unraid-mcp/scripts/check-docker-security.sh

#!/usr/bin/env bash
# check-docker-security.sh — Verify Dockerfile follows plugin security conventions
# Run standalone: bash scripts/check-docker-security.sh [path/to/Dockerfile]
# Run in pre-commit: add as a hook (see .pre-commit-config.yaml example in plugin-setup-guide)
#
# Checks:
#   1. Multi-stage build (separate builder + runtime stages)
#   2. Non-root user (USER 1000:1000 or ${PUID}:${PGID})
#   3. No sensitive ENV directives baked into the image
#   4. HEALTHCHECK present
set -euo pipefail

PASS=0
FAIL=0
WARN=0

pass() { echo "  ✓ PASS: $1"; PASS=$((PASS + 1)); }
fail() { echo "  ✗ FAIL: $1 — $2"; FAIL=$((FAIL + 1)); }
warn() { echo "  ⚠ WARN: $1 — $2"; WARN=$((WARN + 1)); }

# Find Dockerfile
DOCKERFILE="${1:-Dockerfile}"
if [[ ! -f "$DOCKERFILE" ]]; then
  echo "Error: $DOCKERFILE not found" >&2
  exit 1
fi

echo "=== Docker Security Check: $DOCKERFILE ==="

# ── 1. Multi-stage build ─────────────────────────────────────────────────────
FROM_COUNT=$(grep -cE '^FROM\s' "$DOCKERFILE" || true)
if [[ "$FROM_COUNT" -ge 2 ]]; then
  pass "Multi-stage build ($FROM_COUNT stages)"
else
  fail "Multi-stage build" "Found $FROM_COUNT FROM directive(s) — need at least 2 (builder + runtime)"
fi

# Check for named stages
if grep -qE '^FROM\s.+\sAS\s+builder' "$DOCKERFILE"; then
  pass "Named builder stage"
else
  warn "Named builder stage" "No 'FROM ... AS builder' found — recommend naming stages"
fi

if grep -qE '^FROM\s.+\sAS\s+runtime' "$DOCKERFILE"; then
  pass "Named runtime stage"
else
  warn "Named runtime stage" "No 'FROM ... AS runtime' found — recommend naming stages"
fi

# ── 2. Non-root user ─────────────────────────────────────────────────────────
# Check for USER directive
if grep -qE '^USER\s' "$DOCKERFILE"; then
  USER_LINE=$(grep -E '^USER\s' "$DOCKERFILE" | tail -1)
  USER_VALUE=$(echo "$USER_LINE" | sed 's/^USER\s*//')

  # Check for 1000:1000 or variable-based UID:GID
  if echo "$USER_VALUE" | grep -qE '^\$?\{?PUID|1000:1000|1000$'; then
    pass "Non-root user ($USER_VALUE)"
  else
    warn "Non-root user" "USER is '$USER_VALUE' — expected 1000:1000 or \${PUID}:\${PGID}"
  fi
else
  # Check if docker-compose.yaml handles it via user: directive
  if [[ -f "docker-compose.yaml" ]] && grep -qE '^\s+user:' docker-compose.yaml; then
    warn "Non-root user" "No USER in Dockerfile but docker-compose.yaml sets user: — acceptable if always run via compose"
  else
    fail "Non-root user" "No USER directive found — container runs as root"
  fi
fi

# Check there's no USER root after the runtime stage
RUNTIME_START=$(grep -nE '^FROM\s.+\sAS\s+runtime' "$DOCKERFILE" | head -1 | cut -d: -f1 || true)
if [[ -n "$RUNTIME_START" ]]; then
  if tail -n +"$RUNTIME_START" "$DOCKERFILE" | grep -qE '^USER\s+root'; then
    fail "No root in runtime" "USER root found after runtime stage — never run as root in production"
  else
    pass "No root in runtime stage"
  fi
fi

# ── 3. No sensitive ENV baked in ──────────────────────────────────────────────
SENSITIVE_PATTERNS='(API_KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL|PRIVATE_KEY|AUTH)'
BAKED_ENVS=$(grep -nE "^ENV\s+.*${SENSITIVE_PATTERNS}" "$DOCKERFILE" || true)
if [[ -n "$BAKED_ENVS" ]]; then
  fail "No baked secrets" "Sensitive ENV directives found in Dockerfile:"
  echo "$BAKED_ENVS" | while IFS= read -r line; do
    echo "    $line"
  done
else
  pass "No baked secrets in ENV directives"
fi

# Check for ARG with defaults that look like secrets
BAKED_ARGS=$(grep -nE "^ARG\s+.*${SENSITIVE_PATTERNS}.*=" "$DOCKERFILE" || true)
if [[ -n "$BAKED_ARGS" ]]; then
  warn "No baked ARG secrets" "ARG with sensitive defaults found (may leak via docker history):"
  echo "$BAKED_ARGS" | while IFS= read -r line; do
    echo "    $line"
  done
else
  pass "No baked secrets in ARG defaults"
fi

