REST API built with Python/Flask, with a hardened container build and signed releases.

- 0 Critical/High CVEs (Trivy + Docker Scout)
- Cosign signature (SHA256 digest)
- Non-root container (CIS Docker Benchmark 4.1)
- Git Flow with versioned tags
| Check | Status | Command |
|---|---|---|
| Vulnerabilities | ✅ 0 Critical/High | trivy image iamnotlins/taskforge:v3 |
| Signature | ✅ Valid | cosign verify --key docs/security/keys/cosign.pub iamnotlins/taskforge:v3 |
| Non-root | ✅ appuser, UID 1000 | docker run --rm iamnotlins/taskforge:v3 id |
| Git tag | ✅ v3 | git tag -l v3 |
- Python 3.14.3-alpine3.23: minimal base image (18 MB)
- Flask: web framework
- Gunicorn: production WSGI server
- SQLite: lightweight database for development
- Docker: containerization
- Docker Compose: orchestration
- Cosign: cryptographic image signing
- Trivy: vulnerability scanner
```text
TaskForge/
├── app/                     # Flask application
├── docs/security/           # 🔒 Security documentation
│   ├── keys/cosign.pub      # Public key for signature verification
│   └── release-v3.md        # History of the fixes
├── .trivyignore             # Accepted CVEs, each with a justification
├── .gitignore               # keeps the private cosign.key out of the repo
├── dockerfile               # Alpine image + non-root user
├── compose.yml              # Production-ready orchestration
└── requirements.txt         # Pinned dependencies
```
Verify the image before using it. The scans check for known CVEs; `cosign verify` checks the signature against the public key committed in the repo, and the digest it reports should match the one published in this README.

```bash
docker scout cves iamnotlins/taskforge:v3
trivy image --ignorefile .trivyignore iamnotlins/taskforge:v3
cosign verify --key docs/security/keys/cosign.pub iamnotlins/taskforge:v3
```
Run with Docker Compose:

```bash
docker compose up -d
curl http://localhost:5000
docker compose logs -f
docker compose down
```

Or run the published image directly:

```bash
docker run -d -p 5000:5000 --name taskforge iamnotlins/taskforge:v3
curl http://localhost:5000
docker logs taskforge
docker rm -f taskforge
```

Build and scan locally:

```bash
docker build -t taskforge:local .
docker scout cves taskforge:local
trivy image taskforge:local
docker run -p 5000:5000 taskforge:local
```
Dockerfile excerpt (the hardening-relevant instructions). Dockerfile has no end-of-line comments: a `#` after `FROM` or `USER` is parsed as an extra argument and fails the build, so those comments sit on their own lines; after a shell-form `RUN` the shell swallows the `#`, so those are harmless. The UID is set explicitly because BusyBox `adduser -S` otherwise picks one from the system range, which would make the "UID 1000" check above non-deterministic.

```dockerfile
# python:3.14.3-alpine3.23: 18MB, 0 Critical CVEs
FROM python:3.14.3-alpine3.23
RUN apk upgrade --no-cache                        # OS patches
RUN pip install --no-cache-dir --upgrade pip      # Fix CVE-2026-1703
# Alpine ships BusyBox addgroup/adduser, not groupadd/useradd; -u pins the UID
RUN addgroup -S appgroup && adduser -S -u 1000 -G appgroup appuser
# (application COPY and dependency install steps are not shown in this excerpt)
# CIS Docker Benchmark 4.1: do not run as root
USER appuser
CMD ["gunicorn", "--bind", "0.0.0.0:5000", "--workers", "3", "wsgi:app"]
```
| Problem in v1 | Fix in v3 | Impact |
|---|---|---|
| python:3.11 (full image) | python:3.14.3-alpine3.23 | -24MB, -20 CVEs |
| groupadd/useradd | addgroup/adduser | Build works on Alpine |
| No USER instruction | USER appuser | Non-root execution |
| pip 25.3 | pip 26.0 | CVE-2026-1703 fixed |
Full verification (vulnerabilities, secrets, signature). Anything listed in `.trivyignore` is excluded from the first Trivy run, so review that file as part of the check:

```bash
docker scout cves iamnotlins/taskforge:v3
trivy image --ignorefile .trivyignore iamnotlins/taskforge:v3
trivy image --scanners secret iamnotlins/taskforge:v3
cosign verify --key docs/security/keys/cosign.pub iamnotlins/taskforge:v3
```

A successful `cosign verify` reports:

```text
The cosign claims were validated
Existence in transparency log verified
Signatures match public key
```
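The checks above can be combined into one release gate that also pins the digest: a tag such as `:v3` is mutable, and a re-pushed image signed with the same key would still pass a bare `cosign verify`. The script below is an added example, not part of TaskForge. It assumes `trivy`, `cosign` and `docker` are on PATH; the image reference, key path and digest are the ones published in this README, and the `SAMPLE_*` fixtures are constructed data, not real tool output.

```python
"""Release gate: ship only if the image is clean, signed, digest-pinned and non-root.

Added example (not TaskForge code). Assumes trivy, cosign and docker are on PATH.
IMAGE, PUBKEY and EXPECTED_DIGEST are taken from the README; the SAMPLE_* fixtures
are constructed test data, not real scanner or cosign output.
"""
import json
import subprocess
import sys

IMAGE = "iamnotlins/taskforge:v3"
PUBKEY = "docs/security/keys/cosign.pub"
# Tags are mutable; pin the digest the README publishes for v3.
EXPECTED_DIGEST = "sha256:f0e7ecebf1b0bc8c2589082e06a8403a99433fbe358f14509b4aa214be1cc43f"
BLOCKING = {"CRITICAL", "HIGH"}


def blocking_vulns(report: dict) -> list[str]:
    """IDs of CRITICAL/HIGH findings in a `trivy image -f json` report."""
    ids = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:   # key absent when clean
            if vuln.get("Severity") in BLOCKING:
                ids.append(vuln["VulnerabilityID"])
    return ids


def signed_digests(payloads: list) -> set[str]:
    """Digests covered by `cosign verify -o json` (simple-signing payloads)."""
    return {p["critical"]["image"]["docker-manifest-digest"] for p in payloads}


def runs_as_non_root(id_output: str) -> bool:
    """Interpret the output of `id -u` run inside the container."""
    uid = id_output.strip()
    return uid.isdigit() and int(uid) != 0


def evaluate(report: dict, payloads: list, id_output: str, expected: str) -> list[str]:
    """Return the gate failures; an empty list means the image may ship."""
    failures = []
    vulns = blocking_vulns(report)
    if vulns:
        failures.append("blocking CVEs: " + ", ".join(vulns))
    if not payloads:
        failures.append("no valid cosign signature")
    elif expected not in signed_digests(payloads):
        # Valid signature, but over a different image: the tag was re-pushed.
        failures.append("signed digest differs from pinned digest")
    if not runs_as_non_root(id_output):
        failures.append("container runs as root")
    return failures


def run(cmd: list[str]) -> str:
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def main() -> int:
    report = json.loads(run(["trivy", "image", "-q", "-f", "json",
                             "--ignorefile", ".trivyignore", IMAGE]))
    try:
        payloads = json.loads(run(["cosign", "verify", "--key", PUBKEY, "-o", "json", IMAGE]))
    except subprocess.CalledProcessError:
        payloads = []  # cosign exits non-zero when no signature verifies
    id_output = run(["docker", "run", "--rm", "--entrypoint", "id", IMAGE, "-u"])
    failures = evaluate(report, payloads, id_output, EXPECTED_DIGEST)
    for failure in failures:
        print("FAIL:", failure, file=sys.stderr)
    return 1 if failures else 0


# Constructed fixtures (not real output) so the decision logic runs offline.
SAMPLE_TRIVY_CLEAN = {"Results": [{"Target": IMAGE, "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-00001", "Severity": "MEDIUM"}]}]}
SAMPLE_TRIVY_DIRTY = {"Results": [{"Target": IMAGE, "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-00001", "Severity": "MEDIUM"},
    {"VulnerabilityID": "CVE-0000-00002", "Severity": "HIGH"}]}]}
_REF = {"docker-reference": "index.docker.io/iamnotlins/taskforge"}
SAMPLE_COSIGN_OK = [{"critical": {"identity": _REF, "type": "cosign container image signature",
                                  "image": {"docker-manifest-digest": EXPECTED_DIGEST}},
                     "optional": None}]
SAMPLE_COSIGN_RETAGGED = [{"critical": {"identity": _REF, "type": "cosign container image signature",
                                        "image": {"docker-manifest-digest": "sha256:" + "0" * 64}},
                           "optional": None}]

if __name__ == "__main__":
    sys.exit(main())
```

Run it from the repository root (where `.trivyignore` and `docs/security/keys/cosign.pub` live); a non-zero exit blocks the deploy. The decision logic is kept in pure functions so it can be tested without the external tools.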
| Tag | Status | GitHub | Docker Hub |
|---|---|---|---|
| v1 | Legacy (known CVEs) | git tag v1 | iamnotlins/taskforge:v1 |
| v2 | Obsolete | - | iamnotlins/taskforge:v2 |
| v3 | Production | git tag v3 | iamnotlins/taskforge:v3 |

Image digest (v3); pin deployments to this rather than to the mutable `v3` tag:

```text
sha256:f0e7ecebf1b0bc8c2589082e06a8403a99433fbe358f14509b4aa214be1cc43f
```
```text
main    ──●─(v3)─●           # production
develop ───●──────────       # development
```

Upcoming features follow the flow: develop → feature/xxx → merge → main → tag
Quick start:

```bash
git clone https://github.com/iamnotlins/taskforge.git &&
cd taskforge &&
docker compose up -d &&
curl http://localhost:5000/health
```