upon the creation of a GitHub Release.
- **`.github/dependabot.yml`**: Configuration for automated dependency updates.
- **`SECURITY.md`**: The official security policy for the project.
```

- The Dockerfile runs `npm audit` during build. In CI you may want to tune the audit policy or run more advanced supply-chain scanning.
- The image runs as a non-root user. Confirm that any filesystem paths and environment variables used by `gemini` are writable by `appuser`.
```markdown

## Image summary (from last local scan)

- Image: `secure-gemini-cli:latest`
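Review bot: The rewritten intro sentence misspells "security-hardened" as "security-harneded"; please fix it before it ships in the README. Further down, the bare triple-backtick line after the `SECURITY.md` bullet and the triple-backtick `markdown` line before "## Image summary" look like leftover fences: as written they wrap the two notes bullets in a code block and open a second fence over the rest of the file, so both should be dropped. The `pr-scan.yml` and `release.yml` entries are shown at the same level as their parent `.github/workflows/` bullet and need indenting to render as a nested list. If the `build-scan.yml` bullet is kept, it no longer matches the two workflows named under `.github/workflows/`. Finally, the "Supply Chain Scanned" bullet calls `npm audit` a mandatory, blocking gate while the notes say the audit policy may need tuning in CI; stating the audit level that actually fails the build would make the claim checkable.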