Skip to content

Security: harden container image and address high-score vulnerabilities#371

Open
LordOverlord wants to merge 51 commits intobcicen:masterfrom
LordOverlord:bcicen
Open

Security: harden container image and address high-score vulnerabilities#371
LordOverlord wants to merge 51 commits intobcicen:masterfrom
LordOverlord:bcicen

Conversation

@LordOverlord
Copy link
Copy Markdown

@LordOverlord LordOverlord commented Jan 23, 2026

Summary

This PR hardens the Docker image build to mitigate high-severity vulnerabilities (including runc-related findings), reduces image surface area, and ensures the container binary reports consistent version/build metadata.

What changed

  • Image hardening / CVE mitigation

    • Reworked the container build to reduce exposure to high-score vulnerabilities flagged by scanners (incl. runc-related findings).
    • Removed/avoided unnecessary components to minimize attack surface.

  • Dockerfile cleanup

    • Simplified the build stages and final image contents.
    • Ensured the final image contains only the required ctop binary and minimal runtime config.

  • Version/build metadata inside the container

    • Build now embeds semantic version and git SHA into the binary used in the container (same fields reported by ctop -v).

Why

Security scanners were reporting high-severity vulnerabilities on the image build chain.
This change reduces the image footprint and improves traceability of shipped artifacts via embedded version/build metadata.

How to validate

  • Build the image locally: 
    docker build -t ctop .
  • Run version output from the container: 
    docker run --rm ctop -v
  • Expected: version + build SHA are present.

Notes

  • This PR intentionally does not include CI/CD workflow changes (upstream may have different pipelines).
  • No functional runtime behavior changes beyond build metadata and container hardening.

LordOverlord and others added 30 commits October 21, 2024 00:10
@LordOverlord
chenge to github actions, instead of circleci
ee40d9b
@LordOverlord
fixes to the github actions
aafd63a
@LordOverlord
changed GA to avoid tagging
b9d3c62
@LordOverlord
changed GA to avoid tagging
bb5e743
@LordOverlord
changes to GA
6de31ec
@LordOverlord
updated some dependencies on go.mod
51c8111
@LordOverlord
Merge pull request #1 from LordOverlord/dev
387cea7 
Dev
@LordOverlord
added build for binaries
16f4c57
@LordOverlord
changes to releases
302c5ba
@LordOverlord
changes to releases
dd4fc3d
@LordOverlord
changes to dev releases
dbfa769
@LordOverlord
updated dependency
927977c
@LordOverlord
updated version dependency
7490222
@LordOverlord
go.mod dependencies
044036f
@LordOverlord
changed references to bcicen
bfd1315
@LordOverlord
solving dependencies in go
7f6ae34
@LordOverlord
solving dependencies
7284413
@LordOverlord
dependiencies on go.mod and sum
761444b
@LordOverlord
changes to workflow dev
34b3940
@LordOverlord
change the binaries
8db80a4
@LordOverlord
change the binaries
28dd346
@LordOverlord
change to versions instead of timestamp
8cbd432
@LordOverlord
change tags
6e65fa4
@LordOverlord
change to versions instead of timestamp
6f85c57
@LordOverlord
Merge pull request #2 from LordOverlord/dev
fa78817 
Dev
@LordOverlord
rework ga master
031dfc1
@LordOverlord
Merge pull request #3 from LordOverlord/dev
082c401 
rework ga master
@LordOverlord
new tag
9c42cf3
@LordOverlord
mark false prerelease from master
92b7222
@LordOverlord
updated security issues dependencies
37b2705
LordOverlord and others added 21 commits October 21, 2024 03:21
@LordOverlord
added snyk
5371a17
@LordOverlord
updated containerd
ec7c5e2
@LordOverlord
changed go version
292d780
@LordOverlord
change to dependency
b1c5cd3
@LordOverlord
updated dependency
bceac61
@LordOverlord
changes to dependencies
794afdd
@LordOverlord
changes to dependencies mod
36c889c
@LordOverlord
fixed cve on the base image, and changed to builder, for a compact do…
60c2f6d 
…cker image
@LordOverlord
upgraded the go version to 1.21 to support toolchain
ce7a3b2
@LordOverlord
Fixed some cve on the ctop binary
4c19f6a
@LordOverlord
Fixed some cve on the ctop binary
1384dc2
@LordOverlord
cve fix, hopefully
108fce9
@LordOverlord
bumped to 23.0.15 fix a few cve, pendind reqrite for the official client
7116efd
@LordOverlord
Work on the Readme
b6e3a32
@LordOverlord
Merge pull request #4 from LordOverlord/dev
57c91c3 
Approving this, since theres a pending rewrite to deprecate the fsouza/go-dockerclient with the official one.
this also should solve other cve reported by snyk.
@LordOverlord
rework of the runc for addresing high score vulnerabilities
aa1170b
@LordOverlord
cleanup from dockerfile
3ce894d
@LordOverlord
overhaul to github actions, binary and docker image
9742f18
@LordOverlord
fix for the docker job
29f0772
@LordOverlord
fix for snyk step
7128ade
@LordOverlord
branch for merge with bcicen original repo, minus the github actions
33650f0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@LordOverlord