IBM
diff --git a/‎.github/workflows/docker-scan.yml‎
Lines changed: 53 additions & 0 deletions b/‎.github/workflows/docker-scan.yml‎
Lines changed: 53 additions & 0 deletions
diff --git a/‎.secrets.baseline‎
Lines changed: 17 additions & 17 deletions b/‎.secrets.baseline‎
Lines changed: 17 additions & 17 deletions
diff --git a/‎Containerfile‎
Lines changed: 1 addition & 1 deletion b/‎Containerfile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎a2a-agents/go/a2a-echo-agent/Dockerfile‎
Lines changed: 6 additions & 3 deletions b/‎a2a-agents/go/a2a-echo-agent/Dockerfile‎
Lines changed: 6 additions & 3 deletions
diff --git a/‎docker-compose-embedded.yml‎
Lines changed: 1 addition & 1 deletion b/‎docker-compose-embedded.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docker-compose-verbose-logging.yml‎
Lines changed: 4 additions & 1 deletion b/‎docker-compose-verbose-logging.yml‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎docker-compose.yml‎
Lines changed: 4 additions & 1 deletion b/‎docker-compose.yml‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎docs/docs/deployment/proxy-auth.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/docs/deployment/proxy-auth.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/docs/tutorials/dcr-hyprmcp.md‎
Lines changed: 2 additions & 2 deletions b/‎docs/docs/tutorials/dcr-hyprmcp.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎docs/docs/tutorials/openwebui-tutorial.md‎
Lines changed: 3 additions & 3 deletions b/‎docs/docs/tutorials/openwebui-tutorial.md‎
Lines changed: 3 additions & 3 deletions
@@ -18,10 +18,16 @@ on:
   push:
     branches: ["main"]
     paths:
+      - 'Containerfile'
       - 'Containerfile.lite'
       - 'crates/**'
       - 'Cargo.toml'
       - 'Cargo.lock'
+      - 'a2a-agents/go/a2a-echo-agent/**'
+      - 'mcp-servers/python/python_sandbox_server/docker/**'
+      - 'docker-compose.yml'
+      - 'docker-compose-embedded.yml'
+      - 'docker-compose-verbose-logging.yml'
       - 'mcpgateway/**'
       - 'plugins/**'
       - 'pyproject.toml'
@@ -30,10 +36,16 @@ on:
     types: [opened, synchronize, ready_for_review]
     branches: ["main"]
     paths:
+      - 'Containerfile'
       - 'Containerfile.lite'
       - 'crates/**'
       - 'Cargo.toml'
       - 'Cargo.lock'
+      - 'a2a-agents/go/a2a-echo-agent/**'
+      - 'mcp-servers/python/python_sandbox_server/docker/**'
+      - 'docker-compose.yml'
+      - 'docker-compose-embedded.yml'
+      - 'docker-compose-verbose-logging.yml'
       - 'mcpgateway/**'
       - 'plugins/**'
       - 'pyproject.toml'
@@ -51,6 +63,47 @@ env:
   IMAGE_NAME: mcp-context-forge-scan
 
 jobs:
+  container-smoke:
+    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+    name: Container Smoke (${{ matrix.name }})
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - name: main
+            context: .
+            file: Containerfile
+            tag: mcp-context-forge-main-smoke:scan
+          - name: a2a-echo-agent
+            context: a2a-agents/go/a2a-echo-agent
+            file: a2a-agents/go/a2a-echo-agent/Dockerfile
+            tag: mcp-context-forge-a2a-echo-agent:scan
+          - name: python-sandbox
+            context: mcp-servers/python/python_sandbox_server
+            file: mcp-servers/python/python_sandbox_server/docker/Dockerfile.sandbox
+            tag: mcp-context-forge-python-sandbox:scan
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          persist-credentials: false
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
+
+      - name: Build container locally
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
+        with:
+          context: ${{ matrix.context }}
+          file: ${{ matrix.file }}
+          platforms: linux/amd64
+          push: false
+          load: true
+          tags: ${{ matrix.tag }}
+
   # ---------------------------------------------------------------
   # Build image and generate SBOM
   # ---------------------------------------------------------------
 
