Skip to content

Docker security hardening with secrets management#111

Draft
Copilot wants to merge 3 commits intomasterfrom
copilot/increase-docker-security
Draft

Docker security hardening with secrets management#111
Copilot wants to merge 3 commits intomasterfrom
copilot/increase-docker-security

Conversation

Copy link

Copilot AI commented Nov 27, 2025
edited
Loading

Implements comprehensive Docker security hardening: secrets management, non-root users, capability dropping, resource limits, and health checks.

Changes

Security Context

  • Remove external database port exposure (5432)
  • Add no-new-privileges:true to both containers
  • Drop all capabilities, add back only required ones (NET_BIND_SERVICE for node, CHOWN/SETGID/SETUID/DAC_OVERRIDE/FOWNER for postgres)
  • Add CPU (0.50 cores) and memory (512MB) limits

Non-root Users

  • Create nodeapp user in Node.js Dockerfile
  • PostgreSQL uses built-in postgres user

Secrets Management

  • Add secrets/ directory with example files
  • Update config.js to read credentials from /run/secrets/*:
function readSecret(secretPath, defaultValue) {
    if (secretPath && fs.existsSync(secretPath)) {
        return fs.readFileSync(secretPath, 'utf8').trim();
    }
    return defaultValue;
}

var dbUser = readSecret(process.env.DB_USER_FILE, 'postgres');
var dbPassword = readSecret(process.env.DB_PASSWORD_FILE, 'postgres');

Base Images

  • Node.js: 19.3.0-bullseye-slim22-bookworm-slim
  • PostgreSQL: 15.1-bullseye16-bookworm

Health Checks

  • Node.js: curl -f http://localhost:3000/ (30s interval, 10s timeout, 3 retries)
  • PostgreSQL: pg_isready -U postgres (30s interval, 10s timeout, 5 retries, 30s start period)

Documentation

  • Add SECURITY.md with setup instructions and best practices
  • Update README.md with secrets setup steps
Original prompt

This section details on the original issue you should resolve

<issue_title>Increase Docker security hardening</issue_title>
<issue_description>- Remove database port exposure from docker-compose.yml

  • Create non-root users in the Dockerfiles
  • Implement Docker secrets management by creating secrets/ directory and to use secret files instead of hardcoded credentials
  • Add security contexts and resource limits including no-new-privileges, read-only filesystem, capability dropping, and CPU/memory constraints
  • Update base images to latest stable versions
  • Implement health checks and monitoring in both Dockerfiles with proper interval, timeout, and retry configurations</issue_description>

Comments on the Issue (you are Copilot in this section)

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI and others added 2 commits November 27, 2025 08:47
@scubaninja
Implement Docker security hardening with secrets management and docum…
428e20a 
…entation

Co-authored-by: scubaninja <26086919+scubaninja@users.noreply.github.com>
@scubaninja
Address code review feedback: improve health check and remove path fr…
4de9f91 
…om warning

Co-authored-by: scubaninja <26086919+scubaninja@users.noreply.github.com>
Copilot AI changed the title [WIP] Enhance Docker security hardening measures Docker security hardening with secrets management Nov 27, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@scubaninja April Yoho (scubaninja) Awaiting requested review from scubaninja

At least 2 approving reviews are required to merge this pull request.

Assignees

@scubaninja April Yoho (scubaninja)

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Increase Docker security hardening

2 participants

@scubaninja