fix vulnerabilities (#62)

* fix vulnerabilities

* change to ubuntu image for vuln fixes

* add scanning

* add trivy scan with security agent upload and fail on critical/high vulns

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* use non-root user in dockerfiles

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Allow useradd bin to choose a UID for non-root

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: Gavin Ray <ray.gavin97@gmail.com>

Author: 3 people

.github/workflows/ndc-nodejs-lambda-connector.yaml

@@ -119,6 +119,49 @@ jobs:
           tags: ${{ steps.docker-metadata.outputs.tags }}
           labels: ${{ steps.docker-metadata.outputs.labels }}
 
+      - name: Build docker image for scanning
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          build-args: |
+            CONNECTOR_VERSION=${{ steps.get-npm-package-version.outputs.package_version }}
+          load: true
+          tags: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}:scan
+
+      - name: Run Trivy vulnerability scanner (json output)
+        uses: aquasecurity/trivy-action@0.32.0
+        with:
+          image-ref: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}:scan
+          format: json
+          output: trivy-results.json
+          scanners: vuln
+
+      - name: Upload Trivy scan results to Security Agent
+        if: always()
+        uses: hasura/security-agent-tools/upload-file@v1
+        with:
+          file_path: trivy-results.json
+          security_agent_api_key: ${{ secrets.SECURITY_AGENT_API_KEY }}
+          tags: |
+            service=ndc-nodejs-lambda
+            source_code_path=.
+            docker_file_path=Dockerfile
+            scanner=trivy
+            image_name=${{ steps.docker-metadata.outputs.tags }}
+            product_domain=hasura-ddn-data-plane
+            team=engine
+
+      - name: Fail build on High/Critical Vulnerabilities
+        uses: aquasecurity/trivy-action@0.32.0
+        with:
+          skip-setup-trivy: true
+          image-ref: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}:scan
+          format: table
+          severity: CRITICAL,HIGH
+          scanners: vuln
+          ignore-unfixed: true
+          exit-code: 1
+
       - name: Push docker image
         uses: docker/build-push-action@v6
         if: ${{ startsWith(github.ref, 'refs/tags/v') }}

Dockerfile

@@ -1,8 +1,20 @@
-FROM node:20-alpine
+FROM ubuntu:noble-20260113
 ARG CONNECTOR_VERSION
 
-RUN npm update -g npm
-RUN apk add bash jq curl
+RUN apt-get update && apt-get install -y \
+    curl \
+    bash \
+    jq \
+    ca-certificates \
+    gnupg \
+    && mkdir -p /etc/apt/keyrings \
+    && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \
+    && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list \
+    && apt-get update \
+    && apt-get install -y nodejs \
+    && npm update -g npm \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
 
 COPY /docker /scripts
 COPY /connector-definition/scripts/upgrade-connector.sh /scripts/upgrade-connector.sh
@@ -12,6 +24,12 @@ RUN echo ${CONNECTOR_VERSION} > /scripts/CONNECTOR_VERSION
 COPY /functions /functions
 RUN /scripts/package-restore.sh
 
+# Create non-root user, let useradd pick a unique UID
+RUN useradd -m -s /bin/bash hasura \
+    && chown -R hasura:hasura /scripts /functions
+
+USER hasura
+
 EXPOSE 8080
 
 HEALTHCHECK --interval=5s --timeout=10s --start-period=1s --retries=3 CMD [ "sh", "-c", "exec curl -f http://localhost:${HASURA_CONNECTOR_PORT:-8080}/health" ]

connector-definition/Dockerfile

@@ -1,9 +1,9 @@
 FROM ghcr.io/hasura/ndc-nodejs-lambda:v{{VERSION}}
 
-COPY package-lock.json package.json /functions/
+COPY --chown=hasura:hasura package-lock.json package.json /functions/
 
 WORKDIR /functions
-RUN --mount=type=cache,target=/root/.npm \
+RUN --mount=type=cache,target=/home/hasura/.npm,uid=1000,gid=1000 \
     npm ci
 
-COPY ./ /functions
+COPY --chown=hasura:hasura ./ /functions