# ── 4. HEALTHCHECK ────────────────────────────────────────────────────────────
if grep -qE '^HEALTHCHECK\s' "$DOCKERFILE"; then
  pass "HEALTHCHECK directive present"
  if grep -qE '/health' "$DOCKERFILE"; then
    pass "HEALTHCHECK uses /health endpoint"
  else
    warn "HEALTHCHECK endpoint" "HEALTHCHECK doesn't reference /health — ensure it matches your health endpoint"
  fi
else
  warn "HEALTHCHECK" "No HEALTHCHECK in Dockerfile — relying on docker-compose healthcheck only"
fi

# ── 5. Dependency layer caching ───────────────────────────────────────────────
# Check that manifest files are copied before source (for layer caching)
COPY_LINES=$(grep -nE '^COPY\s' "$DOCKERFILE" || true)
FIRST_MANIFEST_COPY=""
FIRST_SOURCE_COPY=""

while IFS= read -r line; do
  linenum=$(echo "$line" | cut -d: -f1)
  content=$(echo "$line" | cut -d: -f2-)
  if echo "$content" | grep -qE '(pyproject\.toml|package.*\.json|Cargo\.(toml|lock)|go\.(mod|sum)|uv\.lock)'; then
    [[ -z "$FIRST_MANIFEST_COPY" ]] && FIRST_MANIFEST_COPY="$linenum"
  elif echo "$content" | grep -qE '\.\s+\.|src/|lib/'; then
    [[ -z "$FIRST_SOURCE_COPY" ]] && FIRST_SOURCE_COPY="$linenum"
  fi
done <<< "$COPY_LINES"

if [[ -n "$FIRST_MANIFEST_COPY" && -n "$FIRST_SOURCE_COPY" ]]; then
  if [[ "$FIRST_MANIFEST_COPY" -lt "$FIRST_SOURCE_COPY" ]]; then
    pass "Dependency manifest copied before source (layer caching)"
  else
    warn "Layer caching" "Source copied before dependency manifest — swap order for better Docker layer caching"
  fi
fi

# ── Summary ───────────────────────────────────────────────────────────────────
echo
echo "Results: $PASS passed, $FAIL failed, $WARN warnings"
[[ "$FAIL" -eq 0 ]] && echo "DOCKER SECURITY CHECK PASSED" && exit 0
echo "DOCKER SECURITY CHECK FAILED" && exit 1
chore(quality-gates): add Justfile, .pre-commit-config.yaml, and check scripts - Justfile: standard recipes (dev, test, lint, fmt, typecheck, validate-skills, build, up, down, restart, logs, health, test-live, setup, gen-token, check-contract, clean) using uv/ruff for Python - .pre-commit-config.yaml: four hooks (skills-validate, docker-security, no-baked-env, ensure-ignore-files) - scripts/: copy check-docker-security.sh, check-no-baked-env.sh, check-outdated-deps.sh, ensure-ignore-files.sh, lint-plugin.sh from claude-homelab canonical source; all chmod +x Closes claude-homelab-5sy 2026-03-31 21:25:56 +00:00			`#!/usr/bin/env bash`
			`# check-docker-security.sh — Verify Dockerfile follows plugin security conventions`
			`# Run standalone: bash scripts/check-docker-security.sh [path/to/Dockerfile]`
			`# Run in pre-commit: add as a hook (see .pre-commit-config.yaml example in plugin-setup-guide)`
			`#`
			`# Checks:`
			`# 1. Multi-stage build (separate builder + runtime stages)`
			`# 2. Non-root user (USER 1000:1000 or ${PUID}:${PGID})`
			`# 3. No sensitive ENV directives baked into the image`
			`# 4. HEALTHCHECK present`
			`set -euo pipefail`

			`PASS=0`
			`FAIL=0`
			`WARN=0`

			`pass() { echo " ✓ PASS: $1"; PASS=$((PASS + 1)); }`
			`fail() { echo " ✗ FAIL: $1 — $2"; FAIL=$((FAIL + 1)); }`
			`warn() { echo " ⚠ WARN: $1 — $2"; WARN=$((WARN + 1)); }`

			`# Find Dockerfile`
			`DOCKERFILE="${1:-Dockerfile}"`
			`if [[ ! -f "$DOCKERFILE" ]]; then`
			`echo "Error: $DOCKERFILE not found" >&2`
			`exit 1`
			`fi`

			`echo "=== Docker Security Check: $DOCKERFILE ==="`

			`# ── 1. Multi-stage build ─────────────────────────────────────────────────────`
			`FROM_COUNT=$(grep -cE '^FROM\s' "$DOCKERFILE" \|\| true)`
			`if [[ "$FROM_COUNT" -ge 2 ]]; then`
			`pass "Multi-stage build ($FROM_COUNT stages)"`
			`else`
			`fail "Multi-stage build" "Found $FROM_COUNT FROM directive(s) — need at least 2 (builder + runtime)"`
			`fi`

			`# Check for named stages`
			`if grep -qE '^FROM\s.+\sAS\s+builder' "$DOCKERFILE"; then`
			`pass "Named builder stage"`
			`else`
			`warn "Named builder stage" "No 'FROM ... AS builder' found — recommend naming stages"`
			`fi`

