From 1e9419b01d29c3b9afc65f8033c19a34b62413f2 Mon Sep 17 00:00:00 2001 From: Shahidh Date: Sun, 1 Feb 2026 12:16:57 -0800 Subject: [PATCH 1/6] fix vulnerabilities --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index adeadf4..1d02330 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM node:20-alpine +FROM node:20-alpine3.23 ARG CONNECTOR_VERSION RUN npm update -g npm From 1cc0905e92446e94043e81148569029a0b5e48a5 Mon Sep 17 00:00:00 2001 From: Shahidh Date: Sun, 1 Feb 2026 13:01:31 -0800 Subject: [PATCH 2/6] change to ubuntu image for vuln fixes --- Dockerfile | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 1d02330..4402101 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,8 +1,20 @@ -FROM node:20-alpine3.23 +FROM ubuntu:noble-20260113 ARG CONNECTOR_VERSION -RUN npm update -g npm -RUN apk add bash jq curl +RUN apt-get update && apt-get install -y \ + curl \ + bash \ + jq \ + ca-certificates \ + gnupg \ + && mkdir -p /etc/apt/keyrings \ + && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \ + && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list \ + && apt-get update \ + && apt-get install -y nodejs \ + && npm update -g npm \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* COPY /docker /scripts COPY /connector-definition/scripts/upgrade-connector.sh /scripts/upgrade-connector.sh From 5438265d82ec576a8c196a3fb20f73ca0c37c8a9 Mon Sep 17 00:00:00 2001 From: Shahidh Date: Sun, 1 Feb 2026 13:04:24 -0800 Subject: [PATCH 3/6] add scanning --- .../ndc-nodejs-lambda-connector.yaml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) 
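Review bot: The NodeSource signing key fetched on the `curl -fsSL … | gpg --dearmor` line is trusted on the strength of the TLS connection alone, and the pipe runs under the default `/bin/sh -c` without pipefail, so a truncated or failed download can still leave the `RUN` exiting 0 and the problem only surfaces later at `apt-get update`. Add `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before the `RUN` and check the dearmored key against the fingerprint NodeSource publishes (`gpg --show-keys --with-fingerprint /etc/apt/keyrings/nodesource.gpg`) before writing the sources list. `apt-get install -y nodejs` and `npm update -g npm` are both unpinned, so two builds of this same commit can differ in exactly the packages this "fix vulnerabilities" change targets; pin `nodejs=<version>` (hadolint DL3008), add `--no-install-recommends`, and drop `bash`, which `ubuntu:noble` should already provide. `FROM ubuntu:noble-20260113` is a date tag rather than a digest; `FROM ubuntu:noble-20260113@sha256:…` is what makes the base reproducible.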
diff --git a/.github/workflows/ndc-nodejs-lambda-connector.yaml b/.github/workflows/ndc-nodejs-lambda-connector.yaml index 600ae9b..79e5a73 100644 --- a/.github/workflows/ndc-nodejs-lambda-connector.yaml +++ b/.github/workflows/ndc-nodejs-lambda-connector.yaml @@ -131,6 +131,31 @@ jobs: labels: ${{ steps.docker-metadata.outputs.labels }} push: true + security-scan: + name: Security vulnerability scan + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.32.0 + with: + scan-type: fs + format: json + output: trivy-results.json + severity: CRITICAL,HIGH + exit-code: 1 + + - name: Upload to Security Agent + if: always() + uses: hasura/security-agent-tools/upload-file@main + with: + file_path: trivy-results.json + security_agent_api_key: ${{ secrets.SECURITY_AGENT_API_KEY }} + tags: | + service=ndc-nodejs-lambda + scanner=trivy + release-connector: name: Release connector defaults: From 6e3f9ec675a7e95d7e726523e6b3ad8ba2a9d9c2 Mon Sep 17 00:00:00 2001 From: Shahidh Date: Tue, 3 Feb 2026 23:21:13 -0800 Subject: [PATCH 4/6] add trivy scan with security agent upload and fail on critical/high vulns Co-Authored-By: Claude Opus 4.5 --- .../ndc-nodejs-lambda-connector.yaml | 54 ++++++++++++------- 1 file changed, 36 insertions(+), 18 deletions(-) diff --git a/.github/workflows/ndc-nodejs-lambda-connector.yaml b/.github/workflows/ndc-nodejs-lambda-connector.yaml index 79e5a73..6cd96fd 100644 --- a/.github/workflows/ndc-nodejs-lambda-connector.yaml +++ b/.github/workflows/ndc-nodejs-lambda-connector.yaml 
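Review bot: `hasura/security-agent-tools/upload-file@main` receives `secrets.SECURITY_AGENT_API_KEY` while pinned to a mutable branch, so anyone who can push to that repository's `main` can change what is done with the key on the next run; pin it (and `aquasecurity/trivy-action@0.32.0`) to a full commit SHA with the version in a trailing comment, e.g. `uses: hasura/security-agent-tools/upload-file@<commit-sha> # main`. Whether this job runs with that secret on a pull_request from a fork depends on the workflow's `on:` triggers, which are outside this hunk; if it does, the upload should be gated with `if: github.event_name != 'pull_request'` rather than a bare `if: always()`. The new `security-scan` job declares no `needs` and nothing in the hunk makes `release-connector` depend on it, so as written the scan reports but does not block a release.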
@@ -119,42 +119,60 @@ jobs: tags: ${{ steps.docker-metadata.outputs.tags }} labels: ${{ steps.docker-metadata.outputs.labels }} - - name: Push docker image + - name: Build docker image for scanning uses: docker/build-push-action@v6 - if: ${{ startsWith(github.ref, 'refs/tags/v') }} with: context: . build-args: | CONNECTOR_VERSION=${{ steps.get-npm-package-version.outputs.package_version }} - platforms: linux/amd64,linux/arm64 - tags: ${{ steps.docker-metadata.outputs.tags }} - labels: ${{ steps.docker-metadata.outputs.labels }} - push: true + load: true + tags: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}:scan - security-scan: - name: Security vulnerability scan - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: Run Trivy vulnerability scanner + - name: Run Trivy vulnerability scanner (json output) uses: aquasecurity/trivy-action@0.32.0 with: - scan-type: fs + image-ref: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}:scan format: json output: trivy-results.json - severity: CRITICAL,HIGH - exit-code: 1 + scanners: vuln - - name: Upload to Security Agent + - name: Upload Trivy scan results to Security Agent if: always() - uses: hasura/security-agent-tools/upload-file@main + uses: hasura/security-agent-tools/upload-file@v1 with: file_path: trivy-results.json security_agent_api_key: ${{ secrets.SECURITY_AGENT_API_KEY }} tags: | service=ndc-nodejs-lambda + source_code_path=. 
+ docker_file_path=Dockerfile scanner=trivy + image_name=${{ steps.docker-metadata.outputs.tags }} + product_domain=hasura-ddn-data-plane + team=engine + + - name: Fail build on High/Critical Vulnerabilities + uses: aquasecurity/trivy-action@0.32.0 + with: + skip-setup-trivy: true + image-ref: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}:scan + format: table + severity: CRITICAL,HIGH + scanners: vuln + ignore-unfixed: true + exit-code: 1 + + - name: Push docker image + uses: docker/build-push-action@v6 + if: ${{ startsWith(github.ref, 'refs/tags/v') }} + with: + context: . + build-args: | + CONNECTOR_VERSION=${{ steps.get-npm-package-version.outputs.package_version }} + platforms: linux/amd64,linux/arm64 + tags: ${{ steps.docker-metadata.outputs.tags }} + labels: ${{ steps.docker-metadata.outputs.labels }} + push: true release-connector: name: Release connector From d1a57945ee39a495e71baa7d761574a7e1192239 Mon Sep 17 00:00:00 2001 From: Shahidh Date: Tue, 3 Feb 2026 23:35:56 -0800 Subject: [PATCH 5/6] use non-root user in dockerfiles Co-Authored-By: Claude Opus 4.5 --- Dockerfile | 6 ++++++ connector-definition/Dockerfile | 6 +++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 4402101..b9c1eb0 100644 --- a/Dockerfile +++ b/Dockerfile @@ -24,6 +24,12 @@ RUN echo ${CONNECTOR_VERSION} > /scripts/CONNECTOR_VERSION COPY /functions /functions RUN /scripts/package-restore.sh +# Create non-root user +RUN useradd -m -s /bin/bash -u 1000 hasura \ + && chown -R hasura:hasura /scripts /functions + +USER hasura + EXPOSE 8080 HEALTHCHECK --interval=5s --timeout=10s --start-period=1s --retries=3 CMD [ "sh", "-c", "exec curl -f http://localhost:${HASURA_CONNECTOR_PORT:-8080}/health" ] diff --git a/connector-definition/Dockerfile b/connector-definition/Dockerfile index bb8fdec..4501b93 100644 --- a/connector-definition/Dockerfile +++ b/connector-definition/Dockerfile 
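Review bot: The gate in `Fail build on High/Critical Vulnerabilities` scans the single-platform image produced by `load: true`, while `Push docker image` rebuilds for `linux/amd64,linux/arm64` in a separate invocation, so the arm64 layers (and, unless the build cache hits, the pushed amd64 layers) are never the bytes that were scanned. At minimum record that above the scan step, `# NOTE: only the linux/amd64 build is scanned; the arm64 release image is assumed to carry the same package set`, or build once with `outputs: type=oci,dest=image.tar` and point Trivy at the archive with `input: image.tar` so scan and release are the same artifact. `image_name=${{ steps.docker-metadata.outputs.tags }}` is interpolated inside the multi-line `tags:` block; if the metadata step emits several tags the extra lines become stray tags, so `steps.docker-metadata.outputs.version` is safer — that step is outside this hunk, as is the start of the job. `ignore-unfixed: true` means the gate waives findings Ubuntu has not patched yet while the JSON uploaded above still contains them; a one-line comment stating that intent will save the next reader from assuming the two steps disagree by accident.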
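Review bot: `chown -R hasura:hasura /scripts /functions` runs after `RUN /scripts/package-restore.sh`, so every file already written under `/functions` (including whatever that script installs) is duplicated into a new layer just to change its owner, and it also gives the runtime user write access to `/scripts`, which means a compromised process can rewrite `upgrade-connector.sh` and the other entry scripts that will later be executed. Create the user before the `COPY` lines and use `COPY --chown=hasura:hasura /functions /functions` for the one tree that has to be writable, leaving `/scripts` root-owned and readable (`chmod -R a+rX /scripts`) unless `upgrade-connector.sh` writes there at run time — its contents are outside this hunk. If `package-restore.sh` only needs npm, it can run after `USER hasura` and no chown is needed at all. A service account does not need a login shell; `--system --shell /usr/sbin/nologin` is the tighter form for the `useradd` line.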
@@ -1,9 +1,9 @@ FROM ghcr.io/hasura/ndc-nodejs-lambda:v{{VERSION}} -COPY package-lock.json package.json /functions/ +COPY --chown=hasura:hasura package-lock.json package.json /functions/ WORKDIR /functions -RUN --mount=type=cache,target=/root/.npm \ +RUN --mount=type=cache,target=/home/hasura/.npm,uid=1000,gid=1000 \ npm ci -COPY ./ /functions +COPY --chown=hasura:hasura ./ /functions From da617c78574b7b059dc0ef6e7c0a56ba7d4061cb Mon Sep 17 00:00:00 2001 From: Gavin Ray Date: Wed, 4 Feb 2026 10:23:01 -0500 Subject: [PATCH 6/6] Allow useradd bin to choose a UID for non-root --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index b9c1eb0..f4fe8fe 100644 --- a/Dockerfile +++ b/Dockerfile @@ -24,8 +24,8 @@ RUN echo ${CONNECTOR_VERSION} > /scripts/CONNECTOR_VERSION COPY /functions /functions RUN /scripts/package-restore.sh -# Create non-root user -RUN useradd -m -s /bin/bash -u 1000 hasura \ +# Create non-root user, let useradd pick a unique UID +RUN useradd -m -s /bin/bash hasura \ && chown -R hasura:hasura /scripts /functions USER hasura
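Review bot: `--mount=type=cache,target=/home/hasura/.npm,uid=1000,gid=1000` hard-codes the UID of a user that is created in a different Dockerfile (the `ghcr.io/hasura/ndc-nodejs-lambda` base), so the two files can drift silently; if that image's `hasura` ends up with another UID the cache is mounted with the wrong owner and `npm ci` is likely to fail or fall back with `EACCES` on its cache. Add a comment tying the two together, `# uid/gid must match the hasura user created in the ndc-nodejs-lambda base image`, and prefer a fixed, documented UID on both sides over whatever `useradd` happens to allocate. `COPY --chown=hasura:hasura ./ /functions` after `npm ci` needs a `.dockerignore` that excludes `node_modules`, otherwise a local install overwrites the one just built as the non-root user — whether one exists is outside this hunk.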
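Review bot: Dropping `-u 1000` lets `useradd` allocate the next free UID (presumably because `ubuntu:noble` already ships an account at 1000, which would be why the pinned value failed), but nothing in this commit updates the companion `--mount=type=cache,…,uid=1000,gid=1000` in `connector-definition/Dockerfile`, so that cache is now owned by a different account than the one running `npm ci`. An implicit UID also leaves `USER hasura` unverifiable for Kubernetes `runAsNonRoot: true`, which rejects images whose `USER` is a name rather than a number. Pick an explicit high UID that cannot collide with the base image and use it consistently: `RUN useradd -m -s /bin/bash -u 10001 hasura \` here, `USER 10001` at the end of the file, and `uid=10001,gid=10001` in the cache mount. Replace the comment with one that states the reason the value is fixed, e.g. `# Fixed UID so derived Dockerfiles and runtime policies (runAsNonRoot) can reference it`.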