Merge branch 'main' of github.com:l3montree-dev/devguard

Author: timbastin

Dockerfile

@@ -24,15 +24,17 @@ ENV FLAGS="ldflags='-X main.release=devguard@${GITHUB_REF_NAME}'"
 RUN CGO_ENABLED=0 make devguard
 RUN CGO_ENABLED=0 make devguard-cli
 
-FROM gcr.io/distroless/static-debian12@sha256:b7b9a6953e7bed6baaf37329331051d7bdc1b99c885f6dbeb72d75b1baad54f9
+FROM gcr.io/distroless/static-debian12:nonroot@sha256:cdf4daaf154e3e27cfffc799c16f343a384228f38646928a1513d925f473cb46
+
+USER 53111
 
 WORKDIR /
 
-COPY config/rbac_model.conf /config/rbac_model.conf
-COPY --from=build /go/src/app/devguard /usr/local/bin/devguard
-COPY --from=build /go/src/app/devguard-cli /usr/local/bin/devguard-cli
-COPY templates /templates
-COPY intoto-public-key.pem /intoto-public-key.pem
-COPY cosign.pub /cosign.pub
+COPY --chown=53111:53111 config/rbac_model.conf /config/rbac_model.conf
+COPY --chown=53111:53111 --from=build /go/src/app/devguard /usr/local/bin/devguard
+COPY --chown=53111:53111 --from=build /go/src/app/devguard-cli /usr/local/bin/devguard-cli
+COPY --chown=53111:53111 templates /templates
+COPY --chown=53111:53111 intoto-public-key.pem /intoto-public-key.pem
+COPY --chown=53111:53111 cosign.pub /cosign.pub
 
 CMD ["devguard"]

charts/devguard/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.13.1
+version: 0.13.2
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.

charts/devguard/templates/postgresql/postgresql-deployment.yaml

@@ -16,10 +16,15 @@ spec:
       labels:
         app: postgresql
         version: "{{ .Chart.AppVersion }}"
+    automountServiceAccountToken: false
     spec:
       containers:
       - image: "{{ .Values.api.image.repository }}/postgresql:{{ .Chart.AppVersion }}"
         name: postgresql
+        securityContext:
+          seccompProfile:
+            type: RuntimeDefault
+          allowPrivilegeEscalation: false
         ports:
         - containerPort: 5432
           protocol: TCP

charts/devguard/values.yaml

@@ -44,9 +44,11 @@ api:
     capabilities:
       drop:
         - ALL
-    #readOnlyRootFilesystem: true
-    #runAsNonRoot: true
-    #runAsUser: 1000
+    seccompProfile:
+      type: RuntimeDefault
+    allowPrivilegeEscalation: false
+    runAsNonRoot: true
+    runAsUser: 53111
 
   autoscaling:
     enabled: false

docker-compose-try-it.yaml

@@ -4,6 +4,8 @@ services:
   postgresql:
     image: ghcr.io/l3montree-dev/devguard/postgresql:0.13.4
     container_name: devguard-postgres
+    security_opt:
+      - no-new-privileges:true 
     environment:
       POSTGRES_USER: postgres
       POSTGRES_PASSWORD: password
@@ -23,6 +25,10 @@ services:
 
   kratos-migrate:
     image: oryd/kratos:v1.3.1
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
     depends_on:
       postgresql:
         condition: service_healthy
@@ -39,6 +45,11 @@ services:
   kratos:
     image: oryd/kratos:v1.3.1
     container_name: devguard-kratos
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    user: "53111"
     depends_on:
       postgresql:
         condition: service_healthy
@@ -62,6 +73,11 @@ services:
   devguard-api:
     image: ghcr.io/l3montree-dev/devguard:0.13.4
     container_name: devguard-api
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    user: "53111"
     depends_on:
       postgresql:
         condition: service_healthy
@@ -87,6 +103,10 @@ services:
   devguard-web:
     image: ghcr.io/l3montree-dev/devguard-web:0.13.4
     container_name: devguard-web
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
     depends_on:
       - devguard-api
     ports: