Switch to Ubuntu Noble base image and non root user (#17)

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: shahidhk

.github/workflows/ndc-python-lambda-connector.yaml

@@ -85,6 +85,55 @@ jobs:
           path: ./connector-definition/dist
           compression-level: 0 # Already compressed
 
+  security-scan:
+    name: Build and scan Docker image
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          load: true
+          tags: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}:${{ github.sha }}
+
+      - name: Run Trivy vulnerability scanner (json output)
+        uses: aquasecurity/trivy-action@0.32.0
+        with:
+          image-ref: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}:${{ github.sha }}
+          format: json
+          output: trivy-results.json
+          scanners: vuln
+
+      - name: Upload Trivy scan results to Security Agent
+        uses: hasura/security-agent-tools/upload-file@v1
+        with:
+          file_path: trivy-results.json
+          security_agent_api_key: ${{ secrets.SECURITY_AGENT_API_KEY }}
+          tags: |
+            service=ndc-python-lambda
+            source_code_path=.
+            docker_file_path=Dockerfile
+            scanner=trivy
+            image_name=${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}:${{ github.sha }}
+            product_domain=hasura-ddn-data-plane,promptql-data-plane
+            team=engine
+
+      - name: Fail build on High/Critical Vulnerabilities
+        uses: aquasecurity/trivy-action@0.32.0
+        with:
+          skip-setup-trivy: true
+          image-ref: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}:${{ github.sha }}
+          format: table
+          severity: CRITICAL,HIGH
+          scanners: vuln
+          ignore-unfixed: true
+          exit-code: 1
+
   build-and-push-docker:
     name: Build and push Docker image
     needs: build-connector
@@ -121,6 +170,45 @@ jobs:
           tags: ${{ steps.docker-metadata.outputs.tags }}
           labels: ${{ steps.docker-metadata.outputs.labels }}
 
+      - name: Get image tag for scanning
+        id: get-image-tag
+        run: |
+          IMAGE_TAG="${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}:${GITHUB_REF#refs/tags/}"
+          echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
+
+      - name: Run Trivy vulnerability scanner (json output)
+        uses: aquasecurity/trivy-action@0.32.0
+        with:
+          image-ref: ${{ steps.get-image-tag.outputs.image_tag }}
+          format: json
+          output: trivy-results.json
+          scanners: vuln
+
+      - name: Upload Trivy scan results to Security Agent
+        uses: hasura/security-agent-tools/upload-file@v1
+        with:
+          file_path: trivy-results.json
+          security_agent_api_key: ${{ secrets.SECURITY_AGENT_API_KEY }}
+          tags: |
+            service=ndc-python-lambda
+            source_code_path=.
+            docker_file_path=Dockerfile
+            scanner=trivy
+            image_name=${{ steps.get-image-tag.outputs.image_tag }}
+            product_domain=hasura-ddn-data-plane,promptql-data-plane
+            team=engine
+
+      - name: Fail build on High/Critical Vulnerabilities
+        uses: aquasecurity/trivy-action@0.32.0
+        with:
+          skip-setup-trivy: true
+          image-ref: ${{ steps.get-image-tag.outputs.image_tag }}
+          format: table
+          severity: CRITICAL,HIGH
+          scanners: vuln
+          ignore-unfixed: true
+          exit-code: 1
+
   release-connector:
     name: Release connector
     runs-on: ubuntu-latest

CHANGELOG.md

@@ -6,6 +6,11 @@ This changelog documents the changes between release versions.
 
 Changes to be included in the next upcoming release
 
+## [0.2.7] - 2026.02.04
+
+* Switch to `ubuntu:noble-20260113` base image with Python 3.12
+* Run container as non-root user for improved security
+
 ## [0.2.6] - 2025.12.12
 
 * Use pip 25.3 or greater

Dockerfile

@@ -1,24 +1,18 @@
-FROM python:3.12-slim
+FROM ubuntu:noble-20260113
 
-RUN python -m pip install --no-cache-dir --upgrade "pip>=25.3"
-
-# Install curl for healthcheck
-RUN apt-get update && \
-    apt-get install -y curl git && \
-    rm -rf /var/lib/apt/lists/*
-
-# Security updates for CVE-2024-56406 (Perl), CVE-2025-7709 (SQLite)
-# Upgrade vulnerable system packages to their fixed versions
+# Install Python 3.12 (Ubuntu Noble default), venv, curl, and git
 RUN apt-get update && \
-    apt-get upgrade -y \
-      libperl5.40 \
-      perl \
-      perl-modules-5.40 \
-      perl-base \
-      libsqlite3-0 && \
+    apt-get install -y --no-install-recommends \
+      python3 \
+      python3-venv \
+      curl \
+      git && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/*
 
+# Create python symlink for compatibility
+RUN ln -sf /usr/bin/python3 /usr/bin/python
+
 COPY /docker /scripts
 COPY /functions /functions
 
@@ -28,6 +22,12 @@ RUN chmod +x /scripts/package-restore.sh /scripts/start.sh
 # Run the package-restore script
 RUN /scripts/package-restore.sh
 
+# Create non-root user
+RUN useradd -m python && \
+    chown -R python:python /scripts /functions
+
+USER python
+
 EXPOSE 8080
 
 HEALTHCHECK --interval=5s --timeout=10s --start-period=1s --retries=3 \