fix the agent-os docker file #1279

Closed
ryanzhang-oss wants to merge 1 commit into microsoft:main from ryanzhang-oss:fix-openclaw-demo

Conversation

@ryanzhang-oss (Contributor) commented Apr 21, 2026

Description

This pull request updates the Dockerfile.sidecar for the agent governance sidecar, primarily focusing on updating the Python version and refining the build process for dependencies.

Dependency and build process updates:

  • Updated the base image from python:3.14-slim to python:3.11-slim to ensure compatibility and stability with current dependencies. The 3.14 image base somehow does not work.
  • Modified the COPY command to include README.md alongside pyproject.toml, ensuring documentation is available in the container.
  • Changed the pip install command to install only specific dependency groups (cmvk, iatp, amb, observability) and explicitly added pyyaml, reducing the container footprint and potential attack surface.

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update
  • Maintenance (dependency updates, CI/CD, refactoring)
  • Security fix

Package(s) Affected

  • agent-os-kernel
  • agent-mesh
  • agent-runtime
  • agent-sre
  • agent-governance
  • docs / root

Checklist

  • My code follows the project style guidelines (ruff check)
  • I have added tests that prove my fix/feature works
  • All new and existing tests pass (pytest)
  • I have updated documentation as needed
  • I have signed the Microsoft CLA

Attribution & Prior Art

  • This contribution does not contain code copied or derived from other projects without attribution
  • Any external projects that inspired this design are credited in code comments or documentation
  • If this PR implements functionality similar to an existing open-source project, I have listed it below

Prior art / related projects (if any):

Related Issues

@github-actions github-actions Bot added the size/XS Extra small PR (< 10 lines) label Apr 21, 2026
@github-actions github-actions Bot left a comment

🤖 AI Agent: code-reviewer

Review Feedback for PR: "fix the agent-os docker file"

🔴 CRITICAL

  1. Python Version Downgrade:
    • The base image was changed from python:3.14-slim to python:3.11-slim. While Python 3.14 does not exist (likely a typo), this change should be verified against the project's compatibility matrix. Ensure that all dependencies and packages used in the project are compatible with Python 3.11. If any dependency requires Python 3.12 or higher, this could lead to runtime errors or security vulnerabilities due to outdated libraries.
  2. Dependency Installation:
    • The pip install command now installs specific dependency groups (cmvk, iatp, amb, observability) instead of [full]. This change reduces the attack surface but risks omitting critical dependencies required for security or functionality. Ensure that the omitted dependencies do not introduce false negatives in the policy engine or compromise OWASP Agentic Top 10 compliance.

🟡 WARNING

  1. Backward Compatibility:
    • The change in dependency installation (.[cmvk,iatp,amb,observability] instead of [full]) might break existing workflows or features that rely on the full set of dependencies. This could lead to unexpected behavior in downstream systems. Consider documenting this change clearly in release notes and verifying its impact on all packages in the monorepo.

💡 SUGGESTIONS

  1. Documentation Availability:
    • Including README.md in the container is a good practice for documentation availability. However, ensure that sensitive information (e.g., credentials or internal configurations) is not inadvertently included in the README.md.
  2. Non-Root User:
    • The Dockerfile creates a non-root user but does not switch to it (USER directive is missing). Running the container as a root user increases the risk of sandbox escape vectors. Add a USER directive to enforce the use of the non-root user.
  3. Layer Optimization:
    • The pip install command and the rm -rf /root/.cache command are combined into a single RUN layer. While this is efficient, consider splitting them into separate layers for better debugging and caching during the build process.
  4. Testing:
    • Ensure that the updated Dockerfile is tested against all supported Python versions (3.9–3.12) to confirm compatibility. Add integration tests to validate the functionality of the sidecar container.
  5. Security Hardening:
    • Consider adding a HEALTHCHECK directive to monitor the health of the sidecar container. This can help detect and mitigate issues proactively.

Actionable Recommendations

  1. Verify Python version compatibility across all dependencies and packages.
  2. Audit the impact of reduced dependency installation (cmvk, iatp, amb, observability) on functionality and security.
  3. Add a USER directive to enforce non-root execution.
  4. Test the Dockerfile against all supported Python versions and document the results.
  5. Add a HEALTHCHECK directive for improved container monitoring.

Summary

While the changes improve the container's footprint and documentation availability, they introduce potential risks related to dependency compatibility and backward compatibility. Address the critical issues and warnings before merging this pull request.

@github-actions github-actions Bot left a comment

🤖 AI Agent: contributor-guide — Welcome! 👋

Hi there, and welcome to the Agent Governance Toolkit community! 🎉 Thank you so much for taking the time to contribute to this project. It's always exciting to see new contributors, and we appreciate your effort in improving the Dockerfile.sidecar. Let's dive into your pull request together!

What You Did Well ✅

  1. Clear Description: Your PR description is detailed and well-structured. You clearly outlined the changes made, their purpose, and the reasoning behind them. This makes it easy for reviewers to understand your thought process. Great job! 👏

  2. Focus on Security and Optimization: I love that you took the initiative to reduce the container's footprint and potential attack surface by limiting the installed dependency groups and explicitly adding pyyaml. This shows a strong focus on best practices. 🚀

  3. Documentation Update: Including the README.md in the container is a thoughtful addition. It ensures that important documentation is readily available, which is a nice touch for usability. 📄

  4. Checklist Completion: You've filled out the PR template thoroughly, which is super helpful for maintainers. Thank you for being so thorough! ✅

Suggestions for Improvement ✨

  1. Linting with Ruff:

    • We use Ruff for linting, specifically with the E, F, and W rule categories. Before merging, could you run ruff check on your changes to ensure they align with the project's style guidelines? You can find more details in our CONTRIBUTING.md.
  2. Testing:

    • While this PR focuses on the Dockerfile, it's always a good idea to add or update tests to verify that the changes work as expected. For example:
      • Do the changes to the pip install command still allow the sidecar to function correctly?
      • Are there any edge cases where the reduced dependency groups might cause issues?
    • Tests for this package should go under packages/agent-os/tests/. If you're unsure how to proceed, feel free to ask for guidance!
  3. Commit Message:

    • We follow the Conventional Commits standard for commit messages. Your PR title is close, but it would be great if you could update it to something like:
      fix(dockerfile): update Python version and optimize dependency installation
    • This helps us maintain a clean and consistent commit history.
  4. Security Considerations:

    • Since this PR modifies a Dockerfile, which is part of the build process, it falls under the category of security-sensitive code. While your changes look good at first glance, we'll need to ensure that the updated dependencies and Python version don't introduce any vulnerabilities. If you haven't already, you might want to double-check the security advisories for the new base image (python:3.11-slim) and the added dependencies.

Next Steps 🚀

  1. Run Ruff: Please run ruff check locally and fix any linting issues.
  2. Add Tests: If possible, add or update tests to validate the changes.
  3. Update Commit Message: Adjust your commit message to follow the Conventional Commits format.
  4. Wait for Feedback: Once you've addressed the above points, let us know by commenting here. A maintainer will review your updates and provide further feedback if needed.

Helpful Resources 📚

Thank you again for your contribution! We're here to help if you have any questions or need assistance with the next steps. Just let us know. 😊

Looking forward to your updates!

Warm regards,
contributor-guide 🚀

@github-actions github-actions Bot left a comment

🤖 AI Agent: security-scanner — Security Review of `Dockerfile.sidecar` Changes

1. Prompt Injection Defense Bypass

  • Risk: No direct changes in this PR affect prompt injection defenses. However, the inclusion of pyyaml as a dependency introduces potential risks if YAML parsing is used for configuration or input handling without proper sanitization.
  • Rating: 🔵 LOW
  • Fix: Ensure that any YAML parsing in the codebase uses safe_load instead of load to prevent arbitrary code execution during deserialization.

2. Policy Engine Circumvention

  • Risk: No changes in this PR directly affect the policy engine or its enforcement mechanisms.
  • Rating: 🔵 LOW
  • Fix: None required.

3. Trust Chain Weaknesses

  • Risk: The downgrade from python:3.14-slim to python:3.11-slim could introduce vulnerabilities if the older Python version lacks critical security patches. While Python 3.11 is still supported, it is important to verify that all security patches are applied.
  • Rating: 🟠 HIGH
  • Fix: Confirm that the python:3.11-slim image is up-to-date with the latest security patches. Consider using a specific digest for the Docker base image (e.g., python:3.11-slim@sha256:<digest>) to prevent supply chain attacks or unintended updates.

4. Credential Exposure

  • Risk: The pip install command does not expose credentials directly. However, if any sensitive environment variables are present during the build process, they could inadvertently be cached in Docker layers.
  • Rating: 🔵 LOW
  • Fix: Ensure that no sensitive environment variables are set during the build process. Use --build-arg for any required build-time variables and avoid storing secrets in the Dockerfile.

5. Sandbox Escape

  • Risk: No changes in this PR directly affect container isolation or sandboxing mechanisms.
  • Rating: 🔵 LOW
  • Fix: None required.

6. Deserialization Attacks

  • Risk: The explicit addition of pyyaml as a dependency introduces a potential attack vector if YAML files are deserialized unsafely using yaml.load instead of yaml.safe_load.
  • Rating: 🟠 HIGH
  • Fix: Audit the codebase to ensure that pyyaml is used securely. Replace any instances of yaml.load with yaml.safe_load to mitigate deserialization risks.

7. Race Conditions

  • Risk: No changes in this PR introduce race conditions in policy checks or trust evaluations.
  • Rating: 🔵 LOW
  • Fix: None required.

8. Supply Chain

  • Risk: The use of pip install with editable mode (-e) and dependency groups (.[cmvk,iatp,amb,observability]) introduces a potential supply chain risk if dependencies are not pinned to specific versions. This could allow malicious or compromised packages to be installed.
  • Rating: 🔴 CRITICAL
  • Fix: Pin all dependencies to specific versions in pyproject.toml or a requirements.txt file. Additionally, consider using a tool like pip-tools to lock dependencies and their transitive dependencies. Validate the integrity of dependencies using hashes (e.g., pip install --require-hashes).

Summary of Findings

  1. Trust Chain Weaknesses: 🟠 HIGH — Downgrade to python:3.11-slim needs verification for security patches.
  2. Deserialization Attacks: 🟠 HIGH — Addition of pyyaml requires auditing for safe usage.
  3. Supply Chain Risks: 🔴 CRITICAL — Dependencies should be pinned to specific versions to prevent supply chain attacks.

Suggested Actions

  1. Verify the security patch status of the python:3.11-slim base image and consider pinning to a specific digest.
  2. Audit the codebase for any unsafe usage of pyyaml and enforce the use of yaml.safe_load.
  3. Pin all dependencies to specific versions in pyproject.toml or a requirements.txt file. Use dependency locking and hash validation to mitigate supply chain risks.

These changes are critical to ensuring the security of the agent governance toolkit and its downstream users.
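The hardening points the two bot reviews above converge on (a digest-pinned base image, a hash-checked pip install, no secrets baked into ENV layers, a USER directive and a HEALTHCHECK) as a small lint pass over a Dockerfile. This is an added example, not code from the agent-os project or its review bots; the two Dockerfile strings are constructed to mirror the PR description, and the digest, the requirements.lock file and the sidecar module name are placeholders.

```python
"""Lint a Dockerfile for the hardening points raised in the review comments above."""
import re

# Constructed sample shaped like the PR's description of Dockerfile.sidecar; not the project's file.
WEAK_DOCKERFILE = """\
FROM python:3.11-slim
COPY pyproject.toml README.md ./
RUN pip install -e ".[cmvk,iatp,amb,observability]" pyyaml && rm -rf /root/.cache
RUN useradd -m sidecar
CMD ["python", "-m", "sidecar"]
"""

# The same sample with the reviews' fixes applied (digest, lock file and module name are placeholders).
HARDENED_DOCKERFILE = """\
FROM python:3.11-slim@sha256:<digest-of-the-verified-image>
COPY pyproject.toml README.md requirements.lock ./
RUN pip install --require-hashes -r requirements.lock && pip install --no-deps -e . && rm -rf /root/.cache
RUN useradd -m sidecar
USER sidecar
HEALTHCHECK --interval=30s CMD python -c "import sidecar" || exit 1
CMD ["python", "-m", "sidecar"]
"""

def _instructions(text):
    """Yield (keyword, args) pairs; joins backslash-continued lines and skips comments."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            kw, _, rest = line.partition(" ")
            yield kw.upper(), rest.strip()

def lint_dockerfile(text):
    """Return a list of findings; an empty list means every check passed."""
    instrs = list(_instructions(text))
    present = {kw for kw, _ in instrs}
    findings = []
    for kw, args in instrs:
        if kw == "FROM" and "@sha256:" not in args:
            findings.append(f"base image not pinned to a digest: {args}")
        if kw == "RUN" and "pip install" in args and "--require-hashes" not in args:
            findings.append("pip install without --require-hashes")
        if kw == "ENV" and re.search(r"TOKEN|SECRET|PASSWORD", args, re.I):
            findings.append(f"secret-looking value baked into an ENV layer: {args}")
    if "USER" not in present:
        findings.append("no USER directive: the container runs as root")
    if "HEALTHCHECK" not in present:
        findings.append("no HEALTHCHECK directive")
    return findings
```

Running lint_dockerfile over WEAK_DOCKERFILE reports four findings (unpinned base image, unhashed pip install, no USER, no HEALTHCHECK); HARDENED_DOCKERFILE reports none.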

@imran-siddique (Member)

Thanks @ryanzhang-oss! We actually fixed this Dockerfile in #1243 (merged April 20) — the COPY paths and pip install were corrected. Your PR conflicts with that fix. If you see remaining issues with the sidecar Dockerfile, please open a new PR against the current main. Appreciate the effort!
