-
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathDockerfile
More file actions
78 lines (65 loc) · 2.09 KB
/
Dockerfile
File metadata and controls
78 lines (65 loc) · 2.09 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
# =============================================================================
# Dockerfile - Shai-Hulud Detection Scanner
# =============================================================================
#
# Isolated scanning environment for detecting npm supply chain attacks.
# Use this container to safely scan potentially compromised projects.
#
# Build:
# docker build -t hulud-scanner .
#
# Usage:
# # Scan current directory
# docker run --rm -v $(pwd):/target hulud-scanner
#
# # Scan with JSON output
# docker run --rm -v $(pwd):/target hulud-scanner --format json
#
# # Scan specific path
# docker run --rm -v /path/to/project:/target hulud-scanner
#
# # Save results to file
# docker run --rm -v $(pwd):/target -v $(pwd)/results:/results \
# hulud-scanner --output /results/scan.txt
#
# =============================================================================
FROM node:20-alpine
LABEL maintainer="miccy <https://github.com/miccy>"
LABEL description="Shai-Hulud 2.0 Detection Scanner - Isolated scanning environment"
LABEL version="1.5.1"
# Install required tools
RUN apk add --no-cache \
bash \
coreutils \
findutils \
grep \
jq \
curl \
git
# Create scanner user (non-root)
RUN addgroup -g 1000 scanner && \
adduser -u 1000 -G scanner -s /bin/bash -D scanner
# Create directories
RUN mkdir -p /scanner /target /results && \
chown -R scanner:scanner /scanner /target /results
# Copy scanner scripts
COPY --chown=scanner:scanner scripts/ /scanner/scripts/
COPY --chown=scanner:scanner ioc/ /scanner/ioc/
COPY --chown=scanner:scanner bin/ /scanner/bin/
# Make scripts executable
RUN chmod +x /scanner/scripts/*.sh
# Set working directory
WORKDIR /target
# Switch to non-root user
USER scanner
# Environment variables
ENV PATH="/scanner/scripts:/scanner/bin:$PATH"
ENV SCAN_PATH="/target"
ENV IOC_PATH="/scanner/ioc"
# Health check
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
CMD detect.sh --version || exit 1
# Default entrypoint
ENTRYPOINT ["/scanner/scripts/detect.sh"]
# Default command (scan /target)
CMD ["/target"]