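--- a/.github/workflows/sdk.yaml
+++ b/.github/workflows/sdk.yaml
@@ -22,7 +22,7 @@ jobs:
 meta:
 runs-on: ubuntu-latest
 strategy:
-matrix:
+matrix: &target-matrix
 target:
 - rollups-database
 - rollups-runtime
@@ -50,7 +50,7 @@ jobs:
 type=ref,event=pr
 
 - name: Upload bake definition file
-uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
 with:
 name: docker-metadata-${{ matrix.target }}
 path: ${{ steps.meta.outputs.bake-file }}
@@ -63,7 +63,7 @@ jobs:
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
 - name: Download all docker-metadata artifacts
-uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
 with:
 path: packages/sdk/
 
@@ -83,6 +83,13 @@ jobs:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 
+- name: Login to Docker Hardened Registry
+uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+with:
+registry: dhi.io
+username: ${{ secrets.DOCKERHUB_USERNAME }}
+password: ${{ secrets.DOCKERHUB_TOKEN }}
+
 - name: Build and push
 uses: docker/bake-action@3acf805d94d93a86cce4ca44798a76464a75b88c # v6.9.0
 if: ${{ !startsWith(github.ref, 'refs/tags/sdk@') }}
@@ -103,6 +110,7 @@ jobs:
 *.cache-from=type=gha
 *.cache-to=type=gha,mode=max
 push: true
+sbom: true
 
 - uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0
 - name: Build and push (depot)
@@ -122,3 +130,42 @@ jobs:
 ./docker-metadata-rollups-runtime/docker-metadata-action-bake.json
 ./docker-metadata-rollups-database/docker-metadata-action-bake.json
 push: true
+sbom: true
+
+scout:
+runs-on: ubuntu-latest
+needs:
+- build
+- meta
+strategy:
+fail-fast: false
+matrix: *target-matrix
+permissions:
+contents: read
+packages: read
+name: docker-scout-${{ matrix.target }}
+steps:
+- name: Login to GitHub Container Registry
+uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+with:
+registry: ghcr.io
+username: ${{ github.actor }}
+password: ${{ secrets.GITHUB_TOKEN }}
+
+- name: Login to DockerHub
+uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+with:
+username: ${{ secrets.DOCKERHUB_USERNAME }}
+password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+- name: Docker Scout
+id: docker-scout
+if: ${{ github.event_name == 'pull_request' }}
+uses: docker/scout-action@8910519cee8ac046f3ee99686b0dc6654d5ba1a7 # v1.20.3
+with:
+command: quickview,cves
+image: ghcr.io/cartesi/${{ matrix.target }}:pr-${{ github.event.pull_request.number }}
+ignore-base: true
+ignore-unchanged: true
+only-severities: critical,high
+github-token: ${{ secrets.GITHUB_TOKEN }}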
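Review bot: The new `scout` job's `permissions` block grants only `contents: read` and `packages: read`, which leaves `pull-requests` at none, yet the Docker Scout step is handed `github-token` — if, as that action presumably does by default, it uses the token to post its findings as a PR comment, the write will be rejected by the token's scope; add `pull-requests: write` under `permissions:` (or disable the comment explicitly) so the intended behavior is stated in the workflow. The `if: ${{ github.event_name == 'pull_request' }}` guard sits on the Scout step only, so on every non-PR run the job still executes both registry logins with `DOCKERHUB_USERNAME`/`DOCKERHUB_TOKEN` and then does nothing; hoisting the condition to the job level (`scout:` … `if: ${{ github.event_name == 'pull_request' }}`) avoids exposing the secrets to a job that has no work. For pull requests opened from forks those secrets are empty, so the "Login to DockerHub" step would fail before Scout runs — whether fork PRs are expected here is not visible in this diff, but if they are, the Docker Hub login should be made conditional or the job restricted to same-repo PRs. The `sbom: true` additions to both bake steps are a good step; consider pairing them with `provenance: true` so the published attestation also records the build inputs the new digest-pinned bases come from.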
27 changes: 16 additions & 11 deletions packages/sdk/Dockerfile
@@ -1,11 +1,12 @@
# syntax=docker.io/docker/dockerfile:1
ARG CARTESI_BASE_IMAGE
ARG POSTGRES_BASE_IMAGE
ARG POSTGRES_BASE_BUILD_IMAGE
ARG POSTGRES_BASE_RUNTIME_IMAGE
ARG NODE_VERSION

################################################################################
# base image
FROM ${CARTESI_BASE_IMAGE} AS base

Check warning on line 9 in packages/sdk/Dockerfile

Default value for global ARG results in an empty or invalid base image name

InvalidDefaultArgInFrom: Default value for ARG ${CARTESI_BASE_IMAGE} results in empty or invalid base image name More info: https://docs.docker.com/go/dockerfile/rule/invalid-default-arg-in-from/
SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
ARG DEBIAN_FRONTEND=noninteractive
RUN <<EOF
Expand Down Expand Up @@ -65,6 +66,7 @@
ARG FOUNDRY_VERSION
ARG TARGETARCH
ARG TARGETOS
WORKDIR /usr/local/bin
RUN <<EOF
mkdir -p /usr/local/bin
curl -fsSL https://github.com/foundry-rs/foundry/releases/download/v${FOUNDRY_VERSION}/foundry_v${FOUNDRY_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz \
Expand Down Expand Up @@ -102,6 +104,7 @@
ARG TINI_VERSION
ARG TARGETARCH
RUN <<EOF
mkdir -p /usr/local/bin
case "${TARGETARCH}" in
amd64)
curl -fsSL https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-${TARGETARCH} \
Expand All @@ -124,6 +127,7 @@
ARG TARGETARCH
WORKDIR /tmp
RUN <<EOF
mkdir -p /usr/local/bin
curl -fsSL https://dl.influxdata.com/telegraf/releases/telegraf-${TELEGRAF_VERSION}_linux_${TARGETARCH}.tar.gz \
-o ./telegraf.tar.gz;
case "${TARGETARCH}" in
Expand All @@ -149,11 +153,8 @@
apt-get install -y --no-install-recommends \
libslirp0 \
lua5.4
rm -rf /var/lib/apt/lists/*
EOF

RUN <<EOF
set -e
# create cartesi user
useradd \
--comment "cartesi user" \
--no-create-home \
Expand All @@ -163,6 +164,8 @@
--uid 102 \
--user-group \
cartesi

rm -rf /var/lib/apt/lists/*
EOF

# Install cartesi-machine emulator
Expand Down Expand Up @@ -212,7 +215,7 @@

################################################################################
# postgresql initdb
FROM ${POSTGRES_BASE_IMAGE} AS postgresql-initdb
FROM ${POSTGRES_BASE_BUILD_IMAGE} AS postgresql-initdb

Check warning on line 218 in packages/sdk/Dockerfile

Default value for global ARG results in an empty or invalid base image name

InvalidDefaultArgInFrom: Default value for ARG ${POSTGRES_BASE_BUILD_IMAGE} results in empty or invalid base image name More info: https://docs.docker.com/go/dockerfile/rule/invalid-default-arg-in-from/

ARG DEBIAN_FRONTEND=noninteractive
RUN <<EOF
Expand All @@ -225,7 +228,7 @@
COPY --from=rollups-runtime /usr/bin/cartesi-rollups-cli /usr/bin/
COPY --from=rollups-runtime /usr/lib/libcartesi* /usr/lib/

ARG POSTGRES_PASSWORD=password

Check warning on line 231 in packages/sdk/Dockerfile

Sensitive data should not be used in the ARG or ENV commands

SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ARG "POSTGRES_PASSWORD") More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/

# create rollupsdb databases
COPY <<EOF /docker-entrypoint-initdb.d/00-createdb.sql
Expand All @@ -245,12 +248,16 @@

################################################################################
# rollups-database image
FROM ${POSTGRES_BASE_IMAGE} AS rollups-database
COPY --from=postgresql-initdb /var/lib/postgresql/data /var/lib/postgresql/data
FROM ${POSTGRES_BASE_RUNTIME_IMAGE} AS rollups-database

Check warning on line 251 in packages/sdk/Dockerfile

Default value for global ARG results in an empty or invalid base image name

InvalidDefaultArgInFrom: Default value for ARG ${POSTGRES_BASE_RUNTIME_IMAGE} results in empty or invalid base image name More info: https://docs.docker.com/go/dockerfile/rule/invalid-default-arg-in-from/
ARG POSTGRES_MAJOR_VERSION
COPY --from=postgresql-initdb \
--chown=postgres:postgres \
--chmod=750 \
/var/lib/postgresql/data /var/lib/postgresql/${POSTGRES_MAJOR_VERSION}/data

################################################################################
# alto build
FROM node:${NODE_VERSION} AS alto

Check warning on line 260 in packages/sdk/Dockerfile

Default value for global ARG results in an empty or invalid base image name

InvalidDefaultArgInFrom: Default value for ARG node:${NODE_VERSION} results in empty or invalid base image name More info: https://docs.docker.com/go/dockerfile/rule/invalid-default-arg-in-from/
ARG ALTO_VERSION
ARG NODE_VERSION
ARG TARGETARCH
Expand Down Expand Up @@ -318,9 +325,7 @@
liblzo2-2 \
libslirp0 \
locales \
lua5.4 \
xxd \
xz-utils
xxd
rm -rf /var/lib/apt/lists/*
EOF

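Review bot: In the `rollups-database` stage (hunk `@@ -245,12 +248,16 @@`) the initialized cluster is now copied out of `postgresql-initdb`, which is built on `${POSTGRES_BASE_BUILD_IMAGE}` (`docker.io/library/postgres:17-bookworm` in the bake file), into a runtime based on a different build, `${POSTGRES_BASE_RUNTIME_IMAGE}` (`dhi.io/postgres:17-debian12`); a data directory is only portable across builds when the major version and the build-time options (page and WAL segment size, collation provider and libc/ICU versions) match, so that assumption should be written down next to the `COPY --from=postgresql-initdb` line, e.g. `# data dir was initdb'd by POSTGRES_BASE_BUILD_IMAGE; runtime image must be the same major with compatible collation/page-size options`. Note that `--chmod=750` on that `COPY` applies to every copied file, not just the directory — acceptable to the server, but worth a word in the same comment. Separately, the CI annotation on line 231 shows `ARG POSTGRES_PASSWORD=password` still present on the new side of the `@@ -225,7 +228,7 @@` hunk; if that value is what `initdb` seeds, the cluster shipped inside `rollups-database` carries a known default credential, so either drop the default and require the build arg, or add a comment stating that the password is rotated at container start. The `WORKDIR /usr/local/bin` added in the Foundry stage makes the `mkdir -p /usr/local/bin` that follows it redundant, since `WORKDIR` creates the directory.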
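--- a/packages/sdk/docker-bake.hcl
+++ b/packages/sdk/docker-bake.hcl
@@ -8,7 +8,7 @@ target "default" {
 args = {
 ALTO_VERSION = "1.2.7"
 ALTO_PACKAGE_VERSION = "0.0.20"
-CARTESI_BASE_IMAGE = "docker.io/library/debian:bookworm-20260223-slim@sha256:74d56e3931e0d5a1dd51f8c8a2466d21de84a271cd3b5a733b803aa91abf4421"
+CARTESI_BASE_IMAGE = "dhi.io/debian-base:bookworm-dev@sha256:b39f7bdc82227f2bdf985dc53e6a051047f0f07c346b58966c09b8d3fe557224"
 CARTESI_DEVNET_VERSION = "2.0.0-alpha.11"
 CARTESI_IMAGE_KERNEL_VERSION = "0.20.0"
 CARTESI_LINUX_KERNEL_VERSION = "6.5.13-ctsi-1-v0.20.0"
@@ -20,7 +20,9 @@ target "default" {
 NITRO_VERSION = "8c376d4a5baa7f32999620f9fe3eb51ca8e0dcbc" # v0.5
 NODE_VERSION = "24.14.0"
 NVM_VERSION = "977563e97ddc66facf3a8e31c6cff01d236f09bd" # 0.40.3
-POSTGRES_BASE_IMAGE = "docker.io/library/postgres:17-bookworm@sha256:ed736a0232f124704e442614fa13a042c4471b76af79dc74ddcf72023e351ed2"
+POSTGRES_MAJOR_VERSION = "17"
+POSTGRES_BASE_BUILD_IMAGE = "docker.io/library/postgres:17-bookworm@sha256:c141933f34b7fd6819478e1fa2106c262999c0af1e2cdbf0b4727b53fb194a77"
+POSTGRES_BASE_RUNTIME_IMAGE = "dhi.io/postgres:17-debian12@sha256:2e24c142f136f29d8c08d0f3a973462302425bd1b52e337908df4f9a0895bf55"
 SQUASHFS_TOOLS_VERSION = "bad1d213ab6df587d6fa0ef7286180fbf7b86167" # 4.7.4
 SU_EXEC_VERSION = "0.3"
 TELEGRAF_VERSION = "1.38.0"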
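--- a/packages/sdk/package.json
+++ b/packages/sdk/package.json
@@ -3,6 +3,7 @@
 "private": true,
 "version": "0.12.0-alpha.37",
 "scripts": {
-"build": "docker buildx bake --load --metadata-file=build.json"
+"build": "docker buildx bake --load --metadata-file=build.json",
+"digest-update": "../../.github/scripts/update-image-digests.sh ./docker-bake.hcl"
 }
 }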