From 8ecf40de3c14d259bb00a20d9ba55f469400d28b Mon Sep 17 00:00:00 2001
From: Filipe Constantinov Menezes
Date: Fri, 16 May 2025 10:49:49 +0100
Subject: [PATCH 1/9] fix: docker security warnings

---
 .github/workflows/docker.yaml | 2 ++
 Dockerfile | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index a4af190..f63b609 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -3,6 +3,7 @@ on:
 schedule:
 - cron: "0 1 * * *" # Every day at 1:00 AM
 workflow_dispatch: # Run the action manually
+ pull_request: # TODO: Remove this before merging
 permissions:
 contents: read
 issues: write
@@ -37,6 +38,7 @@ jobs:
 tags: ${{ vars.DOCKERHUB_IMAGE_REPOSITORY }}:latest, ${{ vars.DOCKERHUB_IMAGE_REPOSITORY }}:${{ steps.set-properties.outputs.VERSION }}, ${{ vars.DOCKERHUB_IMAGE_REPOSITORY }}:${{ steps.set-properties.outputs.VERSION }}-${{ steps.set-properties.outputs.DATE }}
 file: Dockerfile
 push: true
+ provenance: true
 build-args: |
 VERSION=${{ steps.set-properties.outputs.VERSION }}
 - uses: mongodb-js/devtools-shared/actions/setup-bot-token@main
diff --git a/Dockerfile b/Dockerfile
index 691a323..42e237f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,7 @@
 FROM node:22-alpine
+RUN groupadd -g 1000 mcp && \
+ useradd -m -u 1000 -g mcp mcp
+USER mcp
 ARG VERSION=latest
 RUN npm install -g mongodb-mcp-server@${VERSION}
 ENTRYPOINT ["mongodb-mcp-server"]

From f214784ff9026bb4741aca125c0e2cfdb8fe2f4d Mon Sep 17 00:00:00 2001
From: Filipe Constantinov Menezes
Date: Fri, 16 May 2025 10:53:10 +0100
Subject: [PATCH 2/9] fix: user

---
 Dockerfile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 42e237f..af4cc35 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,5 @@
 FROM node:22-alpine
-RUN groupadd -g 1000 mcp && \
- useradd -m -u 1000 -g mcp mcp
+RUN addgroup -S mcp && adduser -S mcp -G mcp
 USER mcp
 ARG VERSION=latest
 RUN npm install -g mongodb-mcp-server@${VERSION}

From 0371e80a5e024b4a3f62604e53ede2d6d7ab7910 Mon Sep 17 00:00:00 2001
From: Filipe Constantinov Menezes
Date: Fri, 16 May 2025 12:05:27 +0100
Subject: [PATCH 3/9] fix: user

---
 Dockerfile | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index af4cc35..801b2e1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,8 +1,9 @@
 FROM node:22-alpine
-RUN addgroup -S mcp && adduser -S mcp -G mcp
+RUN addgroup -S mcp && adduser -S mcp -G mcp && chown -R mcp:mcp /usr/local/lib/node_modules
+RUN npm install -g mongodb-mcp-server@${VERSION}
 USER mcp
+WORKDIR /home/mcp
 ARG VERSION=latest
-RUN npm install -g mongodb-mcp-server@${VERSION}
 ENTRYPOINT ["mongodb-mcp-server"]
 LABEL maintainer="MongoDB Inc "
 LABEL description="MongoDB MCP Server"

From 63a234dc94451241a1e32bf40baf646635cf4a37 Mon Sep 17 00:00:00 2001
From: Filipe Constantinov Menezes
Date: Fri, 16 May 2025 12:08:13 +0100
Subject: [PATCH 4/9] fix: handle server termination

---
 src/index.ts | 16 ++++++++++++++++
 src/logger.ts | 3 +++
 2 files changed, 19 insertions(+)

diff --git a/src/index.ts b/src/index.ts
index ee33207..8f5738c 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -31,6 +31,22 @@ try {
 const transport = createEJsonTransport();
+ process.on("SIGINT", () => {
+ logger.info(LogId.serverCloseRequested, "server", `Server close requested`);
+
+ server
+ .close()
+ .then(() => {
+ logger.info(LogId.serverClosed, "server", `Server closed successfully`);
+ process.exit(0);
+ })
+ .catch((err: unknown) => {
+ const error = err instanceof Error ? err : new Error(String(err));
+ logger.error(LogId.serverCloseFailure, "server", `Error closing server: ${error.message}`);
+ process.exit(1);
+ });
+ });
+
 await server.connect(transport);
 } catch (error: unknown) {
 logger.emergency(LogId.serverStartFailure, "server", `Fatal error running server: ${error as string}`);
diff --git a/src/logger.ts b/src/logger.ts
index 1fa694b..73cf010 100644
--- a/src/logger.ts
+++ b/src/logger.ts
@@ -9,6 +9,9 @@ export type LogLevel = LoggingMessageNotification["params"]["level"];
 export const LogId = {
 serverStartFailure: mongoLogId(1_000_001),
 serverInitialized: mongoLogId(1_000_002),
+ serverCloseRequested: mongoLogId(1_000_003),
+ serverClosed: mongoLogId(1_000_004),
+ serverCloseFailure: mongoLogId(1_000_005),
 atlasCheckCredentials: mongoLogId(1_001_001),
 atlasDeleteDatabaseUserFailure: mongoLogId(1_001_002),

From 554cea2ae167bf237d5731cda3aac104087cde9d Mon Sep 17 00:00:00 2001
From: Filipe Constantinov Menezes
Date: Fri, 16 May 2025 12:08:29 +0100
Subject: [PATCH 5/9] fix: reduce permissions

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 801b2e1..5183bb8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 FROM node:22-alpine
-RUN addgroup -S mcp && adduser -S mcp -G mcp && chown -R mcp:mcp /usr/local/lib/node_modules
+RUN addgroup -S mcp && adduser -S mcp -G mcp
 RUN npm install -g mongodb-mcp-server@${VERSION}
 USER mcp
 WORKDIR /home/mcp

From 8ff2d9a4c20fad0f47bb67d9ef23553a5dfeee86 Mon Sep 17 00:00:00 2001
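Review bot: The shutdown handler registered at `process.on("SIGINT", ...)` is not registered for SIGTERM, which is what `docker stop` and orchestrators send; with the exec-form `ENTRYPOINT ["mongodb-mcp-server"]` from the Dockerfile in this series the process runs as PID 1, where a signal with no installed handler is discarded, so the container would presumably only stop at the kill timeout. Register the same handler for both signals, e.g. `for (const signal of ["SIGINT", "SIGTERM"] as const) { process.on(signal, () => { /* same body */ }); }`. Second, `server.close()` has no upper bound: if it never settles, neither `process.exit` call runs and the handler has replaced the default exit-on-signal behaviour, so a `setTimeout(() => process.exit(1), <shutdown-timeout-ms>).unref()` started before `server.close()` would keep shutdown finite. The enclosing `try` block starts outside the hunk.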
From: Filipe Constantinov Menezes
Date: Fri, 16 May 2025 12:11:49 +0100
Subject: [PATCH 6/9] fix: provenance

---
 .github/workflows/docker.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index f63b609..87a14c6 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -38,7 +38,7 @@ jobs:
 tags: ${{ vars.DOCKERHUB_IMAGE_REPOSITORY }}:latest, ${{ vars.DOCKERHUB_IMAGE_REPOSITORY }}:${{ steps.set-properties.outputs.VERSION }}, ${{ vars.DOCKERHUB_IMAGE_REPOSITORY }}:${{ steps.set-properties.outputs.VERSION }}-${{ steps.set-properties.outputs.DATE }}
 file: Dockerfile
 push: true
- provenance: true
+ provenance: mode=max
 build-args: |
 VERSION=${{ steps.set-properties.outputs.VERSION }}
 - uses: mongodb-js/devtools-shared/actions/setup-bot-token@main

From c880f8700ea743ce05eca0cdf1693294c88bdf10 Mon Sep 17 00:00:00 2001
From: Filipe Constantinov Menezes
Date: Fri, 16 May 2025 12:15:41 +0100
Subject: [PATCH 7/9] fix: sbom

---
 .github/workflows/docker.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index 87a14c6..c6adaf9 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -39,6 +39,7 @@ jobs:
 file: Dockerfile
 push: true
 provenance: mode=max
+ sbom: true
 build-args: |
 VERSION=${{ steps.set-properties.outputs.VERSION }}
 - uses: mongodb-js/devtools-shared/actions/setup-bot-token@main

From 9643e70ca17241876742bf29c22b2c79f1a0449a Mon Sep 17 00:00:00 2001
From: Filipe Constantinov Menezes
Date: Fri, 16 May 2025 12:19:10 +0100
Subject: [PATCH 8/9] fix: remove PR on docker trigger

---
 .github/workflows/docker.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index c6adaf9..3964e0c 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
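Review bot: `provenance: mode=max` records the Dockerfile source and the build arguments in the attestation that is pushed next to the image, so anything passed through `build-args` is published with the image; today that is only `VERSION`, which is fine, but nothing in the hunk tells the next person who adds an argument that this is the case. A one-line comment would preserve the intent: `provenance: mode=max # attestation includes the Dockerfile and all build-args; never pass secrets as build-args`. The `sbom: true` hunk in the following patch likewise publishes the package inventory of the image and could carry a similar comment.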
@@ -3,7 +3,6 @@ on:
 schedule:
 - cron: "0 1 * * *" # Every day at 1:00 AM
 workflow_dispatch: # Run the action manually
- pull_request: # TODO: Remove this before merging
 permissions:
 contents: read
 issues: write

From 9d31bafbd9cfaf19791f93687349efec9d8da8d1 Mon Sep 17 00:00:00 2001
From: Filipe Constantinov Menezes
Date: Fri, 16 May 2025 12:21:09 +0100
Subject: [PATCH 9/9] fix: move arg up

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 5183bb8..05da379 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,9 @@
 FROM node:22-alpine
+ARG VERSION=latest
 RUN addgroup -S mcp && adduser -S mcp -G mcp
 RUN npm install -g mongodb-mcp-server@${VERSION}
 USER mcp
 WORKDIR /home/mcp
-ARG VERSION=latest
 ENTRYPOINT ["mongodb-mcp-server"]
 LABEL maintainer="MongoDB Inc "
 LABEL description="MongoDB MCP Server"
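Review bot: With `ARG VERSION=latest` now in effect for the `RUN npm install -g mongodb-mcp-server@${VERSION}` line, the final Dockerfile in this series still builds from the floating `node:22-alpine` tag and, when no build-arg is supplied, installs whatever `latest` resolves to, so two builds of the same commit can produce different images and the provenance attestation becomes the only record of what went in. Pin the base image by digest, `FROM node:22-alpine@sha256:<digest-of-reviewed-image>` (placeholder; take the digest from the image you actually reviewed), and keep the scheduled job passing the explicit VERSION it already computes. Separately, `WORKDIR /home/mcp` assumes `adduser -S mcp` created that directory owned by `mcp`; I have not confirmed busybox's `-S` behaviour here, and if the directory is instead created by the build step it may not be writable by the runtime user, so `adduser -S -h /home/mcp mcp` or an explicit `chown` would make the ownership deliberate.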