From 7a7010d000e3c6467e0c9e723756d772f057ff27 Mon Sep 17 00:00:00 2001 From: d4rm5 Date: Tue, 26 Aug 2025 11:19:18 -0300 Subject: [PATCH 1/4] feat: restructure devcontainers and improve CI #15 --- .devcontainer/auditor/Dockerfile | 143 ++++++++++++++ .devcontainer/auditor/devcontainer.json | 58 ++++++ .devcontainer/hardened/Dockerfile | 155 +++++++++++++++ .devcontainer/hardened/devcontainer.json | 95 +++++++++ .devcontainer/isolated/Dockerfile | 151 ++++++++++++++ .devcontainer/isolated/devcontainer.json | 117 +++++++++++ Dockerfile => .devcontainer/legacy/Dockerfile | 12 +- .devcontainer/{ => legacy}/devcontainer.json | 6 +- motd => .devcontainer/legacy/motd | 0 .devcontainer/minimal/Dockerfile | 153 ++++++++++++++ .devcontainer/minimal/devcontainer.json | 121 ++++++++++++ .github/workflows/main.yml | 135 +++++++++++++ README.md | 186 ++++++++++++++++-- 13 files changed, 1309 insertions(+), 23 deletions(-) create mode 100644 .devcontainer/auditor/Dockerfile create mode 100644 .devcontainer/auditor/devcontainer.json create mode 100644 .devcontainer/hardened/Dockerfile create mode 100644 .devcontainer/hardened/devcontainer.json create mode 100644 .devcontainer/isolated/Dockerfile create mode 100644 .devcontainer/isolated/devcontainer.json rename Dockerfile => .devcontainer/legacy/Dockerfile (95%) rename .devcontainer/{ => legacy}/devcontainer.json (98%) rename motd => .devcontainer/legacy/motd (100%) create mode 100644 .devcontainer/minimal/Dockerfile create mode 100644 .devcontainer/minimal/devcontainer.json create mode 100644 .github/workflows/main.yml diff --git a/.devcontainer/auditor/Dockerfile b/.devcontainer/auditor/Dockerfile new file mode 100644 index 0000000..f7c865b --- /dev/null +++ b/.devcontainer/auditor/Dockerfile @@ -0,0 +1,143 @@ +# syntax=docker/dockerfile:1.10.0 +# check=error=true +# +# AUDITOR TRG DevContainer Dockerfile +# This Dockerfile creates a specialized development environment for smart contract auditing +# with focused tooling, Docker-in-Docker support, and comprehensive security analysis tools. +# +# Key features: +# - Multi-stage build for Echidna binary +# - Specialized audit tools (slither, mythril, crytic-compile) +# - Foundry framework for testing and interaction +# - Hardhat for development workflows +# - Docker-in-Docker support for containerized tools + +# Pull latest Echidna prebuilt image from Crytic +# Echidna is a fuzzing tool for Ethereum smart contracts +FROM --platform=linux/amd64 ghcr.io/crytic/echidna/echidna AS echidna + +# Base image: Debian 12 (Bookworm) with VS Code DevContainer support +# This provides a stable, development-focused base for auditing work +FROM mcr.microsoft.com/vscode/devcontainers/base:bookworm + +# Switch to root user temporarily for system package installation +USER root + +# Install essential system packages for development +# These are the minimal packages needed for Web3 development tools +RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ + bash-completion # Shell completion support \ + build-essential # Compilation tools (gcc, make, etc.) \ + curl # HTTP client for downloading tools \ + git # Version control system \ + jq # JSON processor for tool outputs \ + pkg-config # Package configuration helper \ + sudo # Privilege escalation (needed for some tools) \ + unzip # Archive extraction \ + vim # Text editor \ + wget # Alternative HTTP client \ + zsh # Advanced shell \ + && rm -rf /var/lib/apt/lists/* + + + +# Install Python development dependencies +# Required for Python-based security tools and package management +RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ + python3-pip # Python package installer \ + libpython3-dev # Python development headers \ + python3-dev # Python development tools \ + python3-venv # Python virtual environment support \ + && rm -rf /var/lib/apt/lists/* + +# Switch to vscode user for security (drop privileges) +# This ensures all subsequent operations run as non-root user +USER vscode +WORKDIR /home/vscode +ENV HOME=/home/vscode + +# Install uv +RUN curl -LsSf https://astral.sh/uv/install.sh | sh + +# Update PATH environment for tool access +# Configure paths for Python, Node.js, and other tools +ENV UV_LOCAL_BIN=$HOME/.cargo/bin +ENV USR_LOCAL_BIN=/usr/local/bin +ENV LOCAL_BIN=${HOME}/.local/bin +ENV PNPM_HOME=${HOME}/.local/share/pnpm +ENV PATH=${PATH}:${USR_LOCAL_BIN}:${LOCAL_BIN}:${PNPM_HOME}:${UV_LOCAL_BIN} + +# Install Python 3.12 with uv +RUN uv python install 3.12 + +# Set the default shell to zsh for better development experience +ENV SHELL=/usr/bin/zsh + +# Running everything under zsh for consistency and features +SHELL ["/usr/bin/zsh", "-ic"] + +# Install Go programming language through asdf version manager +# asdf provides consistent version management across different tools +# Go is required for various Web3 tools and Foundry framework +RUN git clone https://github.com/asdf-vm/asdf.git $HOME/.asdf --branch v0.15.0 && \ + echo '. $HOME/.asdf/asdf.sh' >> $HOME/.zshrc && \ + echo 'fpath=(${ASDF_DIR}/completions $fpath)' >> $HOME/.zshrc && \ + echo 'autoload -Uz compinit && compinit' >> $HOME/.zshrc && \ + . $HOME/.asdf/asdf.sh && \ + asdf plugin add golang && \ + asdf install golang latest && \ + asdf global golang latest + +# Install Rust programming language +# Required for various Web3 security tools and Foundry framework +RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y && source $HOME/.cargo/env + +# Switch to root user temporarily for Node.js installation +USER root + +# Install Node.js, npm, yarn, and pnpm through devcontainer features +# These are essential for JavaScript/TypeScript Web3 development and Hardhat +RUN curl -o- https://raw.githubusercontent.com/devcontainers/features/main/src/node/install.sh | bash +RUN chown -R vscode:vscode ${HOME}/.npm + +# Switch back to vscode user for security +USER vscode + +# Install Foundry framework for Ethereum development and testing +# Foundry provides Forge (testing), Cast (interaction), and Anvil (local blockchain) +# Essential for smart contract development and testing during audits +RUN curl -L https://foundry.paradigm.xyz | zsh +RUN foundryup + +# Install Python-based security analysis tools for auditing +# These tools provide comprehensive smart contract security analysis +# Focused on core auditing tools: slither, mythril, crytic-compile +RUN uv tool install slither-analyzer && \ + uv tool install mythril && \ + uv tool install crytic-compile + +# Install Hardhat and Solhint for Ethereum development +# Hardhat is a popular development environment, Solhint provides linting +RUN pnpm install -g hardhat solhint + +# Copy prebuilt Echidna binary from echidna stage to final image +# This provides the prebuilt Echidna tool without rebuilding +COPY --chown=vscode:vscode --from=echidna /usr/local/bin/echidna ${HOME}/.local/bin/echidna +RUN chmod 755 ${HOME}/.local/bin/echidna + +# Switch to non-root user for final setup +USER vscode + +# Set up user environment with Foundry path +# Ensure Foundry tools are available in the user's shell +RUN echo 'export PATH="/usr/local/foundry/bin:$PATH"' >> /home/vscode/.zshrc + +# Switch to root for system cleanup +USER root + +# Clean up package cache and temporary files +# This reduces image size and improves security +RUN apt-get autoremove -y && apt-get clean -y + +# Final switch to vscode user for development +USER vscode \ No newline at end of file diff --git a/.devcontainer/auditor/devcontainer.json b/.devcontainer/auditor/devcontainer.json new file mode 100644 index 0000000..8e74da2 --- /dev/null +++ b/.devcontainer/auditor/devcontainer.json @@ -0,0 +1,58 @@ +{ + // For format details, see https://aka.ms/devcontainer.json. + // This is the AUDITOR version of TRG's DevContainer - specialized for smart contract auditing + // with Docker-in-Docker support, specialized audit extensions, and focused tooling for + // comprehensive security analysis and code review. + "name": "Auditor TRG's DevContainer", + + // Build configuration - uses the local Dockerfile in this directory + "build": { + "dockerfile": "./Dockerfile" + }, + + // Features to add to the dev container. More info: https://containers.dev/features. + // Specialized features for auditing and development workflows + "features": { + "ghcr.io/devcontainers/features/git:1": {}, // Git version control support + "ghcr.io/devcontainers/features/github-cli:1": {}, // GitHub CLI for repository management + "ghcr.io/devcontainers/features/docker-in-docker:2.12.2": { // Docker-in-Docker for containerized tools + "version": "latest", // Use latest stable version + "enableNonRootDocker": "true" // Enable non-root Docker for security + } + }, + + // Configure tool-specific properties for VS Code + "customizations": { + "vscode": { + // Specialized extensions for smart contract auditing and development + "extensions": [ + "NomicFoundation.hardhat-solidity", // Hardhat Solidity support + "tintinweb.solidity-visual-auditor", // Visual auditor for Solidity contracts + "tintinweb.solidity-metrics", // Code metrics and analysis + "trailofbits.weaudit", // Trail of Bits audit tools + "eamodio.gitlens", // Enhanced Git integration + "streetsidesoftware.code-spell-checker", // Code spelling and grammar + "ms-vscode.vscode-json", // JSON language support + "tintinweb.chonky" // File explorer enhancements + ], + // VS Code settings optimized for auditing workflows + "settings": { + "terminal.integrated.defaultProfile.linux": "bash", // Use bash for compatibility + "solidity-va.hover": true, // Enable Solidity hover information + "solidity-va.diagnostics": true // Enable Solidity diagnostics + } + } + }, + + // Use vscode user for security (non-root execution) + "remoteUser": "vscode", + + // Mount configuration for workspace access + // Bind mount from host for persistent development + "mounts": [ + "source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=cached" + ], + + // Workspace configuration - mounted from host + "workspaceFolder": "/workspace" +} \ No newline at end of file diff --git a/.devcontainer/hardened/Dockerfile b/.devcontainer/hardened/Dockerfile new file mode 100644 index 0000000..5278264 --- /dev/null +++ b/.devcontainer/hardened/Dockerfile @@ -0,0 +1,155 @@ +# syntax=docker/dockerfile:1.8 +# check=error=true +# +# HARDENED TRG DevContainer Dockerfile +# This Dockerfile creates a security-hardened development environment for Web3 security research +# with enhanced security features, capability dropping, and minimal attack surface. +# +# Key security features: +# - Multi-stage build for Echidna binary +# - Non-root user execution +# - Minimal package installation +# - Security-hardened toolchain +# - Reduced tool set for security focus + +## Multi-stage build for Echidna +# Pull latest prebuilt Echidna binary from Crytic's official image +# Echidna is a fuzzing tool for Ethereum smart contracts +FROM --platform=linux/amd64 ghcr.io/crytic/echidna/echidna:latest AS echidna + +# Base image: Latest Debian with VS Code DevContainer support +# This provides a stable, security-focused base for development +FROM mcr.microsoft.com/devcontainers/base:bookworm + +# Install essential system packages for development +# These are the minimal packages needed for Web3 development tools +RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ + bash-completion # Shell completion support \ + build-essential # Compilation tools (gcc, make, etc.) \ + curl # HTTP client for downloading tools \ + git # Version control system \ + jq # JSON processor for tool outputs \ + pkg-config # Package configuration helper \ + sudo # Privilege escalation (needed for some tools) \ + unzip # Archive extraction \ + vim # Text editor \ + wget # Alternative HTTP client \ + zsh # Advanced shell \ + && rm -rf /var/lib/apt/lists/* + + + +# Install Python development dependencies +# Required for Python-based security tools and package management +RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ + python3-pip # Python package installer \ + libpython3-dev # Python development headers \ + python3-dev # Python development tools \ + python3-venv # Python virtual environment support \ + && rm -rf /var/lib/apt/lists/* + +# Switch to vscode user for security (drop privileges) +# This ensures all subsequent operations run as non-root user +USER vscode +WORKDIR /home/vscode +ENV HOME=/home/vscode + +# Install uv +RUN curl -LsSf https://astral.sh/uv/install.sh | sh + +# Update PATH environment for tool access +# Configure paths for Python, Node.js, and other tools +ENV UV_LOCAL_BIN=$HOME/.cargo/bin +ENV USR_LOCAL_BIN=/usr/local/bin +ENV LOCAL_BIN=${HOME}/.local/bin +ENV PNPM_HOME=${HOME}/.local/share/pnpm +ENV PATH=${PATH}:${USR_LOCAL_BIN}:${LOCAL_BIN}:${PNPM_HOME}:${UV_LOCAL_BIN} + +# Install Python 3.12 with uv +RUN uv python install 3.12 + +# Set the default shell execution for subsequent RUN commands +# Use zsh for better shell features and compatibility +ENV SHELL=/usr/bin/zsh +SHELL ["/bin/zsh", "-ic"] + +# Install Rust programming language +# Required for various Web3 security tools and Foundry framework +RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y +ENV PATH="$HOME/.cargo/bin:$PATH" + +# Install Go programming language through asdf version manager +# asdf provides consistent version management across different tools +# Set asdf manager version for reproducibility +RUN git clone https://github.com/asdf-vm/asdf.git $HOME/.asdf --branch v0.15.0 && \ + echo '. $HOME/.asdf/asdf.sh' >> $HOME/.zshrc && \ + echo 'fpath=(${ASDF_DIR}/completions $fpath)' >> $HOME/.zshrc && \ + echo 'autoload -Uz compinit && compinit' >> $HOME/.zshrc && \ + . $HOME/.asdf/asdf.sh && \ + asdf plugin add golang && \ + asdf install golang latest && \ + asdf global golang latest + +# Switch to root user temporarily for Node.js installation +# Some tools require root access for system-wide installation +USER root + +# Install Node.js, npm, yarn, and pnpm through devcontainer features +# These are essential for JavaScript/TypeScript Web3 development +RUN curl -o- https://raw.githubusercontent.com/devcontainers/features/main/src/node/install.sh | bash +RUN chown -R vscode:vscode ${HOME}/.npm + +# Switch back to vscode user for security +USER vscode +ENV PNPM_HOME=${HOME}/.local/share/pnpm +ENV PATH=${PATH}:${PNPM_HOME} + +# Install Foundry framework for Ethereum development +# Foundry provides Forge (testing), Cast (interaction), and Anvil (local blockchain) +RUN curl -fsSL https://foundry.paradigm.xyz | zsh && \ + echo 'export PATH="$HOME/.foundry/bin:$PATH"' >> ~/.zshrc && \ + export PATH="$HOME/.foundry/bin:$PATH" && \ + ~/.foundry/bin/foundryup + +# Install Hardhat globally for Ethereum development framework +# Hardhat is a popular development environment for Ethereum +RUN pnpm install hardhat -g + +# Build and install Medusa fuzzing tool +# Medusa is a fuzzing tool for smart contracts, similar to Echidna +WORKDIR $HOME/medusa +RUN git clone https://github.com/crytic/medusa $HOME/medusa && \ + export LATEST_TAG="$(git describe --tags | sed 's/-[0-9]+-gw+$//')" && \ + git checkout "$LATEST_TAG" && \ + go build -trimpath -o=$HOME/.local/bin/medusa -ldflags="-s -w" && \ + chmod 755 $HOME/.local/bin/medusa + +# Return to home directory and clean up build artifacts +WORKDIR $HOME +RUN rm -rf medusa/ + +# Install Python-based security analysis tools (reduced set for security focus) +# These tools provide essential smart contract security analysis +# Focused on core tools: slither, mythril, crytic-compile, halmos, solc-select +RUN uv tool install slither-analyzer && \ + uv tool install crytic-compile && \ + uv tool install slither-lsp && \ + uv tool install mythril && \ + uv tool install halmos && \ + uv tool install solc-select && \ + solc-select install 0.4.26 0.5.17 0.6.12 0.7.6 0.8.10 latest && solc-select use latest + +# Copy Echidna binary from echidna stage to final image +# This provides the prebuilt Echidna tool without rebuilding +USER root +COPY --from=echidna /usr/local/bin/echidna /usr/local/bin/echidna +RUN chmod 755 /usr/local/bin/echidna + +# Final setup and verification +USER vscode +RUN echo 'Development environment ready!' && \ +echo 'Tools installed:' && \ + ls -la $HOME/.local/bin/ || true + +# Set working directory to workspace for development +WORKDIR /workspace \ No newline at end of file diff --git a/.devcontainer/hardened/devcontainer.json b/.devcontainer/hardened/devcontainer.json new file mode 100644 index 0000000..67d1b07 --- /dev/null +++ b/.devcontainer/hardened/devcontainer.json @@ -0,0 +1,95 @@ +{ + // For format details, see https://aka.ms/devcontainer.json. + // This is the HARDENED version of TRG's DevContainer - provides enhanced security + // with capability dropping, security options, and resource limits while maintaining + // network connectivity for development. + "name": "Hardened TRG's DevContainer", + + // Build configuration - uses the local Dockerfile in this directory + "build": { + "dockerfile": "Dockerfile" + }, + + // Use vscode user for security (non-root execution) + "remoteUser": "vscode", + + // Features to add to the dev container. More info: https://containers.dev/features. + // Git and GitHub CLI features for version control and GitHub integration + "features": { + "ghcr.io/devcontainers/features/git:1": {}, + "ghcr.io/devcontainers/features/github-cli:1": {} + }, + + // Container environment variables + "containerEnv": { + "SHELL": "/bin/zsh", // Use zsh as the default shell + "DEVCONTAINER_ID_LABEL": "hardened-web3-devcontainer" // Label for container identification + }, + + // Configure tool-specific properties for VS Code + "customizations": { + "vscode": { + // Web3 security and development extensions + "extensions": [ + "tintinweb.ethereum-security-bundle", // Comprehensive Ethereum security tools + "tintinweb.vscode-ethover", // Ethereum hover information + "trailofbits.weaudit", // Trail of Bits audit tools + "tintinweb.vscode-inline-bookmarks", // Inline code bookmarks + "tintinweb.vscode-solidity-language", // Solidity language support + "tintinweb.graphviz-interactive-preview", // Graph visualization + "trailofbits.contract-explorer", // Smart contract exploration + "tintinweb.vscode-decompiler" // Contract decompilation + ], + // VS Code settings for security and functionality + "settings": { + "terminal.integrated.defaultProfile.linux": "zsh", // Default terminal shell + "terminal.integrated.profiles.linux": { + "zsh": { + "path": "/bin/zsh" + } + }, + "task.autoDetect": "off", // Disable automatic task detection for security + "task.allowAutomaticTasks": "off", // Prevent automatic task execution + "security.workspace.trust.enabled": false, // Disable workspace trust by default + "telemetry.telemetryLevel": "off" // Disable telemetry collection + } + } + }, + + // Commands to run during container lifecycle + "initializeCommand": "echo 'Initializing hardened dev container...'", + "postStartCommand": "echo 'πŸš€ Dev container is ready for Web3 development!'", + + // Workspace configuration - mounted from host with caching + "workspaceFolder": "/workspace", + // Mount workspace from host with consistency caching for performance + "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=cached", + + // Docker run arguments for security hardening + "runArgs": [ + // Security hardening - drop all Linux capabilities + "--cap-drop=ALL", + + // Security options for container isolation + "--security-opt", + "no-new-privileges:true", // Prevent privilege escalation + "--security-opt", + "apparmor=docker-default", // Use Docker's default AppArmor profile + "--security-opt", + "seccomp=unconfined", // Disable seccomp for compatibility + + // DNS configuration for security and reliability + "--dns=1.1.1.1", // Use Cloudflare's secure DNS + "--dns=1.0.0.1", // Secondary DNS for redundancy + + // Temporary filesystem mounts with security restrictions + "--tmpfs", + "/tmp:rw,noexec,nosuid,size=512m", // Temporary directory with size limit + "--tmpfs", + "/var/tmp:rw,noexec,nosuid,size=512m", // System temp directory with size limit + + // Resource limits for container performance and security + "--memory=1024m", // Limit memory to 1GB + "--cpus=2" // Limit to 2 CPU cores + ] +} \ No newline at end of file diff --git a/.devcontainer/isolated/Dockerfile b/.devcontainer/isolated/Dockerfile new file mode 100644 index 0000000..cdf4868 --- /dev/null +++ b/.devcontainer/isolated/Dockerfile @@ -0,0 +1,151 @@ +# syntax=docker/dockerfile:1.8 +# check=error=true +# +# ISOLATED TRG DevContainer Dockerfile +# This Dockerfile creates a highly isolated development environment for Web3 security research +# with maximum security isolation, read-only filesystem, and network isolation. +# +# Key security features: +# - Non-root user execution +# - Minimal package installation +# - Security-hardened toolchain + +## Multi-stage build for Echidna +# Pull latest prebuilt Echidna binary from Crytic's official image +# Echidna is a fuzzing tool for Ethereum smart contracts +FROM --platform=linux/amd64 ghcr.io/crytic/echidna/echidna:latest AS echidna + +# Base image: Latest Debian with VS Code DevContainer support +# This provides a stable, security-focused base for development +FROM mcr.microsoft.com/vscode/devcontainers/base:debian + +# Install essential system packages for development +# These are the minimal packages needed for Web3 development tools +RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ + bash-completion # Shell completion support \ + build-essential # Compilation tools (gcc, make, etc.) \ + curl # HTTP client for downloading tools \ + git # Version control system \ + jq # JSON processor for tool outputs \ + pkg-config # Package configuration helper \ + sudo # Privilege escalation (needed for some tools) \ + unzip # Archive extraction \ + vim # Text editor \ + wget # Alternative HTTP client \ + zsh # Advanced shell \ + && rm -rf /var/lib/apt/lists/* + +# Install Python development dependencies +# Required for Python-based security tools and package management +RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ + python3-pip # Python package installer \ + libpython3-dev # Python development headers \ + python3-dev # Python development tools \ + python3-venv # Python virtual environment support \ + && rm -rf /var/lib/apt/lists/* + +# Switch to vscode user for security (drop privileges) +# This ensures all subsequent operations run as non-root user +USER vscode +WORKDIR /home/vscode +ENV HOME=/home/vscode + +# Install uv +RUN curl -LsSf https://astral.sh/uv/install.sh | sh + +# Update PATH environment for tool access +# Configure paths for Python, Node.js, and other tools +ENV UV_LOCAL_BIN=$HOME/.cargo/bin +ENV USR_LOCAL_BIN=/usr/local/bin +ENV LOCAL_BIN=${HOME}/.local/bin +ENV PNPM_HOME=${HOME}/.local/share/pnpm +ENV PATH=${PATH}:${USR_LOCAL_BIN}:${LOCAL_BIN}:${PNPM_HOME}:${UV_LOCAL_BIN} + +# Install Python 3.12 with uv +RUN uv python install 3.12 + +# Set the default shell execution for subsequent RUN commands +# Use zsh for better shell features and compatibility +ENV SHELL=/usr/bin/zsh +SHELL ["/bin/zsh", "-ic"] + +# Install Rust programming language +# Required for various Web3 security tools and Foundry framework +RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y +ENV PATH="$HOME/.cargo/bin:$PATH" + +# Install Go programming language through asdf version manager +# asdf provides consistent version management across different tools +# Set asdf manager version for reproducibility +RUN git clone https://github.com/asdf-vm/asdf.git $HOME/.asdf --branch v0.15.0 && \ + echo '. $HOME/.asdf/asdf.sh' >> $HOME/.zshrc && \ + echo 'fpath=(${ASDF_DIR}/completions $fpath)' >> $HOME/.zshrc && \ + echo 'autoload -Uz compinit && compinit' >> $HOME/.zshrc && \ + . $HOME/.asdf/asdf.sh && \ + asdf plugin add golang && \ + asdf install golang latest && \ + asdf global golang latest + +# Switch to root user temporarily for Node.js installation +# Some tools require root access for system-wide installation +USER root + +# Install Node.js, npm, yarn, and pnpm through devcontainer features +# These are essential for JavaScript/TypeScript Web3 development +RUN curl -o- https://raw.githubusercontent.com/devcontainers/features/main/src/node/install.sh | bash +RUN chown -R vscode:vscode ${HOME}/.npm + +# Switch back to vscode user for security +USER vscode +ENV PNPM_HOME=${HOME}/.local/share/pnpm +ENV PATH=${PATH}:${PNPM_HOME} + +# Install Python-based security analysis tools (reduced set for security focus) +# These tools provide essential smart contract security analysis +# Focused on core tools: slither, mythril, crytic-compile, halmos, solc-select +RUN uv tool install slither-analyzer && \ + uv tool install crytic-compile && \ + uv tool install slither-lsp && \ + uv tool install mythril && \ + uv tool install halmos && \ + uv tool install solc-select && \ + solc-select install 0.4.26 0.5.17 0.6.12 0.7.6 0.8.10 latest && solc-select use latest + +# Install Foundry framework for Ethereum development +# Foundry provides Forge (testing), Cast (interaction), and Anvil (local blockchain) +RUN curl -fsSL https://foundry.paradigm.xyz | zsh && \ + echo 'export PATH="$HOME/.foundry/bin:$PATH"' >> ~/.zshrc && \ + export PATH="$HOME/.foundry/bin:$PATH" && \ + ~/.foundry/bin/foundryup + +# Install Hardhat globally for Ethereum development framework +# Hardhat is a popular development environment for Ethereum +RUN pnpm install hardhat -g + +# Build and install Medusa fuzzing tool +# Medusa is a fuzzing tool for smart contracts, similar to Echidna +WORKDIR $HOME/medusa +RUN git clone https://github.com/crytic/medusa $HOME/medusa && \ + export LATEST_TAG="$(git describe --tags | sed 's/-[0-9]+-gw+$//')" && \ + git checkout "$LATEST_TAG" && \ + go build -trimpath -o=$HOME/.local/bin/medusa -ldflags="-s -w" && \ + chmod 755 $HOME/.local/bin/medusa + +# Return to home directory and clean up build artifacts +WORKDIR $HOME +RUN rm -rf medusa/ + +# Copy Echidna binary from echidna stage to final image +# This provides the prebuilt Echidna tool without rebuilding +USER root +COPY --from=echidna /usr/local/bin/echidna /usr/local/bin/echidna +RUN chmod 755 /usr/local/bin/echidna + +# Final setup and verification +USER vscode +RUN echo 'Development environment ready!' && \ +echo 'Tools installed:' && \ + ls -la $HOME/.local/bin/ || true + +# Set working directory to workspace for development +WORKDIR /workspace \ No newline at end of file diff --git a/.devcontainer/isolated/devcontainer.json b/.devcontainer/isolated/devcontainer.json new file mode 100644 index 0000000..220be9d --- /dev/null +++ b/.devcontainer/isolated/devcontainer.json @@ -0,0 +1,117 @@ +{ + // For format details, see https://aka.ms/devcontainer.json. + // This is the ISOLATED version of TRG's DevContainer - provides maximum security isolation + // with a read-only filesystem and network isolation for high-security Web3 development. + "name": "Isolated TRG's DevContainer", + + // Build configuration - uses the local Dockerfile in this directory + "build": { + "dockerfile": "Dockerfile" + }, + + // Use vscode user for security (non-root execution) + "remoteUser": "vscode", + + // Features to add to the dev container. More info: https://containers.dev/features. + // Git and GitHub CLI features for version control and GitHub integration + "features": { + "ghcr.io/devcontainers/features/git:1": {}, + "ghcr.io/devcontainers/features/github-cli:1": {} + }, + + // Container environment variables + "containerEnv": { + "SHELL": "/bin/zsh", // Use zsh as the default shell + "DEVCONTAINER_ID_LABEL": "isolated-web3-devcontainer" // Label for container identification + }, + + // Configure tool-specific properties for VS Code + "customizations": { + "vscode": { + // Web3 security and development extensions + "extensions": [ + "tintinweb.ethereum-security-bundle", // Comprehensive Ethereum security tools + "tintinweb.vscode-ethover", // Ethereum hover information + "trailofbits.weaudit", // Trail of Bits audit tools + "tintinweb.vscode-inline-bookmarks", // Inline code bookmarks + "tintinweb.vscode-solidity-language", // Solidity language support + "tintinweb.graphviz-interactive-preview", // Graph visualization + "trailofbits.contract-explorer", // Smart contract exploration + "tintinweb.vscode-decompiler" // Contract decompilation + ], + // VS Code settings for security and functionality + "settings": { + "terminal.integrated.defaultProfile.linux": "zsh", // Default terminal shell + "terminal.integrated.profiles.linux": { + "zsh": { + "path": "/bin/zsh" + } + }, + "task.autoDetect": "off", // Disable automatic task detection for security + "task.allowAutomaticTasks": "off", // Prevent automatic task execution + "security.workspace.trust.enabled": false, // Disable workspace trust by default + "telemetry.telemetryLevel": "off" // Disable telemetry collection + } + } + }, + + // Commands to run during container lifecycle + "initializeCommand": "echo 'Initializing isolated dev container...'", + "postStartCommand": "echo 'πŸš€ Dev container is ready for Web3 development!'", + + // Workspace configuration - isolated within container + "workspaceFolder": "/workspace", + // Mount workspace as tmpfs for complete isolation - no host file access + "workspaceMount": "type=tmpfs,destination=/workspace,tmpfs-mode=1777", + + // Docker run arguments for security and isolation + "runArgs": [ + // Security hardening - drop all Linux capabilities + "--cap-drop=ALL", + + // Read-only filesystem for maximum security + "--read-only", + + // Security options for container isolation + "--security-opt", + "no-new-privileges:true", // Prevent privilege escalation + "--security-opt", + "apparmor=docker-default", // Use Docker's default AppArmor profile + "--security-opt", + "seccomp=unconfined", // Disable seccomp for compatibility + + // Network isolation - completely disconnect from internet + "--network=none", + + // Essential writable tmpfs mounts for VS Code functionality + // These are required for VS Code Server to work properly + "--tmpfs", + "/home/vscode/.vscode-server:rw,noexec,nosuid,size=512m,uid=1000,gid=1000", + "--tmpfs", + "/home/vscode/.vscode-server-insiders:rw,noexec,nosuid,size=256m,uid=1000,gid=1000", + "--tmpfs", + "/home/vscode/.cache:rw,noexec,nosuid,size=256m,uid=1000,gid=1000", + "--tmpfs", + "/home/vscode/.config:rw,noexec,nosuid,size=128m,uid=1000,gid=1000", + "--tmpfs", + "/home/vscode/.local:rw,noexec,nosuid,size=256m,uid=1000,gid=1000", + + // System temporary directories with size limits + "--tmpfs", + "/tmp:rw,noexec,nosuid,size=512m", + "--tmpfs", + "/var/tmp:rw,noexec,nosuid,size=512m", + "--tmpfs", + "/var/log:rw,noexec,nosuid,size=128m", + "--tmpfs", + "/run:rw,noexec,nosuid,size=128m", + + // Git configuration storage + "--tmpfs", + "/home/vscode/.gitconfig:rw,noexec,nosuid,size=1m,uid=1000,gid=1000", + + // Resource limits for container performance + "--memory=1g", // Limit memory to 1GB + "--cpus=2" // Limit to 2 CPU cores + ] +} \ No newline at end of file diff --git a/Dockerfile b/.devcontainer/legacy/Dockerfile similarity index 95% rename from Dockerfile rename to .devcontainer/legacy/Dockerfile index 63a7aed..a15aa4a 100644 --- a/Dockerfile +++ b/.devcontainer/legacy/Dockerfile @@ -6,20 +6,15 @@ # TODO: "Ensure the base image uses a non latest version tag" FROM --platform=linux/amd64 ghcr.io/crytic/echidna/echidna:latest AS echidna -# Grab at least python 3.12 -FROM python:3.12-slim as python-base - # Base debian build (latest). FROM mcr.microsoft.com/vscode/devcontainers/base:debian # Switch to root (the default might be root anyway) USER root -COPY --from=python-base /usr/local /usr/local - # Super basic stuff to get everything started RUN apt-get update -y && apt-get install -y \ - zsh python3-dev libpython3-dev build-essential vim curl git sudo pkg-config \ + zsh python3-pip python3-venv python3-dev libpython3-dev build-essential vim curl git sudo pkg-config \ --no-install-recommends # The base container usually has a β€œvscode” user. If not, create one here. @@ -39,6 +34,9 @@ ENV LOCAL_BIN=${HOME}/.local/bin ENV PNPM_HOME=${HOME}/.local/share/pnpm ENV PATH=${PATH}:${USR_LOCAL_BIN}:${LOCAL_BIN}:${PNPM_HOME} +# Configure pip to allow system packages in container environment +ENV PIP_BREAK_SYSTEM_PACKAGES=1 + # Install uv RUN python3 -m pip install --no-cache-dir --upgrade uv @@ -164,4 +162,4 @@ USER vscode # Example HEALTHCHECK, we don't need once since we're not using services. If you add services in the future, you would need to add "something" like this: HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 CMD \ - zsh -c 'command -v echidna && command -v medusa && command -v slither && command -v solc && echo "OK" || exit 1' + zsh -c 'command -v echidna && command -v medusa && command -v slither && command -v solc && echo "OK" || exit 1' \ No newline at end of file diff --git a/.devcontainer/devcontainer.json b/.devcontainer/legacy/devcontainer.json similarity index 98% rename from .devcontainer/devcontainer.json rename to .devcontainer/legacy/devcontainer.json index 7958b54..bece536 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/legacy/devcontainer.json @@ -1,13 +1,13 @@ { // For format details, see https://aka.ms/devcontainer.json. - "name": "TRG's DevContainer", + "name": "Legacy TRG's DevContainer", // You can use image or directly use a Dockerfile or Docker Compose file. // More info: https://containers.dev/guide/dockerfile // https://github.com/devcontainers/images/tree/main/src/base-alpine // "image": "mcr.microsoft.com/devcontainers/base:debian", "build": { - "dockerfile": "../Dockerfile" + "dockerfile": "./Dockerfile" }, // In this case this is redundant, because we are using the default user. @@ -97,4 +97,4 @@ // "postCreateCommand": "" // Use 'postAttachCommand' to attach a command after the container is opened. // "postAttachCommand": "zsh" -} +} \ No newline at end of file diff --git a/motd b/.devcontainer/legacy/motd similarity index 100% rename from motd rename to .devcontainer/legacy/motd diff --git a/.devcontainer/minimal/Dockerfile b/.devcontainer/minimal/Dockerfile new file mode 100644 index 0000000..3283d23 --- /dev/null +++ b/.devcontainer/minimal/Dockerfile @@ -0,0 +1,153 @@ +# syntax=docker/dockerfile:1.8 +# check=error=true +# +# MINIMAL TRG DevContainer Dockerfile +# This Dockerfile creates a minimal development environment for Web3 development +# with essential tools, basic security features, and a streamlined toolchain. +# +# Key features: +# - Multi-stage build for Echidna binary +# - Essential development tools only +# - Basic security hardening +# - Minimal attack surface +# - Focused on core Web3 development needs + +## Multi-stage build for Echidna +# Pull latest prebuilt Echidna binary from Crytic's official image +# TODO: "Ensure the base image uses a non latest version tag" +# Echidna is a fuzzing tool for Ethereum smart contracts +FROM --platform=linux/amd64 ghcr.io/crytic/echidna/echidna:latest AS echidna + +# Base debian build (latest). +# Use Debian base image for stability and compatibility +FROM mcr.microsoft.com/vscode/devcontainers/base:debian + +# Switch to root (the default might be root anyway) +# Root access is needed for system package installation +USER root + +# Install essential system packages for development +# These are the minimal packages needed for Web3 development tools +RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ + bash-completion # Shell completion support \ + build-essential # Compilation tools (gcc, make, etc.) \ + curl # HTTP client for downloading tools \ + git # Version control system \ + jq # JSON processor for tool outputs \ + pkg-config # Package configuration helper \ + sudo # Privilege escalation (needed for some tools) \ + unzip # Archive extraction \ + vim # Text editor \ + wget # Alternative HTTP client \ + zsh # Advanced shell \ + && rm -rf /var/lib/apt/lists/* + + + +# Install Python development dependencies +# Required for Python-based security tools and package management +RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ + python3-pip # Python package installer \ + libpython3-dev # Python development headers \ + python3-dev # Python development tools \ + python3-venv # Python virtual environment support \ + && rm -rf /var/lib/apt/lists/* + +# Switch to vscode user for security (drop privileges) +# This ensures all subsequent operations run as non-root user +USER vscode +WORKDIR /home/vscode +ENV HOME=/home/vscode + +# Install uv +RUN curl -LsSf https://astral.sh/uv/install.sh | sh + +# Update PATH environment for tool access +# Configure paths for Python, Node.js, and other tools +ENV UV_LOCAL_BIN=$HOME/.cargo/bin +ENV USR_LOCAL_BIN=/usr/local/bin +ENV LOCAL_BIN=${HOME}/.local/bin +ENV PNPM_HOME=${HOME}/.local/share/pnpm +ENV PATH=${PATH}:${USR_LOCAL_BIN}:${LOCAL_BIN}:${PNPM_HOME}:${UV_LOCAL_BIN} + +# Install Python 3.12 with uv +RUN uv python install 3.12 + +# Set the default shell to zsh +# zsh provides better shell features and development experience +ENV SHELL=/usr/bin/zsh + +# Running everything under zsh for consistency and features +SHELL ["/usr/bin/zsh", "-ic"] + +# Install Go programming language through asdf version manager +# asdf provides consistent version management across different tools +# Go is required for various Web3 tools and Foundry framework +RUN git clone https://github.com/asdf-vm/asdf.git $HOME/.asdf --branch v0.15.0 && \ + echo '. $HOME/.asdf/asdf.sh' >> $HOME/.zshrc && \ + echo 'fpath=(${ASDF_DIR}/completions $fpath)' >> $HOME/.zshrc && \ + echo 'autoload -Uz compinit && compinit' >> $HOME/.zshrc && \ + . $HOME/.asdf/asdf.sh && \ + asdf plugin add golang && \ + asdf install golang latest && \ + asdf global golang latest + +# Install Rust programming language +# Required for various Web3 security tools and Foundry framework +RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y && source $HOME/.cargo/env + +# Switch to root user temporarily for Node.js installation +# Some tools require root access for system-wide installation +USER root + +# Install Node.js, npm, yarn, and pnpm through devcontainer features +# These are essential for JavaScript/TypeScript Web3 development +RUN curl -o- https://raw.githubusercontent.com/devcontainers/features/main/src/node/install.sh | bash + +# Switch back to vscode user for security +USER vscode + +# Install Hardhat globally for Ethereum development framework +# Hardhat is a popular development environment for Ethereum +RUN pnpm install hardhat -g + +# Python installations - minimal set for essential development +# Install only the core tools needed for basic Web3 development +# Install vyper and solc-select for smart contract development +RUN uv tool install vyper && \ + uv tool install solc-select && \ + solc-select install 0.8.10 latest && \ + solc-select use latest + +# Install Foundry framework for Ethereum development +# Foundry provides Forge (testing), Cast (interaction), and Anvil (local blockchain) +## Foundry framework +RUN curl -fsSL https://foundry.paradigm.xyz | zsh +RUN foundryup + +# Switch to root user for system-level operations +# Do some things as root for system configuration +USER root + +# Add shell completions for Foundry tools +# This provides better user experience with tab completion +## Add completions for medusa, anvil, cast, forge. +RUN mkdir -p /usr/share/zsh/site-functions && \ + for tool in anvil cast forge; do \ + "$tool" completions zsh > /usr/share/zsh/site-functions/_$tool; \ + done + +# Clean up package cache and temporary files +# This reduces image size and improves security +## Clean +RUN apt-get autoremove -y && apt-get clean -y + +# Switch back to vscode user for development +## back to user! +USER vscode + +# Health check for container monitoring +# Example HEALTHCHECK, we don't need once since we're not using services. +# If you add services in the future, you would need to add "something" like this: +HEALTHCHECK --interval=60s --timeout=10s --start-period=10s --retries=3 CMD \ + zsh -c 'command -v forge && command -v solc && echo "OK" || exit 1' \ No newline at end of file diff --git a/.devcontainer/minimal/devcontainer.json b/.devcontainer/minimal/devcontainer.json new file mode 100644 index 0000000..d84d413 --- /dev/null +++ b/.devcontainer/minimal/devcontainer.json @@ -0,0 +1,121 @@ +{ + // For format details, see https://aka.ms/devcontainer.json. + // This is the MINIMAL version of TRG's DevContainer - provides essential security isolation + // with a balanced approach between security and usability for Web3 development. + "name": "Minimal TRG's DevContainer", + + // You can use image or directly use a Dockerfile or Docker Compose file. + // More info: https://containers.dev/guide/dockerfile + // https://github.com/devcontainers/images/tree/main/src/base-alpine + // "image": "mcr.microsoft.com/devcontainers/base:debian", + "build": { + "dockerfile": "./Dockerfile" + }, + + // In this case this is redundant, because we are using the default user. + // The vscode user is the default in VS Code DevContainers + //"remoteUser": "vscode", + + // Features to add to the dev container. More info: https://containers.dev/features. + // Currently no additional features are enabled for minimal configuration + "features": { + // "ghcr.io/devcontainers/features/docker-in-docker:2": { + // "version": "latest", + // "moby": true + // } + }, + + // Mount isolation configuration for security and development workflow + // If you need to extract something from within the container, you can use docker cp, but use it at your own risk. + // If you want to develop your devcontainer, you should comment this things, otherwise your changes inside the live container won't persist. + // Disables mounting the host workspace into the container for isolation. + "workspaceMount": "type=tmpfs,destination=/workspace", + // Sets a workspace path entirely isolated within the container + "workspaceFolder": "/workspace", + + // Docker run arguments for security hardening and resource management + "runArgs": [ + // Read only filesystem except for explicitly writable volumes (check mounts) + // For a dev environment this is more a hussle than a feature. + // "--read-only", + + // Temporary filesystem mounts with security restrictions + // These provide isolated, size-limited temporary storage + "--tmpfs=/tmp:rw,noexec,nosuid,size=512m", // Main temporary directory + "--tmpfs=/var/tmp:rw,noexec,nosuid,size=512m", // System temporary directory + "--tmpfs=/dev/shm:rw,noexec,nosuid,size=64m", // Shared memory directory + + // Security hardening - drop all Linux capabilities + // This reduces the attack surface by removing unnecessary privileges + "--cap-drop=ALL", + + // Security options for container isolation + // A few security additions (AppArmor & no new privileges) + "--security-opt", "no-new-privileges", // Prevent privilege escalation + "--security-opt", "apparmor:docker-default", // Use Docker's default AppArmor profile + + // Use seccomp's default security profile + // seccomp provides system call filtering for additional security + // "--security-opt", "seccomp=default", + + // Network security configuration + // If you really want to isolate it, just disconnect it from the internet. + // You should COPY your working files inside before, otherwise you'll have to mount them manually. + // "--network=none", + + // IPv6 security - disable IPv6 to reduce attack surface + "--sysctl=net.ipv6.conf.all.disable_ipv6=1", // Disable IPv6 globally + "--sysctl=net.ipv6.conf.default.disable_ipv6=1", // Disable IPv6 by default + + // Network capability restrictions + "--cap-drop=NET_RAW", // Disable raw packet access + "--network=bridge", // Use bridge networking + + // DNS configuration for security and reliability + "--dns=1.1.1.1", // Primary DNS (Cloudflare) + "--dns=1.0.0.1", // Secondary DNS (Cloudflare) + + // Resource limits for container performance and security + // Play a little bit with resources to prevent resource exhaustion + // "--memory=512m", // Memory limit (commented out) + // "--cpus=2" // CPU limit (commented out) + ], + + // Writable mounts in case you want to set --read-only above. + // Currently no additional mounts are configured + "mounts": [ + ], + + + // Configure tool-specific properties for VS Code + "customizations": { + // Configure properties specific to VS Code. + "vscode": { + "settings": { + // Security settings - killswitch for automated tasks + "task.autoDetect": "off", // Disable automatic task detection + "task.problemMatchers.autoDetect": "off", // Disable automatic problem matchers + + // Trust and security configuration + "security.workspace.trust.enabled": false, // Trust no one by default + + // Privacy settings - killswitch for telemetry + "telemetry.telemetryLevel": "off", // Disable all telemetry collection + + // Terminal configuration + "terminal.integrated.defaultProfile.linux": "zsh", // Use zsh by default + "terminal.integrated.profiles.linux": { "zsh": { "path": "/usr/bin/zsh" } } + // Using bash might be more safe and stable, but zsh provides better features + }, + "extensions": [ + // Minimal set of essential extensions for Web3 development + "NomicFoundation.hardhat-solidity", // Hardhat Solidity support + "tintinweb.solidity-visual-auditor" // Solidity visual auditor + ] + } + } + // Use 'postCreateCommand' to run commands after the container is created. + // "postCreateCommand": "" + // Use 'postAttachCommand' to attach a command after the container is opened. + // "postAttachCommand": "zsh" + } \ No newline at end of file diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 0000000..88d4919 --- /dev/null +++ b/.github/workflows/main.yml @@ -0,0 +1,135 @@ +name: Prebuilt Dev Containers - Build & Smoke Test + +on: + push: + branches: [ main, develop ] + paths: + - '.devcontainer/**' + - '.github/workflows/main.yml' + pull_request: + paths: + - '.devcontainer/**' + - '.github/workflows/main.yml' + workflow_dispatch: + +jobs: + build-and-test: + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + subFolder: + - .devcontainer/auditor + - .devcontainer/minimal + - .devcontainer/legacy + - .devcontainer/hardened + - .devcontainer/isolated + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: Determine if this devcontainer changed + id: changed + run: | + set -e + FOLDER="${{ matrix.subFolder }}" + if [ "${{ github.event_name }}" = "pull_request" ]; then + git fetch origin "${{ github.base_ref }}" --depth=1 + BASE=$(git merge-base FETCH_HEAD HEAD) + if git diff --name-only "$BASE" HEAD -- "$FOLDER/" | grep .; then + echo "changed=true" >> $GITHUB_OUTPUT + else + echo "changed=false" >> $GITHUB_OUTPUT + fi + else + BEFORE="${{ github.event.before }}" + if [ -n "$BEFORE" ]; then + if git diff --name-only "$BEFORE" "${{ github.sha }}" -- "$FOLDER/" | grep .; then + echo "changed=true" >> $GITHUB_OUTPUT + else + echo "changed=false" >> $GITHUB_OUTPUT + fi + else + # Fallback: if we cannot determine before SHA, run the test + echo "changed=true" >> $GITHUB_OUTPUT + fi + fi + + - name: No changes in this devcontainer β€” skipping + if: steps.changed.outputs.changed != 'true' + run: echo "No changes detected in ${{ matrix.subFolder }}; skipping build." + + - name: Check devcontainer config exists + id: check + if: steps.changed.outputs.changed == 'true' + run: | + if [ -f "${{ matrix.subFolder }}/devcontainer.json" ]; then + echo "exists=true" >> $GITHUB_OUTPUT + else + echo "exists=false" >> $GITHUB_OUTPUT + echo "Skipping: ${{ matrix.subFolder }}/devcontainer.json does not exist." + fi + + - name: Build and run devcontainer + if: steps.check.outputs.exists == 'true' && steps.changed.outputs.changed == 'true' + uses: devcontainers/ci@v0.3 + with: + subFolder: ${{ matrix.subFolder }} + configFile: ${{ matrix.subFolder }}/devcontainer.json + + runCmd: echo "Devcontainer OK in ${{ matrix.subFolder }}" && uname -a + push: never + + - name: Test Minimal Tools + if: success() && steps.check.outputs.exists == 'true' && steps.changed.outputs.changed == 'true' + uses: devcontainers/ci@v0.3 + with: + subFolder: ${{ matrix.subFolder }} + configFile: ${{ matrix.subFolder }}/devcontainer.json + + runCmd: | + echo "πŸ§ͺ Testing Foundry installation and functionality..." + foundryup --version || echo "❌ Foundry not found" + forge --version || echo "❌ Forge not found" + cast --version || echo "❌ Cast not found" + anvil --version || echo "❌ Anvil not found" + echo "βœ… Foundry tools verification completed" + push: never + + - name: Test Auditor Tools + if: success() && steps.check.outputs.exists == 'true' && steps.changed.outputs.changed == 'true' && contains(fromJSON('[".devcontainer/auditor", ".devcontainer/hardened", ".devcontainer/isolated"]'), matrix.subFolder) + uses: devcontainers/ci@v0.3 + with: + subFolder: ${{ matrix.subFolder }} + configFile: ${{ matrix.subFolder }}/devcontainer.json + + runCmd: | + echo "πŸ§ͺ Testing Auditor tools..." + slither --version || echo "❌ Slither not found" + myth --version || echo "❌ Mythril not found" + echidna --version || echo "❌ Echidna not found" + echo "βœ… Auditor tools verification completed" + push: never + + - name: Test Isolation + if: success() && steps.check.outputs.exists == 'true' && steps.changed.outputs.changed == 'true' && matrix.subFolder == '.devcontainer/isolated' + uses: devcontainers/ci@v0.3 + with: + subFolder: ${{ matrix.subFolder }} + configFile: ${{ matrix.subFolder }}/devcontainer.json + + runCmd: | + echo "πŸ§ͺ Testing Isolation..." + if (touch /test.txt); then echo "❌ Filesystem is not read-only"; exit 1; else echo "βœ… Filesystem is read-only"; fi + if (curl -sS https://www.google.com); then echo "❌ Network is not isolated"; exit 1; else echo "βœ… Network is isolated"; fi + echo "βœ… Isolation verification completed" + push: never + + - name: Purge Docker cache and resources (on success) + if: success() && steps.check.outputs.exists == 'true' && steps.changed.outputs.changed == 'true' + run: | + echo "Pruning Docker resources to free memory and disk..." + docker system prune -af --volumes || true + docker builder prune -af || true + docker system df || true \ No newline at end of file diff --git a/README.md b/README.md index 3a9518c..b6e40e8 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,69 @@ install the most popular tools, so they can all work seamlessly, and at the same by default. If you want to know more, and really want to take advante of this devcontainer read below. -There's also a minimized version under the `minimal` branch. +## Available Devcontainer Variants + +We now offer multiple devcontainer configurations to suit different security and development needs: + +### **Isolated** (`.devcontainer/isolated/`) +**Best for**: Maximum security isolation, air-gapped environments +- **Focus**: Complete isolation with read-only filesystem and network isolation +- **Includes**: All security tools, fuzzing tools (Echidna, Medusa), static analysis +- **Security**: Read-only filesystem, network isolation, capability dropping, tmpfs mounts +- **Extensions**: Comprehensive Ethereum security bundle, audit tools, decompilers +- **Use case**: High-security research and isolated analysis + +### **Hardened** (`.devcontainer/hardened/`) +**Best for**: Enhanced security with development flexibility +- **Focus**: Security hardening with maintained network connectivity +- **Includes**: Core security tools, Foundry, Hardhat, reduced tool set for security focus +- **Security**: Capability dropping, security options, resource limits, DNS hardening +- **Extensions**: Essential security extensions, development tools +- **Use case**: Secure development, security-focused research, balanced security/functionality + +### **Auditor** (`.devcontainer/auditor/`) +**Best for**: Smart contract auditors and security researchers +- **Focus**: Specialized audit tooling and Docker-in-Docker support +- **Includes**: Slither, Mythril, Crytic-compile, Foundry, Hardhat, Echidna +- **Features**: Docker-in-Docker, specialized audit extensions, focused toolchain +- **Extensions**: Solidity visual auditor, metrics, audit tools, GitLens +- **Use case**: Comprehensive smart contract audits, security analysis, research workflows + +### **Minimal** (`.devcontainer/minimal/`) +**Best for**: Essential development with basic security +- **Focus**: Core tools only, streamlined development environment +- **Includes**: Foundry, Hardhat, basic Solidity support, essential Python tools +- **Security**: Basic hardening, capability dropping, IPv6 disabled +- **Extensions**: Core development extensions only +- **Use case**: Quick prototyping, learning, basic development, resource-constrained environments + +### **Legacy** (`.devcontainer/legacy/`) +**Best for**: Complete toolchain with all features (original experience) +- **Focus**: Full-featured development environment with comprehensive security tools +- **Includes**: Complete tool suite, all security tools, fuzzing tools, analysis tools +- **Security**: Comprehensive hardening, isolation features, security options +- **Extensions**: Full extension suite, all security and development tools +- **Use case**: Comprehensive development, learning, full-stack projects, research + +## Project Structure + +The project supports multiple devcontainer configurations for different use cases: + +``` +.devcontainer/ +β”œβ”€β”€ isolated/ # Maximum security isolation +β”œβ”€β”€ hardened/ # Enhanced security with flexibility +β”œβ”€β”€ auditor/ # Specialized audit environment +β”œβ”€β”€ minimal/ # Essential tools only +└── legacy/ # Complete toolchain (original) +``` + +## Quick Start + +1. **Choose your variant** based on your needs (see above) +2. **Navigate to the variant directory**: `cd .devcontainer/[variant-name]` +3. **Open in VS Code**: `code .` +4. **Reopen in Container**: Select the appropriate devcontainer when prompted ## Requirements @@ -19,15 +81,19 @@ There's also a minimized version under the `minimal` branch. ## Kick-off -1. Start the docker service, and make sure your user is in the `docker` group. Otherwise, add +1. **Start the docker service**, and make sure your user is in the `docker` group. Otherwise, add yourself to it but you'll have to log in back again. -2. Clone this repo, if you want a minimal version checkout `minimal`. -3. Open the folder with **vscode** how you like. Running `code .` works well. -4. Select **Reopen in Container** and wait. This will build the container volume. -5. If this is your first time, you'll be prompted to press enter on a console log that triggers the -terminal. -6. If not you can go to the extensions section on your side, click the **Remote Explorer** tab and -select the active devcontainer. +2. **Clone this repo** and navigate to your preferred devcontainer variant: + ```bash + git clone + cd .devcontainer/[auditor|minimal|legacy-theredguild|legacy-minimal] + ``` +3. **Open the variant folder with VS Code**: Running `code .` works well. +4. **Select "Reopen in Container"** and wait. This will build the container volume. +5. **First time setup**: If this is your first time, you'll be prompted to press enter on a console log that triggers the terminal. +6. **Subsequent uses**: Go to the extensions section, click the **Remote Explorer** tab and select the active devcontainer. + +> **Pro Tip**: Each variant has its own configuration, so you can switch between them by opening different variant folders in VS Code. ## Usage @@ -40,6 +106,8 @@ can access several features: ## Features Overview +> **Note**: The features listed below are primarily for the **Legacy The Red Guild** variant. Each variant has its own tailored set of features. Check the specific variant's configuration for details. + ### Extensions - JuanBlanco.solidity @@ -268,6 +336,28 @@ Currently semgrep supports [Solidity](https://semgrep.dev/docs/language-support/ $ semgrep --config p/smart-contracts path/to/your/project ``` +## Contributing + +### Adding New Variants + +To add a new devcontainer variant: + +1. **Create a new directory** in `.devcontainer/` +2. **Add your configuration files**: + - `Dockerfile` (if custom build needed) + - `devcontainer.json` (required) + - Any additional configuration files +3. **Update the CI workflow** in `.github/workflows/main.yml` to include your variant +4. **Test locally** before submitting a PR +5. **Update this README** to document your new variant + +### Structure Guidelines + +- **Naming**: Use descriptive, lowercase names (e.g., `auditor`, `minimal`) +- **Configuration**: Keep variants focused on specific use cases +- **Documentation**: Document what each variant is best for +- **Testing**: Ensure your variant passes CI/CD checks + ## How to audit your Dockerfile ```bash @@ -310,14 +400,12 @@ asdf plugin list all ``` Golang: `asdf plugin add golang` -Python: `asdf plugin add python` Node.js: `asdf plugin add nodejs` #### You can list and install specific versions ```bash asdf install golang 1.20.5 -asdf install python 3.11.5 asdf install nodejs 18.15.0 ``` @@ -325,16 +413,88 @@ asdf install nodejs 18.15.0 ```bash asdf global golang 1.20.5 -asdf global python 3.11.5 ``` #### Make a version be used locally ```bash asdf local golang 1.19.2 -asdf local python 3.10.4 ``` +### Introduction to `uv` + +`uv` is a fast Python package installer and resolver, written in Rust. It's designed to be a drop-in replacement for pip, pip-tools, and virtualenv, offering significantly faster performance