Commit 87d2f1c

Merge pull request #8 from GannaChernyshova/issue-6
changed node 24.9.0 to 24
2 parents 5a16b52 + fbe7eb7 commit 87d2f1c

4 files changed

Lines changed: 39 additions & 41 deletions

.labspace/03-image-scanning.md

Lines changed: 8 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@ The app logic is implemented in the :fileLink[app.js]{path="app.js"} file.
1010

1111
To follow modern best practices, we want to containerize the app and eventually deploy it to production. Before doing so, we must ensure the image is secure by using [Docker Scout](https://www.docker.com/products/docker-scout/)
1212

13-
Our Dockerfile takes a multi-stage build approach and is based on the `node:24.9.0-trixie-slim` image.
13+
Our Dockerfile takes a multi-stage build approach and is based on the `node:24-trixie-slim` image.
1414

1515
**Let’s build our image with SBOM and provenance metadata**
1616
This lab already has a :fileLink[Dockerfile]{path="Dockerfile"}, so you can easily build the image.
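Review bot: moving from `node:24.9.0-trixie-slim` to the floating `node:24-trixie-slim` at 13+ keeps the text from going stale, but it also turns every scan result quoted later in this file into a snapshot that changes whenever the tag moves to a new patch release; a short sentence saying the counts are illustrative and may differ when the reader runs the command would avoid confusion.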
@@ -30,14 +30,11 @@ docker scout quickview $$orgname$$/demo-node-doi:v1
3030
```
3131
You will see similar output:
3232
```plaintext no-copy-button
33-
i Base image was auto-detected. To get more accurate results, build images with max-mode provenance attestations.
34-
Review docs.docker.com ↗ for more information.
33+
Target │ orgname/demo-node-doi:v1 │ 0C 2H 2M 20L
34+
digest │ 771a1b07daa3 │
35+
Base image │ node:24-trixie-slim │ 0C 1H 2M 20L
3536
36-
Target │ demonstrationorg/demo-node-doi:v1 │ 0C 2H 1M 18L
37-
digest │ 66cb8da420d8 │
38-
Base image │ node:24-trixie-slim │ 0C 2H 1M 18L
39-
40-
Policy status FAILED (5/10 policies met, 1 missing data)
37+
Policy status FAILED (6/10 policies met)
4138
4239
Status │ Policy │ Results
4340
─────────┼──────────────────────────────────────────────────────────────────┼──────────────────────────────
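Review bot: the Target row at 33+ uses the literal `orgname/demo-node-doi:v1`, while the command at the top of this hunk uses the `$$orgname$$` placeholder and the old output at 36- rendered it as `demonstrationorg`; settle on one convention for sample output so learners are not left matching two different names for the same image. Dropping the "Base image was auto-detected" hint at 33-/34- is fine only if the lab builds with provenance attestations, which the heading above this block says it does.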
@@ -48,11 +45,10 @@ Policy status FAILED (5/10 policies met, 1 missing data)
4845
✓ │ No embedded secrets (Rego) │ 0 deviations
4946
! │ Fixable critical or high vulnerabilities found │ 0C 2H 0M 0L
5047
✓ │ No high-profile vulnerabilities │ 0C 0H 0M 0L
51-
! │ No unapproved base images │ No data
52-
✓ │ Missing supply chain attestation(s) │ 2 deviations
53-
48+
! │ Unapproved base images found │ 1 deviation
49+
✓ │ Supply chain attestations │ 0 deviations
5450
```
55-
As you can see, there are no CVEs at the application level, but the base image contains 2 high, 1 medium, and 18 low severity CVEs, so it is recommended to be updated. Additionally, the critical policies have failed:
51+
As you can see, there are no CVEs at the application level, but the base image contains a number of high, medium, and low severity CVEs, so it is recommended to be updated. Additionally, the critical policies have failed:
5652

5753
1. No default non-root user found
5854
2. Fixable critical or high vulnerabilities found
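Review bot: the sentence at 51+ still claims there are no CVEs at the application level, but the new quickview output above reports the Target at `0C 2H 2M 20L` against the Base image at `0C 1H 2M 20L`, so one high-severity finding is not inherited from the base; either reword the claim or regenerate the output so the numbers and the prose agree. Replacing the exact counts with "a number of" is sensible given the floating `node:24` tag.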

.labspace/04-switch-to-dhi.md

Lines changed: 23 additions & 21 deletions
@@ -1,20 +1,20 @@
11
# Making the Switch to Docker Hardened Images
22

3-
Switching to a Docker Hardened Image is straightforward. All we need to do is replace the base image `node:24.9.0-trixie-slim` with a DHI equivalent.
3+
Switching to a Docker Hardened Image is straightforward. All we need to do is replace the base image `node:24-trixie-slim` with a DHI equivalent.
44

55
Docker Hardened Images come in two variants:
66

7-
* Dev variant (`$$orgname$$/dhi-node:24.9.0-debian13-dev`) – includes a shell and package managers, making it suitable for building and testing.
8-
* Runtime variant (`$$orgname$$/dhi-node:24.9.0-debian13`) – stripped down to only the essentials, providing a minimal and secure footprint for production.
7+
* Dev variant (`$$orgname$$/dhi-node:24-debian13-dev`) – includes a shell and package managers, making it suitable for building and testing.
8+
* Runtime variant (`$$orgname$$/dhi-node:24-debian13`) – stripped down to only the essentials, providing a minimal and secure footprint for production.
99

1010
This makes them perfect for use in multi-stage Dockerfiles. We can build the app in the dev image, then copy the built application into the runtime image, which will serve as the base for production.
1111

12-
1. Update the `Dockerfile` to use the `$$orgname$$/dhi-node:24.9.0-debian13-dev` as a `dev` stage image and `$$orgname$$/dhi-node:24.9.0-debian13` as a `runtime` image
12+
1. Update the `Dockerfile` to use the `$$orgname$$/dhi-node:24-debian13-dev` as a `dev` stage image and `$$orgname$$/dhi-node:24-debian13` as a `runtime` image
1313
```dockerfile
14-
FROM $$orgname$$/dhi-node:24.9.0-debian13-dev AS dev
14+
FROM $$orgname$$/dhi-node:24-debian13-dev AS dev
1515
```
1616
```dockerfile
17-
FROM $$orgname$$/dhi-node:24.9.0-debian13 AS prod
17+
FROM $$orgname$$/dhi-node:24-debian13 AS prod
1818
```
1919
2. Looking back at the output for the `scout quickview`, the `No default non-root user found` policy was not met. To resolve this we typically need to add a non-root user to the Dockerfile description. The good news is that the DHI comes with a nonroot user built-in, so no changes should be made.
2020

@@ -27,9 +27,9 @@ docker scout quickview $$orgname$$/demo-node-dhi:v1
2727
```
2828
You will see similar output:
2929
```plaintext no-copy-button
30-
Target │ $$orgname$$/demo-node-dhi:v1 │ 0C 0H 0M 0L
31-
digest │ cec31e6f0a36
32-
Base image │ $$orgname$$/dhi-node:24.9.0-debian13 │
30+
Target │ orgname/demo-node-dhi:v1 │ 0C 0H 0M 0L
31+
digest │ cec31e6f0a36 │
32+
Base image │ orgname/dhi-node:24-debian13
3333
3434
Policy status SUCCESS (9/9 policies met)
3535
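Review bot: the box drawing at 31+/32+ is uneven: the digest row gained a trailing `│` but the Base image row lost the one it had at 32-, so the three rows no longer line up. The Target row at 30+ also has the same `orgname/` versus `$$orgname$$` inconsistency with the `docker scout quickview $$orgname$$/demo-node-dhi:v1` command at the top of this hunk.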
@@ -49,34 +49,36 @@ Hooray! There are zero CVEs and policy violations now!
4949

5050
**Let’s look at the image size and package count advantages of using distroless Hardened Images.**
5151

52-
Docker Scout offers a helpful command `docker scout compare` that allows you to analyze and compare two images. We’ll use it to evaluate the difference in size and package footprint between `node:24.9.0-trixie-slim` and `dhi-node:24.9.0-debian13` based images.
52+
Docker Scout offers a helpful command `docker scout compare` that allows you to analyze and compare two images. We’ll use it to evaluate the difference in size and package footprint between `node:24-trixie-slim` and `dhi-node:24-debian13` based images.
5353
```bash
5454
docker scout compare local://$$orgname$$/demo-node-dhi:v1 --to local://$$orgname$$/demo-node-doi:v1
5555
```
56-
You will see a similar summary in the output:
56+
Scroll up the output and you will see a similar summary:
5757
```plaintext no-copy-button
5858
## Overview
5959
6060
│ Analyzed Image │ Comparison Image
6161
────────────────────┼─────────────────────────────────────────────┼──────────────────────────────────────────────
62-
Target │ local://demonstrationorg/demo-node-dhi:v1 │ local://demonstrationorg/demo-node-doi:v1
62+
Target │ local://orgname/demo-node-dhi:v1 │ local://orgname/demo-node-doi:v1
6363
digest │ e5b9ec7a980c │ 66cb8da420d8
6464
tag │ v1 │ v1
6565
platform │ linux/arm64 │ linux/arm64
66-
vulnerabilities │ 0C 0H 0M 8L │ 0C 2H 1M 18L
67-
│ -2 -1 -10
68-
size │ 59 MB (-41 MB) │ 100 MB
69-
packages │ 648 (-248) │ 896
66+
vulnerabilities │ 0C 0H 0M 8L │ 0C 2H 2M 20L
67+
│ -2 -2 -20
68+
size │ 59 MB (-40 MB) │ 97 MB
69+
packages │ 648 (-214) │ 858
7070
│ │
71-
Base image │ demonstrationorg/dhi-node-smontri:24 │ node:24-trixie-slim
71+
Base image │ orgname/dhi-node:24 │ node:24-trixie-slim
7272
tags │ also known as │ also known as
73-
│ │ • current-trixie-slim
74-
│ │ • trixie-slim
75-
vulnerabilities │ 0C 0H 0M 0L │ 0C 2H 1M 18L
73+
│ │ • 24.11-trixie-slim
74+
│ │ • 24.11.1-trixie-slim
75+
| | • krypton-trixie-slim
76+
| | • lts-trixie-slim
77+
vulnerabilities │ 0C 0H 0M 0L │ 0C 1H 2M 20L
7678
7779
```
7880

79-
As you can see, the `dhi-node:24.9.0-debian13`–based image is **41 MB (around 40%) smaller**, contains **248 fewer packages**, and has nearly **zero CVEs** compared to the original `node:24.9.0-trixie-slim`–based image.
81+
As you can see, the `dhi-node:24-debian13`–based image is **40 MB (around 40%) smaller**, contains **214 fewer packages**, and has nearly **zero CVEs** compared to the original `node:24-trixie-slim`–based image.
8082

8183
**Validate that the app works as expected**
8284

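Review bot: rows 75+ and 76+ use ASCII `|` where every other row of this table uses the `│` box-drawing character, so the two new "also known as" rows will render misaligned; switch them to `│`. Two consistency points as well: the comparison-image digest on the unchanged line 63 (`66cb8da420d8`) no longer matches the `771a1b07daa3` digest this PR places in the 03 quickview output for the same `demo-node-doi:v1` image, and the Base image row at 71+ reads `orgname/dhi-node:24` while the prose at 81+ names `dhi-node:24-debian13`. Regenerating both chapters' outputs from the same build would keep them in step.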
.labspace/05-compliance.md

Lines changed: 6 additions & 6 deletions
@@ -4,9 +4,9 @@
44

55
In addition to providing a minimal and secure base image, Docker Hardened Images include a comprehensive set of attestations.
66

7-
You can run the following command to see the full list of attestations for `dhi-node:24.9.0-debian13`:
7+
You can run the following command to see the full list of attestations for `dhi-node:24-debian13`:
88
```bash
9-
docker scout attest list $$orgname$$/dhi-node:24.9.0-debian13
9+
docker scout attest list $$orgname$$/dhi-node:24-debian13
1010
```
1111
In the output you will see the list of available attestations, such as:
1212
* CycloneDX SBOM (A software bill of materials in CycloneDX format, listing components, libraries, and versions.)
@@ -26,7 +26,7 @@ In the output you will see the list of available attestations, such as:
2626

2727
DHI provides SBOMs in the CycloneDX, SPDX, or Scout formats. To view a specific SBOM file, such as the SPDX SBOM that is widely adopted in open-source ecosystems, you can use the `docker scout attest get` command:
2828
```bash
29-
docker scout attest get $$orgname$$/dhi-node:24.9.0-debian13 \
29+
docker scout attest get $$orgname$$/dhi-node:24-debian13 \
3030
--predicate-type https://spdx.dev/Document
3131
```
3232

@@ -36,9 +36,9 @@ FIPS 140 compliance is required or strongly recommended in many regulated enviro
3636

3737
DHIs include variants that use cryptographic modules validated under FIPS 140.
3838

39-
You can retrieve and inspect the FIPS attestation for the `$$orgname$$/dhi-node:24.9.0-debian13-fips` using the Docker Scout CLI:
39+
You can retrieve and inspect the FIPS attestation for the `$$orgname$$/dhi-node:24-debian13-fips` using the Docker Scout CLI:
4040
```bash
41-
docker scout attest get --predicate-type https://docker.com/dhi/fips/v0.1 --predicate $$orgname$$/dhi-node:24.9.0-debian13-fips
41+
docker scout attest get --predicate-type https://docker.com/dhi/fips/v0.1 --predicate $$orgname$$/dhi-node:24-debian13-fips
4242
```
4343
In the output you'll see the CMVP # and the FIPS Provider name, for example:
4444
```plaintext no-copy-button
@@ -55,7 +55,7 @@ Docker also provides a signed STIG scan attestation for each STIG-hardened image
5555

5656
You can retrieve and inspect a STIG scan attestation using the Docker Scout CLI:
5757
```bash
58-
docker scout attest get --predicate-type https://docker.com/dhi/stig/v0.1 --predicate $$orgname$$/dhi-node:24.9.0-debian13-fips
58+
docker scout attest get --predicate-type https://docker.com/dhi/stig/v0.1 --predicate $$orgname$$/dhi-node:24-debian13-fips
5959
```
6060
**Integration with external security tools**
6161

Dockerfile

Lines changed: 2 additions & 2 deletions
@@ -1,4 +1,4 @@
1-
FROM node:24.9.0-trixie-slim AS dev
1+
FROM node:24-trixie-slim AS dev
22

33
ENV BLUEBIRD_WARNINGS=0 \
44
NODE_ENV=production \
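Review bot: `node:24-trixie-slim` at 1+ is a mutable tag, so two builds of this Dockerfile can resolve to different base digests and the scan results shown in the lab chapters will not be reproducible; consider pinning the tag with a digest (`FROM node:24-trixie-slim@sha256:<digest> AS dev`, digest to be filled in when refreshed) and noting how to update it, or at minimum stating in the lab that results vary as the tag moves.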
@@ -22,7 +22,7 @@ COPY . .
2222

2323

2424
#-- Prod stage --
25-
FROM node:24.9.0-trixie-slim AS prod
25+
FROM node:24-trixie-slim AS prod
2626

2727
WORKDIR /app
2828
