#1322 add support for hardened container environments #1323
Conversation
@lukibahr do you think it would be worth exploring the use of the chainguard image? A quick scan with Trivy reveals there are a number of vulnerabilities in the nginxinc image, whereas the chainguard image has none at the moment. Caveat: with all vuln scans, it's common to see an alarming list of CVEs, and then review them and realize they are all irrelevant to your own usage (but that still requires the time commitment). Only downside is we would need to contact Chainguard for an OSS license to access specific versions (the https://images.chainguard.dev/directory/image/nginx/versions
@olivercodes I was considering the chainguard image too, however I faced the license issue you've mentioned as well. If we're ok with the latest image (which is what we are doing more or less, using nginx-alpine:stable, which is also not directly pinned), I could update the MR. For accessing specific versions of chainguard, I do not know the workflow or process for how this works with chainguard.
@lukibahr @camcash17 I opened a dialogue with Chainguard but they don't currently have an OSS policy. Sounds like they may be open to it but it may take a while to work out the details. Probably good to merge this and then come back to it when we have something more solid.
I second that! In the meantime, I'll test the chainguard image with the latest tag.
@olivercodes @camcash17 Any news from your side? I suggest we merge the change and check chainguard images later.
+1, good to merge @camcash17 |
Thanks for the contribution @lukibahr! |
@ccasher will the updated image be published in dockerhub? Can't find a newer container image than release-2024-02-11 |
@lukibahr, apologies for the delay. doing a release now so should be available for you momentarily! |
Description of Change
This change hardens the container to use the nginxinc/nginx-unprivileged:1.25 image for getting the container up and running in a hardened environment, where privileged containers are not allowed or capabilities are restricted.
#1322
Checklist (Please refrain from using --no-verify)
Notes
This applies for the frontend (client) application only. Configuration changes for the helm templates are not included.
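As an added illustration (not part of this PR or the project's own Helm templates), this is the kind of restricted pod spec the change targets: a Deployment fragment whose securityContext forbids running as root, drops every capability and keeps the root filesystem read-only. A stock nginx image fails under these constraints because it binds port 80 and writes its pid file and cache as root, whereas nginxinc/nginx-unprivileged listens on 8080 as the non-root nginx user. The image tag is the one from the PR; the Deployment name, labels, the 8080 listen port and the writable mount paths are assumptions about the unprivileged image's defaults.

```yaml
# Added example: frontend Deployment constrained the way a hardened cluster
# (e.g. the "restricted" Pod Security Standard) would require.
# Name and labels are assumed; they are not from the project.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: frontend
spec:
  replicas: 1
  selector:
    matchLabels:
      app: frontend
  template:
    metadata:
      labels:
        app: frontend
    spec:
      # Pod level: refuse to start any container that would run as uid 0.
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: nginx
          image: nginxinc/nginx-unprivileged:1.25   # image from the PR
          ports:
            - containerPort: 8080   # assumed: unprivileged image listens on 8080, not 80
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]   # no NET_BIND_SERVICE, so port 80 could not be bound anyway
          # With a read-only root filesystem nginx still needs scratch space
          # for its cache, temp files and pid file. Paths are assumptions
          # about where the unprivileged image writes by default.
          volumeMounts:
            - name: cache
              mountPath: /var/cache/nginx
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: cache
          emptyDir: {}
        - name: tmp
          emptyDir: {}
```

If the pod fails to start after the image swap, the container's log will typically name the exact path or port it could not open, which points straight at the missing writable mount or the wrong containerPort.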
© 2021 Thoughtworks, Inc.