Skip to content

fix: updates to docker#1061

Merged
BenjaminMichaelis merged 3 commits intomainfrom
agents/docker-security-compliance-review
May 6, 2026
Merged

fix: updates to docker#1061
BenjaminMichaelis merged 3 commits intomainfrom
agents/docker-security-compliance-review

Conversation

@BenjaminMichaelis
Copy link
Copy Markdown
Member

@BenjaminMichaelis BenjaminMichaelis commented May 6, 2026

Description

Describe your changes here.

Fixes #Issue_Number (if available)

Ensure that your pull request has followed all the steps below:

  • Code compilation
  • Created tests which fail without the change (if possible)
  • All tests passing
  • Extended the README / documentation, if necessary

@BenjaminMichaelis
security: harden Docker image and CI pipeline (OWASP compliance)
55e4018 
Addresses multiple items from the OWASP Docker Security Cheat Sheet:

- Switch base image to mcr.microsoft.com/dotnet/aspnet:10.0-noble-chiseled
  (smaller attack surface, no shell, fewer CVEs, non-root by default)
- Add USER app directive so container runs as non-root (OWASP Rule 2)
- Remove curl|sh pattern for Azure Artifact Credential Provider
- Replace raw PAT secret with BuildKit --mount=type=secret file (nugetconfig)
  so credentials are never written to any image layer or build cache
- Generate NuGet auth config in CI via heredoc; clean up with if: always()
- Fix PR docker build step: add context and ACCESS_TO_NUGET_FEED=false
- Downgrade Node from non-LTS v25 to Active LTS v24 (Krypton)
@BenjaminMichaelis
fix: address PR review feedback - NuGet config layering and secret mount
1f6c3e0 
- Add required=false to BuildKit secret mount so PR/merge_group builds succeed
  without the nugetconfig secret (was silently working due to dockerfile:1.2 syntax
  but required=false makes the intent explicit and safe for future syntax bumps)
- Use NuGet config layering instead of --configfile: copy credentials-only secret
  into ~/.nuget/config/credentials.config so dotnet restore reads both the repo
  nuget.config (sources + packageSourceMapping) and the credentials file automatically
- CI-generated config is now credentials-only (no packageSources, no packageSourceMapping)
  making nuget.config the single source of truth - no more drift risk
@BenjaminMichaelis
Copy link
Copy Markdown
Member Author

BenjaminMichaelis commented May 6, 2026

@copilot resolve the merge conflicts in this pull request

@BenjaminMichaelis
Merge remote-tracking branch 'origin/main' into agents/docker-securit…
b8d18b9 
…y-compliance-review

# Conflicts:
#	.github/workflows/Build-Test-And-Deploy.yml
#	EssentialCSharp.Web/Dockerfile

Co-authored-by: BenjaminMichaelis <22186029+BenjaminMichaelis@users.noreply.github.com>
Copy link
Copy Markdown
Contributor

Copilot AI commented May 6, 2026

@copilot resolve the merge conflicts in this pull request

Resolved in b8d18b9. Merged origin/main into the branch, accepting main's versions of the two conflicted files (Dockerfile and Build-Test-And-Deploy.yml). The core Docker security changes were already incorporated into main via #1060, so the branch is now fully up to date with no remaining conflicts.

@BenjaminMichaelis BenjaminMichaelis marked this pull request as ready for review May 6, 2026 23:20
Copilot AI review requested due to automatic review settings May 6, 2026 23:20
@BenjaminMichaelis BenjaminMichaelis merged commit 26ebbed into main May 6, 2026
6 checks passed
Copilot AI reviewed May 6, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review any files in this pull request.

@BenjaminMichaelis BenjaminMichaelis deleted the agents/docker-security-compliance-review branch May 6, 2026 23:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@BenjaminMichaelis