
fix(security): harden Dockerfile and example terraform#178

Open
oto-macenauer-absa wants to merge 1 commit into master from security/dockerfile-tf-hardening

Conversation


@oto-macenauer-absa oto-macenauer-absa commented Jun 22, 2026

Collaborator

Resolves three Trivy/AquaSec findings.

Changes

Release notes

  • Change user for the container to app (was root)
  • Clear the dnf cache after the packages are installed

Testing

  • docker build --platform=linux/arm64 succeeds (exit 0).
  • Container runs as uid=1000(app) (verified via id).
  • Python runtime + native libs (librdkafka/confluent-kafka, psycopg2) import cleanly as non-root.
  • Remaining local invoke error is placeholder conf (ssl_ca_bundle: /path/to/ca-bundle.pem + redacted IdP URL), unrelated to these changes.

Closes #173, #175, #177

Summary by CodeRabbit

  • Chores
    • Improved container security by implementing non-root user execution
    • Optimized image build process with enhanced cleanup steps
    • Restricted network egress in example infrastructure configurations to HTTPS only

- Dockerfile: add 'dnf clean all' to shrink image (AVD-DS-0019, #175)
- Dockerfile: run as non-root user uid 1000 (AVD-DS-0002, #173)
- terraform_examples: replace unrestricted egress with dummy
  restricted CIDR/port; example-only, prod egress governed by
  org-managed policies (AVD-AWS-0104, #177)
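As an added example (not the project's Dockerfile, Terraform or CI, and not Trivy's own code), the following Python script approximates the three Trivy rules named in the description and commit message above and runs them over a constructed weak/hardened Dockerfile pair and a constructed allow-all/HTTPS-only egress rule pair. The base image reference, the useradd/groupadd commands, the paths and the 203.0.113.10/32 dummy CIDR are assumptions made for the example.

```python
"""Toy re-implementation of the three Trivy misconfiguration checks resolved
by this PR (AVD-DS-0002, AVD-DS-0019, AVD-AWS-0104), run over constructed
inputs.  Added example; not the project's files.  Base image, user-creation
commands, paths and the dummy CIDR are assumptions."""
import re

# Constructed "before" Dockerfile: installs with dnf, never cleans, stays root.
WEAK_DOCKERFILE = """\
FROM example.invalid/lambda-python:3.12
RUN dnf install -y gcc librdkafka-devel
COPY app/ ${LAMBDA_TASK_ROOT}/
CMD ["app.handler"]
"""

# Constructed "after" Dockerfile mirroring the PR: cache cleaned in the same
# layer as the install, app user uid/gid 1000 owning the task root, USER set
# before CMD.  (useradd/groupadd availability in the base image is assumed.)
HARDENED_DOCKERFILE = """\
FROM example.invalid/lambda-python:3.12
RUN dnf install -y gcc librdkafka-devel \\
    && dnf clean all && rm -rf /var/cache/dnf
COPY app/ ${LAMBDA_TASK_ROOT}/
RUN groupadd -g 1000 app && useradd -u 1000 -g 1000 -m -d /home/app app \\
    && chown -R 1000:1000 ${LAMBDA_TASK_ROOT}
USER 1000
CMD ["app.handler"]
"""

# Constructed egress rules: the allow-all original and the TCP-443-only
# replacement pointing at a dummy TEST-NET-3 /32.
WEAK_EGRESS = """\
resource "aws_vpc_security_group_egress_rule" "allow_all_traffic_ipv4" {
  security_group_id = aws_security_group.lambda.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1"
}
"""

RESTRICTED_EGRESS = """\
resource "aws_vpc_security_group_egress_rule" "allow_https_egress_ipv4" {
  security_group_id = aws_security_group.lambda.id
  cidr_ipv4         = "203.0.113.10/32"  # constructed dummy, replace per deployment
  from_port         = 443
  to_port           = 443
  ip_protocol       = "tcp"
}
"""


def _instructions(dockerfile: str):
    """Yield (INSTRUCTION, argument) pairs; joins backslash continuations and
    skips comments and blank lines (good enough for flat Dockerfiles)."""
    joined = re.sub(r"\\\n", " ", dockerfile)
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, arg = line.partition(" ")
        yield name.upper(), arg.strip()


def check_non_root_user(dockerfile: str) -> bool:
    """AVD-DS-0002: the last USER instruction wins; it must exist and must not
    be root or uid 0 ("1000:1000" is read as user "1000")."""
    user = None
    for name, arg in _instructions(dockerfile):
        if name == "USER":
            user = arg.split(":", 1)[0]
    return user is not None and user not in ("root", "0")


def check_dnf_cache_cleaned(dockerfile: str) -> bool:
    """AVD-DS-0019: every RUN that installs with dnf must clean the cache in the
    same layer; a clean-up in a later RUN leaves the cache in the earlier layer."""
    for name, arg in _instructions(dockerfile):
        if name == "RUN" and re.search(r"\bdnf\b[^&|;]*\binstall\b", arg):
            if "dnf clean all" not in arg:
                return False
    return True


_RULE_RE = re.compile(
    r'resource\s+"aws_vpc_security_group_egress_rule"\s+"(\w+)"\s*\{(.*?)\n\}', re.S)


def egress_rules(tf: str) -> list[dict]:
    """Toy HCL reader: flat `key = value` attributes of each egress-rule block
    (no nested blocks, no expressions); values keep their quotes stripped."""
    rules = []
    for m in _RULE_RE.finditer(tf):
        attrs = {"name": m.group(1)}
        for line in m.group(2).splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" in line:
                key, value = (s.strip() for s in line.split("=", 1))
                attrs[key] = value.strip('"')
        rules.append(attrs)
    return rules


def public_egress_rules(tf: str) -> list[str]:
    """AVD-AWS-0104 (approximation): names of egress rules whose destination is
    the entire IPv4 or IPv6 internet, whatever port or protocol they allow."""
    return [r["name"] for r in egress_rules(tf)
            if r.get("cidr_ipv4") == "0.0.0.0/0" or r.get("cidr_ipv6") == "::/0"]


def findings(dockerfile: str, tf: str) -> list[str]:
    """Finding IDs a scanner would report for the pair; an empty list is clean."""
    out = []
    if not check_non_root_user(dockerfile):
        out.append("AVD-DS-0002")
    if not check_dnf_cache_cleaned(dockerfile):
        out.append("AVD-DS-0019")
    out.extend(f"AVD-AWS-0104:{name}" for name in public_egress_rules(tf))
    return out


if __name__ == "__main__":
    print("before:", findings(WEAK_DOCKERFILE, WEAK_EGRESS))
    print("after: ", findings(HARDENED_DOCKERFILE, RESTRICTED_EGRESS))
```

Two caveats the checks encode: the dnf rule is evaluated per RUN instruction because a `dnf clean all` in a later layer does not remove the cache already committed to the earlier one, and the USER rule takes the last USER instruction, so any later `USER root` reintroduces the finding. On the Terraform side, a /32 dummy destination satisfies the scanner but also blocks every real outbound call the Lambda makes (IdP, brokers, database), so the placeholder has to be replaced with the actual destinations when the example is adapted.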
@coderabbitai

coderabbitai Bot commented Jun 22, 2026

Contributor


Walkthrough

The Dockerfile adds dnf clean all and /var/cache/dnf removal after the build workspace cleanup, then creates an app user/group (UID/GID 1000), sets ownership on the Lambda task root and certificate directories, and switches to USER 1000. The Terraform Lambda example replaces the allow-all egress rule with a TCP-443-only rule to a restricted dummy CIDR.

Changes

Container and Network Security Hardening

Layer / File(s) | Summary
DNF cache cleanup and non-root user setup (Dockerfile) | Expands post-build cleanup to run dnf clean all and delete /var/cache/dnf. Adds app user/group (UID/GID 1000), creates /home/app, chowns ${LAMBDA_TASK_ROOT}, /opt/certs, and /opt/sasl_ssl_artifacts, then sets USER 1000 as the runtime user.
Terraform example egress restricted to HTTPS (terraform_examples/lambda.tf) | Replaces the allow-all IPv4 egress rule (protocol -1, 0.0.0.0/0) with aws_vpc_security_group_egress_rule.allow_https_egress_ipv4 scoped to TCP port 443 on a restricted dummy /32 CIDR, with added comments marking the rule as illustrative.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 A rabbit once ran as root, oh my!
Now app user hops—no root to defy.
The cache swept clean, the ports locked tight,
HTTPS only, secured just right.
No all-traffic egress, no root to fear—
The carrot is safe, and the warren is clear! 🥕

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title clearly and concisely summarizes the main security hardening changes to both the Dockerfile and Terraform configuration.
Linked Issues check | ✅ Passed | The pull request addresses the core requirement of issue #173 by implementing a non-root USER instruction with uid 1000 in the Dockerfile, as required by AVD-DS-0002.
Out of Scope Changes check | ✅ Passed | All changes are directly aligned with resolving the three Trivy/AquaSec security findings (AVD-DS-0002, AVD-DS-0019, AVD-AWS-0104) referenced in the PR objectives.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description check | ✅ Passed | The pull request description comprehensively covers the overview, release notes, and related issues as required by the template.


}

resource "aws_vpc_security_group_egress_rule" "allow_all_traffic_ipv4" {
# Example only — these terraform_examples are illustrative and not used for

@lsulak lsulak Jun 23, 2026

Should this comment be updated? I mean, it looks like you added the CIDR block yourself, or not? If not, how will it be updated?


Development

Successfully merging this pull request may close these issues.

[SEC:HIGH][FP=fbba49de] Image user should not be 'root'

2 participants