@@ -3,7 +3,7 @@
     "files": "^.secrets.baseline|package-lock.json|Cargo.lock|scripts/sign_image.sh|scripts/zap|sonar-project.properties|uv.lock|go.sum|mcpgateway/sri_hashes.json|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2026-04-15T09:12:27Z",
+  "generated_at": "2026-04-15T13:04:45Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -691,58 +691,58 @@
       {
         "hashed_secret": "9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684",
         "is_secret": false,
-        "is_verified": true,
+        "is_verified": false,
         "line_number": 10521,
         "type": "Basic Auth Credentials",
-        "verified_result": false
+        "verified_result": null
       }
     ],
     "crates/mcp_runtime/src/observability.rs": [
       {
         "hashed_secret": "b7dd0ec3dc49487982011219e66db3716b6669c6",
         "is_secret": false,
-        "is_verified": true,
+        "is_verified": false,
         "line_number": 598,
         "type": "Secret Keyword",
-        "verified_result": false
+        "verified_result": null
       }
     ],
     "crates/mcp_runtime/tests/runtime.rs": [
       {
         "hashed_secret": "5b204323030835cdda5d258742d1452e812988de",
         "is_secret": false,
-        "is_verified": true,
+        "is_verified": false,
         "line_number": 1643,
         "type": "Secret Keyword",
-        "verified_result": false
+        "verified_result": null
       },
       {
         "hashed_secret": "d6c1622f5e897dac7dcc4fab2cded03cb8240caa",
         "is_secret": false,
-        "is_verified": true,
+        "is_verified": false,
         "line_number": 5296,
         "type": "Secret Keyword",
-        "verified_result": false
+        "verified_result": null
       }
     ],
     "crates/wrapper/scripts/test-fast-time-wrapper.sh": [
       {
         "hashed_secret": "5546721ffdfc2e5b0e4c0da38f10774f9ad50b09",
         "is_secret": false,
-        "is_verified": true,
+        "is_verified": false,
         "line_number": 12,
         "type": "Secret Keyword",
-        "verified_result": false
+        "verified_result": null
       }
     ],
     "crates/wrapper/src/config.rs": [
       {
         "hashed_secret": "c8190eb36807e51dd78086805a24539885edda6b",
         "is_secret": false,
-        "is_verified": true,
+        "is_verified": false,
         "line_number": 9,
         "type": "Secret Keyword",
-        "verified_result": false
+        "verified_result": null
       }
     ],
     "docker-compose-debug.yml": [
@@ -1138,31 +1138,31 @@
         "hashed_secret": "fa9beb99e4029ad5a6615399e7bbae21356086b3",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 2632,
+        "line_number": 2635,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "12be9f7db42eb4a2d881a99fa9ba847e1f83677f",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 2653,
+        "line_number": 2656,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "c3de40d5e3fc71ed62771c2127a8e42585026c97",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 2661,
+        "line_number": 2664,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "ce53277317aa3cd27c1619d7d371306ded2ddd1e",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 2666,
+        "line_number": 2669,
         "type": "Secret Keyword",
         "verified_result": null
       }
 
@@ -1,7 +1,7 @@
 ###########################
 # Frontend builder stage
 ###########################
-FROM node:lts-alpine AS frontend-builder
+FROM node:lts-bookworm-slim AS frontend-builder
 WORKDIR /app
 
 # Copy package.json and package-lock.json
 
@@ -9,9 +9,12 @@ RUN go mod download
 COPY . .
 RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags "-s -w" -o /usr/local/bin/a2a-echo-agent .
 
