security: Harden Docker image and CI pipeline (OWASP Docker Security compliance) (#1060)

Increase docker security

Author: BenjaminMichaelis

.github/workflows/Build-Test-And-Deploy.yml

@@ -63,6 +63,28 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v4
 
+      - name: Generate NuGet auth config for Docker build
+        if: github.event_name != 'pull_request' && github.event_name != 'merge_group'
+        env:
+          NUGET_AUTH_TOKEN: ${{ secrets.AZURE_DEVOPS_PAT }}
+        run: |
+          cat > /tmp/nuget-auth.config << EOF
+          <?xml version="1.0" encoding="utf-8"?>
+          <configuration>
+            <packageSources>
+              <clear />
+              <add key="nuget" value="https://api.nuget.org/v3/index.json" />
+              <add key="EssentialCSharp" value="https://pkgs.dev.azure.com/intelliTect/_packaging/EssentialCSharp/nuget/v3/index.json" />
+            </packageSources>
+            <packageSourceCredentials>
+              <EssentialCSharp>
+                <add key="Username" value="docker" />
+                <add key="ClearTextPassword" value="${NUGET_AUTH_TOKEN}" />
+              </EssentialCSharp>
+            </packageSourceCredentials>
+          </configuration>
+          EOF
+
 # Build but no push with a PR
       - name: Docker build (no push)
         if: github.event_name == 'pull_request' || github.event_name == 'merge_group'
@@ -71,6 +93,8 @@ jobs:
           push: false
           tags: temp-pr-validation
           file: ./EssentialCSharp.Web/Dockerfile
+          context: .
+          build-args: ACCESS_TO_NUGET_FEED=false
 
       - name: Build Container Image
         if: github.event_name != 'pull_request_target' && github.event_name != 'pull_request'
@@ -80,7 +104,7 @@ jobs:
           file: ./EssentialCSharp.Web/Dockerfile
           context: .
           secrets: |
-            "nuget_auth_token=${{ secrets.AZURE_DEVOPS_PAT }}"
+            "id=nugetconfig,src=/tmp/nuget-auth.config"
           outputs: type=docker,dest=${{ github.workspace }}/essentialcsharpwebimage.tar
           cache-from: type=gha
           cache-to: type=gha,mode=max
@@ -90,6 +114,10 @@ jobs:
           name: essentialcsharpwebimage
           path: ${{ github.workspace }}/essentialcsharpwebimage.tar
 
+      - name: Clean up NuGet auth config
+        if: always()
+        run: rm -f /tmp/nuget-auth.config
+
   deploy-development:
     if: github.event_name != 'pull_request_target' && github.event_name != 'pull_request'
     runs-on: ubuntu-latest

EssentialCSharp.Web/Dockerfile

@@ -1,11 +1,11 @@
 #syntax=docker/dockerfile:1.2
 
-FROM mcr.microsoft.com/dotnet/aspnet:10.0 AS base
+FROM mcr.microsoft.com/dotnet/aspnet:10.0-noble-chiseled AS base
 WORKDIR /app
 EXPOSE 8080
 EXPOSE 8081
 
-FROM node:25-bookworm-slim AS frontend-build
+FROM node:24-bookworm-slim AS frontend-build
 WORKDIR /frontend/EssentialCSharp.Web
 COPY EssentialCSharp.Web/package.json EssentialCSharp.Web/package-lock.json ./
 RUN npm ci
@@ -15,20 +15,20 @@ RUN npm run build
 FROM mcr.microsoft.com/dotnet/sdk:10.0.203 AS build
 ARG ACCESS_TO_NUGET_FEED=true
 ENV ACCESS_TO_NUGET_FEED=$ACCESS_TO_NUGET_FEED
-RUN sh -c "$(curl -fsSL https://aka.ms/install-artifacts-credprovider.sh)"
 WORKDIR /src
 COPY . .
 COPY --from=frontend-build /frontend/EssentialCSharp.Web/wwwroot/dist ./EssentialCSharp.Web/wwwroot/dist
-RUN --mount=type=secret,id=nuget_auth_token \
-    if [ "$ACCESS_TO_NUGET_FEED" = "true" ]; then \
-      auth_token=$(cat /run/secrets/nuget_auth_token) && \
-      export VSS_NUGET_EXTERNAL_FEED_ENDPOINTS="{\"endpointCredentials\": [{\"endpoint\":\"https://pkgs.dev.azure.com/intelliTect/_packaging/EssentialCSharp/nuget/v3/index.json\", \"password\":\"$auth_token\"}]}"; \
+RUN --mount=type=secret,id=nugetconfig \
+    if [ "$ACCESS_TO_NUGET_FEED" = "true" ] && [ -f /run/secrets/nugetconfig ]; then \
+      dotnet restore "EssentialCSharp.Web.slnx" --configfile /run/secrets/nugetconfig -p:AccessToNugetFeed=$ACCESS_TO_NUGET_FEED; \
+    else \
+      dotnet restore "EssentialCSharp.Web.slnx" -p:AccessToNugetFeed=$ACCESS_TO_NUGET_FEED; \
     fi && \
-    dotnet restore "EssentialCSharp.Web.slnx" -p:AccessToNugetFeed=$ACCESS_TO_NUGET_FEED && \
     dotnet build "EssentialCSharp.Web.slnx" -c Release --no-restore -p:AccessToNugetFeed=$ACCESS_TO_NUGET_FEED -p:ReleaseDateAttribute=True -p:SkipFrontendBuild=true && \
     dotnet publish "EssentialCSharp.Web.slnx" -c Release -p:PublishDir=/app/publish -p:UseAppHost=false -p:SkipFrontendBuild=true --no-build
 
 FROM base AS final
 WORKDIR /app
 COPY --from=build /app/publish .
+USER app
 ENTRYPOINT ["dotnet", "EssentialCSharp.Web.dll"]