From 040831a66b998144ef909354238da8fce6de7b04 Mon Sep 17 00:00:00 2001 From: Shahidh Date: Wed, 4 Feb 2026 09:44:59 -0800 Subject: [PATCH 1/5] Switch to Ubuntu Noble base image with Python 3.13 - Use ubuntu:noble-20260113 base image instead of python:3.12-slim - Install Python 3.13 from deadsnakes PPA - Run container as non-root user for security - Remove CVE-specific patches (no longer needed with new base) Co-Authored-By: Claude Opus 4.5 --- Dockerfile | 40 ++++++++++++++++++++++++---------------- 1 file changed, 24 insertions(+), 16 deletions(-) diff --git a/Dockerfile b/Dockerfile index 4a72d27..e9eba46 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,24 +1,26 @@ -FROM python:3.12-slim +FROM ubuntu:noble-20260113 -RUN python -m pip install --no-cache-dir --upgrade "pip>=25.3" - -# Install curl for healthcheck -RUN apt-get update && \ - apt-get install -y curl git && \ - rm -rf /var/lib/apt/lists/* - -# Security updates for CVE-2024-56406 (Perl), CVE-2025-7709 (SQLite) -# Upgrade vulnerable system packages to their fixed versions +# Install dependencies and add deadsnakes PPA for latest Python RUN apt-get update && \ - apt-get upgrade -y \ - libperl5.40 \ - perl \ - perl-modules-5.40 \ - perl-base \ - libsqlite3-0 && \ + apt-get install -y --no-install-recommends \ + software-properties-common \ + gpg-agent && \ + add-apt-repository -y ppa:deadsnakes/ppa && \ + apt-get update && \ + apt-get install -y --no-install-recommends \ + python3.13 \ + python3.13-venv \ + curl \ + git && \ + apt-get purge -y software-properties-common gpg-agent && \ + apt-get autoremove -y && \ apt-get clean && \ rm -rf /var/lib/apt/lists/* +# Create python symlinks for compatibility +RUN ln -sf /usr/bin/python3.13 /usr/bin/python && \ + ln -sf /usr/bin/python3.13 /usr/bin/python3 + COPY /docker /scripts COPY /functions /functions @@ -28,6 +30,12 @@ RUN chmod +x /scripts/package-restore.sh /scripts/start.sh # Run the package-restore script RUN /scripts/package-restore.sh +# Create non-root user +RUN useradd -m python && \ + chown -R python:python /scripts /functions + +USER python + EXPOSE 8080 HEALTHCHECK --interval=5s --timeout=10s --start-period=1s --retries=3 \ From 6f4186f460b715bd255b685028649f3445d13581 Mon Sep 17 00:00:00 2001 From: Shahidh Date: Wed, 4 Feb 2026 09:52:53 -0800 Subject: [PATCH 2/5] Switch to Ubuntu Noble base image with Python 3.12 - Use ubuntu:noble-20260113 base image instead of python:3.12-slim - Use Ubuntu's built-in Python 3.12 - Run container as non-root user for improved security Co-Authored-By: Claude Opus 4.5 --- CHANGELOG.md | 5 +++++ Dockerfile | 18 +++++------------- 2 files changed, 10 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6ef1fec..e8e1a42 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,11 @@ This changelog documents the changes between release versions. Changes to be included in the next upcoming release +## [0.2.7] - 2026.02.04 + +* Switch to `ubuntu:noble-20260113` base image with Python 3.12 +* Run container as non-root user for improved security + ## [0.2.6] - 2025.12.12 * Use pip 25.3 or greater diff --git a/Dockerfile b/Dockerfile index e9eba46..509c715 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,25 +1,17 @@ FROM ubuntu:noble-20260113 -# Install dependencies and add deadsnakes PPA for latest Python +# Install Python 3.12 (Ubuntu Noble default), venv, curl, and git RUN apt-get update && \ apt-get install -y --no-install-recommends \ - software-properties-common \ - gpg-agent && \ - add-apt-repository -y ppa:deadsnakes/ppa && \ - apt-get update && \ - apt-get install -y --no-install-recommends \ - python3.13 \ - python3.13-venv \ + python3 \ + python3-venv \ curl \ git && \ - apt-get purge -y software-properties-common gpg-agent && \ - apt-get autoremove -y && \ apt-get clean && \ rm -rf /var/lib/apt/lists/* -# Create python symlinks for compatibility -RUN ln -sf /usr/bin/python3.13 /usr/bin/python && \ - ln -sf /usr/bin/python3.13 /usr/bin/python3 +# Create python symlink for compatibility +RUN ln -sf /usr/bin/python3 /usr/bin/python COPY /docker /scripts COPY /functions /functions From 2b70a9858f68fd0e0fa3b1c3dd4631c3f763b861 Mon Sep 17 00:00:00 2001 From: Shahidh Date: Wed, 4 Feb 2026 10:01:11 -0800 Subject: [PATCH 3/5] Add Trivy vulnerability scanning to CI workflow - Scan pushed Docker image for vulnerabilities - Upload scan results to Security Agent - Fail build on HIGH/CRITICAL vulnerabilities Co-Authored-By: Claude Opus 4.5 --- .../ndc-python-lambda-connector.yaml | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/.github/workflows/ndc-python-lambda-connector.yaml b/.github/workflows/ndc-python-lambda-connector.yaml index 35f0af3..4ab92e9 100644 --- a/.github/workflows/ndc-python-lambda-connector.yaml +++ b/.github/workflows/ndc-python-lambda-connector.yaml @@ -121,6 +121,45 @@ jobs: tags: ${{ steps.docker-metadata.outputs.tags }} labels: ${{ steps.docker-metadata.outputs.labels }} + - name: Get image tag for scanning + id: get-image-tag + run: | + IMAGE_TAG="${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}:${GITHUB_REF#refs/tags/}" + echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT + + - name: Run Trivy vulnerability scanner (json output) + uses: aquasecurity/trivy-action@0.32.0 + with: + image-ref: ${{ steps.get-image-tag.outputs.image_tag }} + format: json + output: trivy-results.json + scanners: vuln + + - name: Upload Trivy scan results to Security Agent + uses: hasura/security-agent-tools/upload-file@v1 + with: + file_path: trivy-results.json + security_agent_api_key: ${{ secrets.SECURITY_AGENT_API_KEY }} + tags: | + service=ndc-python-lambda + source_code_path=ndc-python-lambda + docker_file_path=Dockerfile + scanner=trivy + image_name=${{ steps.get-image-tag.outputs.image_tag }} + product_domain=hasura-ddn + team=platform + + - name: Fail build on High/Critical Vulnerabilities + uses: aquasecurity/trivy-action@0.32.0 + with: + skip-setup-trivy: true + image-ref: ${{ steps.get-image-tag.outputs.image_tag }} + format: table + severity: CRITICAL,HIGH + scanners: vuln + ignore-unfixed: true + exit-code: 1 + release-connector: name: Release connector runs-on: ubuntu-latest From 1829371cebcb1b353004e6b8de7cb08c5ddae3fa Mon Sep 17 00:00:00 2001 From: Shahidh Date: Wed, 4 Feb 2026 10:03:34 -0800 Subject: [PATCH 4/5] Update Trivy upload tags Co-Authored-By: Claude Opus 4.5 --- .github/workflows/ndc-python-lambda-connector.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ndc-python-lambda-connector.yaml b/.github/workflows/ndc-python-lambda-connector.yaml index 4ab92e9..d19bd3b 100644 --- a/.github/workflows/ndc-python-lambda-connector.yaml +++ b/.github/workflows/ndc-python-lambda-connector.yaml @@ -142,12 +142,12 @@ jobs: security_agent_api_key: ${{ secrets.SECURITY_AGENT_API_KEY }} tags: | service=ndc-python-lambda - source_code_path=ndc-python-lambda + source_code_path=. docker_file_path=Dockerfile scanner=trivy image_name=${{ steps.get-image-tag.outputs.image_tag }} - product_domain=hasura-ddn - team=platform + product_domain=hasura-ddn-data-plane,promptql-data-plane + team=engine - name: Fail build on High/Critical Vulnerabilities uses: aquasecurity/trivy-action@0.32.0 From 06b9072a1633934bd621251eea4f469c9a743670 Mon Sep 17 00:00:00 2001 From: Shahidh Date: Wed, 4 Feb 2026 10:06:39 -0800 Subject: [PATCH 5/5] Add security scan job for PRs and branch pushes - New security-scan job runs on all PRs and branch pushes - Builds Docker image locally and scans with Trivy - Uploads results to Security Agent - Fails on HIGH/CRITICAL vulnerabilities Co-Authored-By: Claude Opus 4.5 --- .../ndc-python-lambda-connector.yaml | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/.github/workflows/ndc-python-lambda-connector.yaml b/.github/workflows/ndc-python-lambda-connector.yaml index d19bd3b..a536f3b 100644 --- a/.github/workflows/ndc-python-lambda-connector.yaml +++ b/.github/workflows/ndc-python-lambda-connector.yaml @@ -85,6 +85,55 @@ jobs: path: ./connector-definition/dist compression-level: 0 # Already compressed + security-scan: + name: Build and scan Docker image + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Build Docker image + uses: docker/build-push-action@v6 + with: + context: . + load: true + tags: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}:${{ github.sha }} + + - name: Run Trivy vulnerability scanner (json output) + uses: aquasecurity/trivy-action@0.32.0 + with: + image-ref: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}:${{ github.sha }} + format: json + output: trivy-results.json + scanners: vuln + + - name: Upload Trivy scan results to Security Agent + uses: hasura/security-agent-tools/upload-file@v1 + with: + file_path: trivy-results.json + security_agent_api_key: ${{ secrets.SECURITY_AGENT_API_KEY }} + tags: | + service=ndc-python-lambda + source_code_path=. + docker_file_path=Dockerfile + scanner=trivy + image_name=${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}:${{ github.sha }} + product_domain=hasura-ddn-data-plane,promptql-data-plane + team=engine + + - name: Fail build on High/Critical Vulnerabilities + uses: aquasecurity/trivy-action@0.32.0 + with: + skip-setup-trivy: true + image-ref: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}:${{ github.sha }} + format: table + severity: CRITICAL,HIGH + scanners: vuln + ignore-unfixed: true + exit-code: 1 + build-and-push-docker: name: Build and push Docker image needs: build-connector