Fix: Dockerfile Security Vulnerabilities #2302

@Suresh-Krishna-P

Security Issue: Dockerfile Security Vulnerabilities

Issue: The Dockerfile contains multiple security vulnerabilities that could lead to privilege escalation and container compromise.

Key Problems:

  1. Privilege Escalation Risk:
    • Uses USER builder but then switches back to root implicitly
    • The pipenv install --dev command runs as non-root but may need elevated privileges
  2. Insecure Package Installation:
    • Installs the docker package inside the container (unnecessary attack surface)
    • Uses the --ignore-pipfile flag, which bypasses dependency pinning
  3. Missing Security Hardening:
    • No --no-install-recommends flag for apk packages
    • No cleanup of the package cache after installation
    • No security scanning of installed packages
  4. Information Disclosure:
    • Exposes build arguments (user_id, group_id, home, workdir) in image layers

Simple Solution:

  1. Remove unnecessary packages: Remove docker from apk install
  2. Add package cleanup: Add rm -rf /var/cache/apk/* after package installation
  3. Use proper dependency management: Remove --ignore-pipfile flag
  4. Add security hardening: Use --no-install-recommends for apk
  5. Minimize attack surface: Only install packages needed for the specific stage

I’d be happy to work on this and open a PR if you could assign it to me.
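The following is an added example of what the hardening steps above look like in one multi-stage Dockerfile; it is not the project's Dockerfile and not code from the issue author. Only the identifiers mentioned in the issue (the builder user, the user_id/group_id/home/workdir build arguments, pipenv install --dev) are taken from the text; the python:3.12-alpine base, the git package, the /app and /home/builder paths, uid/gid 1000 and the `app` module are assumptions. It uses `apk add --no-cache`, which downloads the index to memory and leaves nothing under /var/cache/apk, so no separate cleanup step is required, and `pipenv install --deploy`, which aborts when Pipfile.lock is out of date with Pipfile so the lock is enforced rather than re-resolved. Values passed via ARG or ENV are recorded in the layer history, so only non-secret values (uid, gid, paths) go that way; anything sensitive belongs in a BuildKit `RUN --mount=type=secret`.

```dockerfile
# syntax=docker/dockerfile:1
# Hypothetical hardened Dockerfile (example only). Base image, package list,
# paths and uid/gid are assumptions; only the identifiers builder, user_id,
# group_id, home, workdir and "pipenv install --dev" come from the issue.

ARG user_id=1000
ARG group_id=1000
ARG home=/home/builder
ARG workdir=/app

FROM python:3.12-alpine AS build
# ARGs declared before the first FROM are only visible to FROM lines, so each
# stage that uses them must re-declare them.
ARG user_id
ARG group_id
ARG home
ARG workdir

# Build-time tooling only (git is an assumed example); no docker client, because
# the build never talks to a daemon and the package would only add attack
# surface. --no-cache keeps the apk index in memory and writes nothing under
# /var/cache/apk, so there is no package cache left in the layer to remove.
# The workdir is created and chowned here so the unprivileged user can write
# its virtualenv into it later.
RUN apk add --no-cache git \
 && addgroup -g "${group_id}" builder \
 && adduser -D -u "${user_id}" -G builder -h "${home}" builder \
 && mkdir -p "${workdir}" \
 && chown builder:builder "${workdir}" \
 && pip install --no-cache-dir pipenv

# Keep the virtualenv inside the workdir so the runtime stage can copy it.
ENV HOME=${home} \
    PIPENV_VENV_IN_PROJECT=1
WORKDIR ${workdir}
COPY --chown=builder:builder Pipfile Pipfile.lock ./

# Drop privileges before dependency installation. Nothing below this line runs
# as root, and there is no later "USER root" that would escalate again.
USER builder
# --deploy aborts the build if Pipfile.lock does not match Pipfile, so the
# pinned lock is enforced instead of being silently re-resolved.
RUN pipenv install --deploy --dev

FROM python:3.12-alpine AS runtime
ARG user_id
ARG group_id
ARG home
ARG workdir

# The runtime stage installs no packages at all: no git, no pipenv, no docker.
RUN addgroup -g "${group_id}" builder \
 && adduser -D -u "${user_id}" -G builder -h "${home}" builder

WORKDIR ${workdir}
COPY --from=build --chown=builder:builder ${workdir}/.venv ./.venv
COPY --chown=builder:builder . .

# uid, gid and paths are not secrets, so passing them as ARG is harmless even
# though the values are visible in `docker history`. Real secrets (tokens,
# private index credentials) must be supplied with
#   RUN --mount=type=secret,id=<name> ...
# and never through ARG or ENV.
USER builder
ENV HOME=${home} \
    PATH="${workdir}/.venv/bin:${PATH}"
CMD ["python", "-m", "app"]
```

Build it with `DOCKER_BUILDKIT=1 docker build --build-arg user_id=$(id -u) --build-arg group_id=$(id -g) .`; the two-stage layout is what keeps build-only packages out of the final image, which is the "only install packages needed for the specific stage" point above.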