and better dependency resolution. It's especially useful for Python projects requiring fast package management and reliable dependency resolution. + +#### Install Python versions + +Install and manage multiple Python versions: + +```bash +# Install a specific Python version +uv python install 3.11.5 +uv python install 3.12.0 + +# List installed Python versions +uv python list + +# Use a specific Python version +uv python use 3.11.5 +``` + +#### Create and manage virtual environments + +```bash +# Create a new virtual environment +uv venv + +# Create a virtual environment with a specific Python version +uv venv --python 3.11.5 + +# Activate the virtual environment +source .venv/bin/activate # On Unix/macOS +# or +.venv\Scripts\activate # On Windows +``` + +#### Install packages + +```bash +# Install a single package +uv add requests + +# Install packages with specific versions +uv add "fastapi>=0.100.0" "uvicorn[standard]" + +# Install development dependencies +uv add --dev pytest black flake8 + +# Install from requirements.txt +uv pip install -r requirements.txt + +# Install tools globally (similar to pipx) +uv tool install black +uv tool install flake8 +uv tool install mypy +``` + +#### Project management + +```bash +# Initialize a new Python project +uv init my-project +cd my-project + +# Add dependencies to pyproject.toml +uv add requests fastapi + +# Install all project dependencies +uv sync + +# Generate requirements.txt +uv export --format requirements-txt > requirements.txt +``` + + ### Install different node versions with nvm ```bash From bc39684723e5ca5de51741ba7828fd2f8adf58c0 Mon Sep 17 00:00:00 2001 From: d4rm5 Date: Tue, 26 Aug 2025 11:31:28 -0300 Subject: [PATCH 2/4] ci/cd: removed legacy from workflow --- .github/workflows/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 88d4919..22d8e99 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -21,7 +21,6 @@ jobs: subFolder: - .devcontainer/auditor - .devcontainer/minimal - - .devcontainer/legacy - .devcontainer/hardened - .devcontainer/isolated steps: From 9bad8a00476ab7bd297d3a818bc9c9cf078ec572 Mon Sep 17 00:00:00 2001 From: d4rm5 Date: Tue, 26 Aug 2025 11:48:41 -0300 Subject: [PATCH 3/4] (devcontainer): enabled default seccomp @ isolated and hardened --- .devcontainer/hardened/devcontainer.json | 2 -- .devcontainer/isolated/devcontainer.json | 2 -- 2 files changed, 4 deletions(-) diff --git a/.devcontainer/hardened/devcontainer.json b/.devcontainer/hardened/devcontainer.json index 67d1b07..90a68bc 100644 --- a/.devcontainer/hardened/devcontainer.json +++ b/.devcontainer/hardened/devcontainer.json @@ -75,8 +75,6 @@ "no-new-privileges:true", // Prevent privilege escalation "--security-opt", "apparmor=docker-default", // Use Docker's default AppArmor profile - "--security-opt", - "seccomp=unconfined", // Disable seccomp for compatibility // DNS configuration for security and reliability "--dns=1.1.1.1", // Use Cloudflare's secure DNS diff --git a/.devcontainer/isolated/devcontainer.json b/.devcontainer/isolated/devcontainer.json index 220be9d..47644c7 100644 --- a/.devcontainer/isolated/devcontainer.json +++ b/.devcontainer/isolated/devcontainer.json @@ -77,8 +77,6 @@ "no-new-privileges:true", // Prevent privilege escalation "--security-opt", "apparmor=docker-default", // Use Docker's default AppArmor profile - "--security-opt", - "seccomp=unconfined", // Disable seccomp for compatibility // Network isolation - completely disconnect from internet "--network=none", From acd69da68080e5be108cea97f9a5a7924d018459 Mon Sep 17 00:00:00 2001 From: d4rm5 Date: Tue, 26 Aug 2025 23:27:04 -0300 Subject: [PATCH 4/4] (devcontainer): better runArgs: fixed isolated git config issues and enhanced security on auditor and hardened --- .devcontainer/auditor/devcontainer.json | 78 +++++++++++----- .devcontainer/hardened/devcontainer.json | 110 +++++++++++++++-------- .devcontainer/isolated/devcontainer.json | 86 +++++++++--------- 3 files changed, 168 insertions(+), 106 deletions(-) diff --git a/.devcontainer/auditor/devcontainer.json b/.devcontainer/auditor/devcontainer.json index 8e74da2..8bc2fd1 100644 --- a/.devcontainer/auditor/devcontainer.json +++ b/.devcontainer/auditor/devcontainer.json @@ -26,33 +26,69 @@ "vscode": { // Specialized extensions for smart contract auditing and development "extensions": [ - "NomicFoundation.hardhat-solidity", // Hardhat Solidity support - "tintinweb.solidity-visual-auditor", // Visual auditor for Solidity contracts - "tintinweb.solidity-metrics", // Code metrics and analysis - "trailofbits.weaudit", // Trail of Bits audit tools - "eamodio.gitlens", // Enhanced Git integration - "streetsidesoftware.code-spell-checker", // Code spelling and grammar - "ms-vscode.vscode-json", // JSON language support - "tintinweb.chonky" // File explorer enhancements + // check out https://marketplace.visualstudio.com/items?itemName=tintinweb.ethereum-security-bundle for more information + "tintinweb.ethereum-security-bundle", // includes what is listed above ^ + "tintinweb.vscode-ethover", + "trailofbits.weaudit", + "tintinweb.vscode-inline-bookmarks", + "tintinweb.vscode-solidity-language", + "tintinweb.graphviz-interactive-preview", + "NomicFoundation.hardhat-solidity", + "Olympixai.olympix", + "trailofbits.contract-explorer", + "tintinweb.chonky" // Chonky Agent ], // VS Code settings optimized for auditing workflows "settings": { - "terminal.integrated.defaultProfile.linux": "bash", // Use bash for compatibility - "solidity-va.hover": true, // Enable Solidity hover information - "solidity-va.diagnostics": true // Enable Solidity diagnostics - } + // Security settings - killswitch for automated tasks + "task.autoDetect": "off", // Disable automatic task detection + "task.problemMatchers.autoDetect": "off", // Disable automatic problem matchers + + // Trust and security configuration + "security.workspace.trust.enabled": false, // Trust no one by default + + // Privacy settings - killswitch for telemetry + "telemetry.telemetryLevel": "off", // Disable all telemetry collection + + // Terminal configuration + "terminal.integrated.defaultProfile.linux": "zsh", // Use zsh by default + "terminal.integrated.profiles.linux": { "zsh": { "path": "/usr/bin/zsh" } } + // Using bash might be more safe and stable, but zsh provides better features + }, } }, - // Use vscode user for security (non-root execution) - "remoteUser": "vscode", + // Mount isolation configuration for security and development workflow + // If you need to extract something from within the container, you can use docker cp, but use it at your own risk. + // If you want to develop your devcontainer, you should comment this things, otherwise your changes inside the live container won't persist. + // Disables mounting the host workspace into the container for isolation. + "workspaceMount": "type=tmpfs,destination=/workspace", + // Sets a workspace path entirely isolated within the container + "workspaceFolder": "/workspace", - // Mount configuration for workspace access - // Bind mount from host for persistent development - "mounts": [ - "source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=cached" + // Docker run arguments for security hardening and resource management + "runArgs": [ + + // IPv6 security - disable IPv6 to reduce attack surface + "--sysctl=net.ipv6.conf.all.disable_ipv6=1", // Disable IPv6 globally + "--sysctl=net.ipv6.conf.default.disable_ipv6=1", // Disable IPv6 by default + + // Network capability restrictions + "--cap-drop=NET_RAW", // Disable raw packet access + "--network=bridge", // Use bridge networking + + // DNS configuration for security and reliability + "--dns=1.1.1.1", // Primary DNS (Cloudflare) + "--dns=1.0.0.1", // Secondary DNS (Cloudflare) + + // Resource limits for container performance and security + // Play a little bit with resources to prevent resource exhaustion + // "--memory=512m", // Memory limit (commented out) + // "--cpus=2" // CPU limit (commented out) ], - - // Workspace configuration - mounted from host - "workspaceFolder": "/workspace" + + // Writable mounts in case you want to set --read-only above. + // Currently no additional mounts are configured + "mounts": [ + ] } \ No newline at end of file diff --git a/.devcontainer/hardened/devcontainer.json b/.devcontainer/hardened/devcontainer.json index 90a68bc..dc217dd 100644 --- a/.devcontainer/hardened/devcontainer.json +++ b/.devcontainer/hardened/devcontainer.json @@ -42,17 +42,21 @@ ], // VS Code settings for security and functionality "settings": { - "terminal.integrated.defaultProfile.linux": "zsh", // Default terminal shell - "terminal.integrated.profiles.linux": { - "zsh": { - "path": "/bin/zsh" - } + // Security settings - killswitch for automated tasks + "task.autoDetect": "off", // Disable automatic task detection + "task.problemMatchers.autoDetect": "off", // Disable automatic problem matchers + + // Trust and security configuration + "security.workspace.trust.enabled": false, // Trust no one by default + + // Privacy settings - killswitch for telemetry + "telemetry.telemetryLevel": "off", // Disable all telemetry collection + + // Terminal configuration + "terminal.integrated.defaultProfile.linux": "zsh", // Use zsh by default + "terminal.integrated.profiles.linux": { "zsh": { "path": "/usr/bin/zsh" } } + // Using bash might be more safe and stable, but zsh provides better features }, - "task.autoDetect": "off", // Disable automatic task detection for security - "task.allowAutomaticTasks": "off", // Prevent automatic task execution - "security.workspace.trust.enabled": false, // Disable