Merge pull request #57 from QWED-AI/fix/docker-security

fix(docker): upgrade to python 3.12-bookworm and harden container security

Author: rahuldass19

.gitattributes

@@ -0,0 +1,2 @@
+# Enforce Unix line endings for shell scripts
+*.sh text eol=lf

Dockerfile

@@ -1,6 +1,8 @@
 # QWED Action v3.0 Docker Image
 # Includes all verification engines and security scanners
-FROM python:3.11-slim
+# Vulnerability Fix: Upgrade to bookworm and pin digest for immutability
+# python:3.12-slim-bookworm @ 2024-02-11
+FROM python:3.12-slim-bookworm@sha256:4a8e0824201e50fc44ee8d208a2b3e44f33e00448907e524066fca5a96eb5567
 
 # Prevent python from writing pyc files to disc
 ENV PYTHONDONTWRITEBYTECODE=1
@@ -11,21 +13,52 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     git \
     && rm -rf /var/lib/apt/lists/*
 
-# Install dependencies (including httpx needed by qwed_sdk import chain)
-# Note: z3-solver NOT included - not needed for secret/code scanning actions
-# and requires C++ compiler to build from source
-RUN pip install --no-cache-dir sympy colorama httpx
+# Create a non-root user for security
+RUN useradd -m -u 1000 appuser
+
+# Fix permissions for GitHub Actions workspace
+RUN mkdir -p /github/workspace && chown -R appuser:appuser /github
+
+# Install gosu and dos2unix for entrypoint management
+RUN apt-get update && apt-get install -y --no-install-recommends gosu dos2unix && rm -rf /var/lib/apt/lists/*
+
+# Copy requirements file first to leverage cache
+COPY requirements.txt /app/requirements.txt
+
+# Install dependencies with hash verification
+# Vulnerability Fix: Pin versions with hashes to prevent supply chain attacks
+RUN pip install --no-cache-dir --require-hashes -r /app/requirements.txt
 
 # Copy the entire QWED SDK (local version with guards)
-COPY qwed_sdk /app/qwed_sdk/
+COPY --chown=appuser:appuser qwed_sdk /app/qwed_sdk/
 
 # Copy the entrypoint script
-COPY action_entrypoint.py /action_entrypoint.py
+COPY --chown=appuser:appuser action_entrypoint.py /action_entrypoint.py
 RUN chmod +x /action_entrypoint.py
 
+# Create entrypoint.sh directly to avoid Windows line ending issues (CRLF)
+RUN printf '#!/bin/bash\n\
+set -e\n\
+\n\
+# Fix permissions for workspace\n\
+if [ -d "/github/workspace" ]; then\n\
+    chown -R appuser:appuser /github/workspace\n\
+fi\n\
+\n\
+# Fix permissions for file commands\n\
+if [ -d "/github/file_commands" ]; then\n\
+    chmod -R 777 /github/file_commands\n\
+fi\n\
+\n\
+# Switch to appuser and run the main entrypoint\n\
+exec gosu appuser python /action_entrypoint.py "$@"\n\
+' > /entrypoint.sh && chmod +x /entrypoint.sh
+
 # Set Python path to use local SDK
 ENV PYTHONPATH=/app
 
 WORKDIR /github/workspace
 
-ENTRYPOINT ["python", "/action_entrypoint.py"]
+# NOTE: We do NOT switch USER here. We start as root to fix permissions on mounted volumes
+# in entrypoint.sh, then drop privileges to appuser using gosu.
+ENTRYPOINT ["/entrypoint.sh"]

requirements.txt

@@ -0,0 +1,58 @@
+#
+# This file is autogenerated by pip-compile with Python 3.11
+# by the following command:
+#
+#    pip-compile --generate-hashes --output-file=requirements.txt requirements.in
+#
+anyio==4.12.1 \
+    --hash=sha256:41cfcc3a4c85d3f05c932da7c26d0201ac36f72abd4435ba90d0464a3ffed703 \
+    --hash=sha256:d405828884fc140aa80a3c667b8beed277f1dfedec42ba031bd6ac3db606ab6c
+    # via httpcore
+certifi==2026.1.4 \
+    --hash=sha256:9943707519e4add1115f44c2bc244f782c0249876bf51b6599fee1ffbedd685c \
+    --hash=sha256:ac726dd470482006e014ad384921ed6438c457018f4b3d204aea4281258b2120
+    # via
+    #   httpcore
+    #   httpx
+colorama==0.4.6 \
+    --hash=sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44 \
+    --hash=sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6
+    # via -r requirements.in
+h11==0.14.0 \
+    --hash=sha256:8f19fbbe99e72420ff35c00b27a34cb9937e902a8b810e2c88300c6f0a3b699d \
+    --hash=sha256:e3fe4ac4b851c468cc8363d500db52c2ead036020723024a109d37346efaa761
+    # via httpcore
+httpcore==0.17.3 \
+    --hash=sha256:a6f30213335e34c1ade7be6ec7c47f19f50c56db36abef1a9dfa3815b1cb3888 \
+    --hash=sha256:c2789b767ddddfa2a5782e3199b2b7f6894540b17b16ec26b2c4d8e103510b87
+    # via httpx
+httpx==0.24.0 \
+    --hash=sha256:447556b50c1921c351ea54b4fe79d91b724ed2b027462ab9a329465d147d5a4e \
+    --hash=sha256:5b8cc50c22634351515ce762ce0d965705a611c0c6819a31818221c976993a43 \
+    --hash=sha256:9ac5ae24268e6f304403328ce7885b59f77f989917849618b76df4721387d85c
+    # via -r requirements.in
+idna==3.11 \
+    --hash=sha256:771a87f49d9defaf64091e6e6fe9c18d4833f140bd19464795bc32d966ca37ea \
+    --hash=sha256:795dafcc9c04ed0c1fb032c2aa73654d8e8c5023a7df64a53f39190ada629902
+    # via
+    #   anyio
+    #   httpx
+mpmath==1.3.0 \
+    --hash=sha256:7a28eb2a9774d00c7bc92411c19a89209d5da7c4c9a9e227be8330a23a25b91f \
+    --hash=sha256:a0b2b9fe80bbcd81a6647ff13108738cfb482d481d826cc0e02f5b35e5c88d2c
+    # via sympy
+sniffio==1.3.1 \
+    --hash=sha256:2f6da418d1f1e0fddd844478f41680e794e6051915791a034ff65e5f100525a2 \
+    --hash=sha256:f4324edc670a0f49750a81b895f35c3adb843cca46f0530f79fc1babb23789dc
+    # via
+    #   httpcore
+    #   httpx
+sympy==1.12 \
+    --hash=sha256:3e2e0e09210c4d8f8d660e574c88f728c050228497d51921356a9829352e8253 \
+    --hash=sha256:c3588cd4295d0c0f603d0f2ae780587e64e2efeedb3521e46b9bb1d08d184fa5 \
+    --hash=sha256:ebf595f8cc3e0d54184a47bd3b89097782ad76e06b38c2957b4458ce3e7e0e74
+    # via -r requirements.in
+typing-extensions==4.15.0 \
+    --hash=sha256:0cea48d173cc12fa28ecabc3b837ea3cf6f38c6d1136f85cbaaf598984861466 \
+    --hash=sha256:f0fa19c6845758ab08074a0cfa8b7aecb71c999ca73d62883bc25cc018c4e548
+    # via anyio