-# Use alpine so basic tooling (busybox/wget) exists for container healthchecks.
-FROM alpine:3.20
-RUN adduser -D -u 1001 app
+# Use Debian slim so basic tooling exists without Alpine.
+FROM debian:bookworm-slim
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends ca-certificates tzdata && \
+    rm -rf /var/lib/apt/lists/* && \
+    useradd --uid 1001 --create-home --shell /usr/sbin/nologin app
 COPY --from=builder /usr/local/bin/a2a-echo-agent /usr/local/bin/a2a-echo-agent
 USER 1001:1001
 EXPOSE 9100
 
@@ -132,7 +132,7 @@ services:
   # Access: http://localhost:8889
   # ──────────────────────────────────────────────────────────────────────
   iframe_harness:
-    image: nginx:alpine
+    image: nginx:stable-bookworm
     restart: unless-stopped
     networks: [mcpnet]
     ports:
 
@@ -1630,12 +1630,15 @@ services:
   # Certificate Initialization - Auto-generates self-signed certs if missing
   # ──────────────────────────────────────────────────────────────────────
   cert_init:
-    image: alpine/openssl:latest
+    image: debian:bookworm-slim
     volumes:
       - ./certs:/certs
     entrypoint: ["/bin/sh", "-c"]
     command:
       - |
+        apt-get update
+        apt-get install -y --no-install-recommends openssl
+        rm -rf /var/lib/apt/lists/*
         if [ -f /certs/cert.pem ] && [ -f /certs/key.pem ]; then
           echo "✅ Certificates found in ./certs - using existing"
           exit 0
 
@@ -2483,14 +2483,17 @@ services:
   # Supports passphrase-protected keys via KEY_FILE_PASSWORD
   # ──────────────────────────────────────────────────────────────────────
   cert_init:
-    image: alpine/openssl:latest
+    image: debian:bookworm-slim
     volumes:
       - ./certs:/certs
     environment:
       - KEY_FILE_PASSWORD=${KEY_FILE_PASSWORD:-}
     entrypoint: ["/bin/sh", "-c"]
     command:
       - |
+        apt-get update
+        apt-get install -y --no-install-recommends openssl
+        rm -rf /var/lib/apt/lists/*
         # Check if we have an encrypted key that needs decryption
         if [ -f /certs/key-encrypted.pem ] && [ -n "${KEY_FILE_PASSWORD}" ]; then
           # Validate: encrypted key requires matching certificate
 
@@ -53,7 +53,7 @@ Find the completed guide on how to use the [HyprContextForge](https://github.com
 # docker-compose.yaml
 services:
     hyprmcp-dex:
-        image: ghcr.io/dexidp/dex:v2.43.1-alpine
+        image: ghcr.io/dexidp/dex:v2.43.1
         command: ["dex", "serve", "/config.yaml"]
         ports:
 
 
@@ -90,7 +90,7 @@ Create a `docker-compose.yaml` file with the following content:
 ```yaml
 services:
     hyprmcp-dex:
-        image: ghcr.io/dexidp/dex:v2.43.1-alpine
+        image: ghcr.io/dexidp/dex:v2.43.1
         command: ["dex", "serve", "/config.yaml"]
         ports:
 
@@ -305,7 +305,7 @@ Choose a tool from the list and run it via the right side panel.
 ```yaml
 services:
     hyprmcp-dex:
-        image: ghcr.io/dexidp/dex:v2.43.1-alpine
+        image: ghcr.io/dexidp/dex:v2.43.1
         command: ["dex", "serve", "/config.yaml"]
         ports:
 
 
@@ -92,7 +92,7 @@ docker run -d \
   -e POSTGRES_PASSWORD=changeme \
   -v postgres_data:/var/lib/postgresql/data \
   -p 5432:5432 \
-  postgres:15-alpine
+  postgres:15-bookworm
 
 # Verify PostgreSQL is running
 docker logs postgres
@@ -472,7 +472,7 @@ docker exec postgres pg_dump -U openwebui openwebui > backup.sql
 
 # Backup volumes
 docker run --rm -v postgres_data:/data -v $(pwd):/backup \
-  alpine tar czf /backup/postgres_backup.tar.gz -C /data .
+  debian:bookworm-slim tar czf /backup/postgres_backup.tar.gz -C /data .
 
 # Restore PostgreSQL
 docker exec -i postgres psql -U openwebui openwebui < backup.sql
@@ -552,7 +552,7 @@ version: '3.8'
 
 services:
   postgres:
-    image: postgres:15-alpine
+    image: postgres:15-bookworm
     environment:
       POSTGRES_DB: openwebui
       POSTGRES_USER: openwebui