fix: run Docker container as non-root user (closes #34)
- Switch to gcr.io/distroless/cc-debian12:nonroot - Add explicit USER 65534:65534 directive - Add Docker security CI job verifying non-root UID, :nonroot base, and USER directive - Document CIS Docker Benchmark compliance in SECURITY.md - Add tests and edge cases for container security
This commit is contained in:
argenis de la rosa
parent
cc08f4bfff
commit
76074cb789
14 changed files with 2270 additions and 168 deletions
66
.dockerignore
Normal file
66
.dockerignore
Normal file
|
|
@ -0,0 +1,66 @@
|
|||
# Git history (may contain old secrets)
|
||||
.git
|
||||
.gitignore
|
||||
.githooks
|
||||
|
||||
# Rust build artifacts (can be multiple GB)
|
||||
target
|
||||
|
||||
# Documentation and examples (not needed for runtime)
|
||||
docs
|
||||
examples
|
||||
tests
|
||||
|
||||
# Markdown files (README, CHANGELOG, etc.)
|
||||
*.md
|
||||
|
||||
# Images (unnecessary for build)
|
||||
*.png
|
||||
*.svg
|
||||
*.jpg
|
||||
*.jpeg
|
||||
*.gif
|
||||
|
||||
# SQLite databases (conversation history, cron jobs)
|
||||
*.db
|
||||
*.db-journal
|
||||
|
||||
# macOS artifacts
|
||||
.DS_Store
|
||||
.AppleDouble
|
||||
.LSOverride
|
||||
|
||||
# CI/CD configs (not needed in image)
|
||||
.github
|
||||
|
||||
# Cargo deny config (lint tool, not runtime)
|
||||
deny.toml
|
||||
|
||||
# License file (not needed for runtime)
|
||||
LICENSE
|
||||
|
||||
# Temporary files
|
||||
.tmp_*
|
||||
*.tmp
|
||||
*.bak
|
||||
*.swp
|
||||
*~
|
||||
|
||||
# IDE and editor configs
|
||||
.idea
|
||||
.vscode
|
||||
*.iml
|
||||
|
||||
# Windsurf workflows
|
||||
.windsurf
|
||||
|
||||
# Environment files (may contain secrets)
|
||||
.env
|
||||
.env.*
|
||||
!.env.example
|
||||
|
||||
# Coverage and profiling
|
||||
*.profraw
|
||||
*.profdata
|
||||
coverage
|
||||
lcov.info
|
||||
Loading…
Add table
Add a link
Reference in a new issue