workspace trust by default - "telemetry.telemetryLevel": "off" // Disable telemetry collection - } } }, @@ -60,34 +64,62 @@ "initializeCommand": "echo 'Initializing hardened dev container...'", "postStartCommand": "echo 'πŸš€ Dev container is ready for Web3 development!'", - // Workspace configuration - mounted from host with caching - "workspaceFolder": "/workspace", - // Mount workspace from host with consistency caching for performance - "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=cached", - - // Docker run arguments for security hardening - "runArgs": [ - // Security hardening - drop all Linux capabilities - "--cap-drop=ALL", - - // Security options for container isolation - "--security-opt", - "no-new-privileges:true", // Prevent privilege escalation - "--security-opt", - "apparmor=docker-default", // Use Docker's default AppArmor profile - - // DNS configuration for security and reliability - "--dns=1.1.1.1", // Use Cloudflare's secure DNS - "--dns=1.0.0.1", // Secondary DNS for redundancy + + // Mount isolation configuration for security and development workflow + // If you need to extract something from within the container, you can use docker cp, but use it at your own risk. + // If you want to develop your devcontainer, you should comment this things, otherwise your changes inside the live container won't persist. + // Disables mounting the host workspace into the container for isolation. + "workspaceMount": "type=tmpfs,destination=/workspace", + // Sets a workspace path entirely isolated within the container + "workspaceFolder": "/workspace", - // Temporary filesystem mounts with security restrictions - "--tmpfs", - "/tmp:rw,noexec,nosuid,size=512m", // Temporary directory with size limit - "--tmpfs", - "/var/tmp:rw,noexec,nosuid,size=512m", // System temp directory with size limit - - // Resource limits for container performance and security - "--memory=1024m", // Limit memory to 1GB - "--cpus=2" // Limit to 2 CPU cores - ] + // Docker run arguments for security hardening and resource management + "runArgs": [ + + // Temporary filesystem mounts with security restrictions + // These provide isolated, size-limited temporary storage + "--tmpfs=/tmp:rw,noexec,nosuid,size=512m", // Main temporary directory + "--tmpfs=/var/tmp:rw,noexec,nosuid,size=512m", // System temporary directory + "--tmpfs=/dev/shm:rw,noexec,nosuid,size=64m", // Shared memory directory + + // Security hardening - drop all Linux capabilities + // This reduces the attack surface by removing unnecessary privileges + "--cap-drop=ALL", + + // Security options for container isolation + // A few security additions (AppArmor & no new privileges) + "--security-opt", "no-new-privileges", // Prevent privilege escalation + "--security-opt", "apparmor:docker-default", // Use Docker's default AppArmor profile + + // Use seccomp's default security profile + // seccomp provides system call filtering for additional security + // "--security-opt", "seccomp=default", + + // Network security configuration + // If you really want to isolate it, just disconnect it from the internet. + // You should COPY your working files inside before, otherwise you'll have to mount them manually. + // "--network=none", + + // IPv6 security - disable IPv6 to reduce attack surface + "--sysctl=net.ipv6.conf.all.disable_ipv6=1", // Disable IPv6 globally + "--sysctl=net.ipv6.conf.default.disable_ipv6=1", // Disable IPv6 by default + + // Network capability restrictions + "--cap-drop=NET_RAW", // Disable raw packet access + "--network=bridge", // Use bridge networking + + // DNS configuration for security and reliability + "--dns=1.1.1.1", // Primary DNS (Cloudflare) + "--dns=1.0.0.1", // Secondary DNS (Cloudflare) + + // Resource limits for container performance and security + // Play a little bit with resources to prevent resource exhaustion + // "--memory=512m", // Memory limit (commented out) + // "--cpus=2" // CPU limit (commented out) + ], + + // Writable mounts in case you want to set --read-only above. + // Currently no additional mounts are configured + "mounts": [ + ] } \ No newline at end of file diff --git a/.devcontainer/isolated/devcontainer.json b/.devcontainer/isolated/devcontainer.json index 47644c7..ea65f75 100644 --- a/.devcontainer/isolated/devcontainer.json +++ b/.devcontainer/isolated/devcontainer.json @@ -29,6 +29,7 @@ "customizations": { "vscode": { // Web3 security and development extensions + // check out https://marketplace.visualstudio.com/items?itemName=tintinweb.ethereum-security-bundle for more information "extensions": [ "tintinweb.ethereum-security-bundle", // Comprehensive Ethereum security tools "tintinweb.vscode-ethover", // Ethereum hover information @@ -41,17 +42,21 @@ ], // VS Code settings for security and functionality "settings": { - "terminal.integrated.defaultProfile.linux": "zsh", // Default terminal shell - "terminal.integrated.profiles.linux": { - "zsh": { - "path": "/bin/zsh" - } - }, - "task.autoDetect": "off", // Disable automatic task detection for security - "task.allowAutomaticTasks": "off", // Prevent automatic task execution - "security.workspace.trust.enabled": false, // Disable workspace trust by default - "telemetry.telemetryLevel": "off" // Disable telemetry collection - } + // Security settings - killswitch for automated tasks + "task.autoDetect": "off", // Disable automatic task detection + "task.problemMatchers.autoDetect": "off", // Disable automatic problem matchers + + // Trust and security configuration + "security.workspace.trust.enabled": false, // Trust no one by default + + // Privacy settings - killswitch for telemetry + "telemetry.telemetryLevel": "off", // Disable all telemetry collection + + // Terminal configuration + "terminal.integrated.defaultProfile.linux": "zsh", // Use zsh by default + "terminal.integrated.profiles.linux": { "zsh": { "path": "/usr/bin/zsh" } } + // Using bash might be more safe and stable, but zsh provides better features + } } }, @@ -61,55 +66,44 @@ // Workspace configuration - isolated within container "workspaceFolder": "/workspace", - // Mount workspace as tmpfs for complete isolation - no host file access + // Mount workspace as tmpfs for complete isolation - no host file access. + // This ensures that the workspace is ephemeral and does not persist data. "workspaceMount": "type=tmpfs,destination=/workspace,tmpfs-mode=1777", // Docker run arguments for security and isolation "runArgs": [ - // Security hardening - drop all Linux capabilities + // Security hardening - drop all Linux capabilities to reduce attack surface "--cap-drop=ALL", - // Read-only filesystem for maximum security + // Read-only filesystem for maximum security, preventing any persistent changes "--read-only", // Security options for container isolation "--security-opt", - "no-new-privileges:true", // Prevent privilege escalation + "no-new-privileges:true", // Prevent privilege escalation from within the container "--security-opt", - "apparmor=docker-default", // Use Docker's default AppArmor profile + "apparmor=docker-default", // Apply Docker's default AppArmor profile for enhanced security - // Network isolation - completely disconnect from internet + // Network isolation - completely disconnect from the internet for a secure environment "--network=none", - // Essential writable tmpfs mounts for VS Code functionality - // These are required for VS Code Server to work properly - "--tmpfs", - "/home/vscode/.vscode-server:rw,noexec,nosuid,size=512m,uid=1000,gid=1000", - "--tmpfs", - "/home/vscode/.vscode-server-insiders:rw,noexec,nosuid,size=256m,uid=1000,gid=1000", - "--tmpfs", - "/home/vscode/.cache:rw,noexec,nosuid,size=256m,uid=1000,gid=1000", - "--tmpfs", - "/home/vscode/.config:rw,noexec,nosuid,size=128m,uid=1000,gid=1000", - "--tmpfs", - "/home/vscode/.local:rw,noexec,nosuid,size=256m,uid=1000,gid=1000", + // --- Writable, EXECUTABLE Mounts for VS Code Server --- + "--tmpfs", "/home/vscode/.vscode-server:rw,exec,nosuid,size=512m,uid=1000,gid=1000", + "--tmpfs", "/home/vscode/.vscode-server-insiders:rw,exec,nosuid,size=256m,uid=1000,gid=1000", + + // --- Writable, NON-EXECUTABLE Mounts for Caches, Configs, and Logs --- + "--tmpfs", "/home/vscode/.cache:rw,noexec,nosuid,size=256m,uid=1000,gid=1000", + "--tmpfs", "/home/vscode/.config:rw,noexec,nosuid,size=128m,uid=1000,gid=1000", + "--tmpfs", "/home/vscode/.local:rw,noexec,nosuid,size=256m,uid=1000,gid=1000", + "--tmpfs", "/home/vscode/.gnupg:rw,noexec,nosuid,size=32m,uid=1000,gid=1000", + "--tmpfs", "/tmp:rw,noexec,nosuid,size=512m", + "--tmpfs", "/var/tmp:rw,noexec,nosuid,size=512m", + "--tmpfs", "/var/log:rw,noexec,nosuid,size=128m", + "--tmpfs", "/run:rw,noexec,nosuid,size=128m", + "--tmpfs", "/home/vscode/.devcontainer:rw,noexec,nosuid,size=32m,uid=1000,gid=1000" - // System temporary directories with size limits - "--tmpfs", - "/tmp:rw,noexec,nosuid,size=512m", - "--tmpfs", - "/var/tmp:rw,noexec,nosuid,size=512m", - "--tmpfs", - "/var/log:rw,noexec,nosuid,size=128m", - "--tmpfs", - "/run:rw,noexec,nosuid,size=128m", - - // Git configuration storage - "--tmpfs", - "/home/vscode/.gitconfig:rw,noexec,nosuid,size=1m,uid=1000,gid=1000", - - // Resource limits for container performance - "--memory=1g", // Limit memory to 1GB - "--cpus=2" // Limit to 2 CPU cores + // Resource limits for container performance and stability + // "--memory=1g", // Limit container memory to 1GB to prevent resource exhaustion + // "--cpus=2" // Limit container to 2 CPU cores for predictable performance ] } \ No newline at end of file