			`if grep -qE '^FROM\s.+\sAS\s+runtime' "$DOCKERFILE"; then`
			`pass "Named runtime stage"`
			`else`
			`warn "Named runtime stage" "No 'FROM ... AS runtime' found — recommend naming stages"`
			`fi`

			`# ── 2. Non-root user ─────────────────────────────────────────────────────────`
			`# Check for USER directive`
			`if grep -qE '^USER\s' "$DOCKERFILE"; then`
			`USER_LINE=$(grep -E '^USER\s' "$DOCKERFILE" \| tail -1)`
			`USER_VALUE=$(echo "$USER_LINE" \| sed 's/^USER\s*//')`

			`# Check for 1000:1000 or variable-based UID:GID`
			`if echo "$USER_VALUE" \| grep -qE '^\$?\{?PUID\|1000:1000\|1000$'; then`
			`pass "Non-root user ($USER_VALUE)"`
			`else`
			`warn "Non-root user" "USER is '$USER_VALUE' — expected 1000:1000 or \${PUID}:\${PGID}"`
			`fi`
			`else`
			`# Check if docker-compose.yaml handles it via user: directive`
			`if [[ -f "docker-compose.yaml" ]] && grep -qE '^\s+user:' docker-compose.yaml; then`
			`warn "Non-root user" "No USER in Dockerfile but docker-compose.yaml sets user: — acceptable if always run via compose"`
			`else`
			`fail "Non-root user" "No USER directive found — container runs as root"`
			`fi`
			`fi`

			`# Check there's no USER root after the runtime stage`
			`RUNTIME_START=$(grep -nE '^FROM\s.+\sAS\s+runtime' "$DOCKERFILE" \| head -1 \| cut -d: -f1 \|\| true)`
			`if [[ -n "$RUNTIME_START" ]]; then`
			`if tail -n +"$RUNTIME_START" "$DOCKERFILE" \| grep -qE '^USER\s+root'; then`
			`fail "No root in runtime" "USER root found after runtime stage — never run as root in production"`
			`else`
			`pass "No root in runtime stage"`
			`fi`
			`fi`

			`# ── 3. No sensitive ENV baked in ──────────────────────────────────────────────`
			`SENSITIVE_PATTERNS='(API_KEY\|TOKEN\|SECRET\|PASSWORD\|CREDENTIAL\|PRIVATE_KEY\|AUTH)'`
			`BAKED_ENVS=$(grep -nE "^ENV\s+.*${SENSITIVE_PATTERNS}" "$DOCKERFILE" \|\| true)`
			`if [[ -n "$BAKED_ENVS" ]]; then`
			`fail "No baked secrets" "Sensitive ENV directives found in Dockerfile:"`
			`echo "$BAKED_ENVS" \| while IFS= read -r line; do`
			`echo " $line"`
			`done`
			`else`
			`pass "No baked secrets in ENV directives"`
			`fi`

			`# Check for ARG with defaults that look like secrets`
			`BAKED_ARGS=$(grep -nE "^ARG\s+.${SENSITIVE_PATTERNS}.=" "$DOCKERFILE" \|\| true)`
			`if [[ -n "$BAKED_ARGS" ]]; then`
			`warn "No baked ARG secrets" "ARG with sensitive defaults found (may leak via docker history):"`
			`echo "$BAKED_ARGS" \| while IFS= read -r line; do`
			`echo " $line"`
			`done`
			`else`
			`pass "No baked secrets in ARG defaults"`
			`fi`

			`# ── 4. HEALTHCHECK ────────────────────────────────────────────────────────────`
			`if grep -qE '^HEALTHCHECK\s' "$DOCKERFILE"; then`
			`pass "HEALTHCHECK directive present"`
			`if grep -qE '/health' "$DOCKERFILE"; then`
			`pass "HEALTHCHECK uses /health endpoint"`
			`else`
			`warn "HEALTHCHECK endpoint" "HEALTHCHECK doesn't reference /health — ensure it matches your health endpoint"`
			`fi`
			`else`
			`warn "HEALTHCHECK" "No HEALTHCHECK in Dockerfile — relying on docker-compose healthcheck only"`
			`fi`

			`# ── 5. Dependency layer caching ───────────────────────────────────────────────`
			`# Check that manifest files are copied before source (for layer caching)`
			`COPY_LINES=$(grep -nE '^COPY\s' "$DOCKERFILE" \|\| true)`
			`FIRST_MANIFEST_COPY=""`
			`FIRST_SOURCE_COPY=""`

			`while IFS= read -r line; do`
			`linenum=$(echo "$line" \| cut -d: -f1)`
			`content=$(echo "$line" \| cut -d: -f2-)`
			`if echo "$content" \| grep -qE '(pyproject\.toml\|package.*\.json\|Cargo\.(toml\|lock)\|go\.(mod\|sum)\|uv\.lock)'; then`
			`[[ -z "$FIRST_MANIFEST_COPY" ]] && FIRST_MANIFEST_COPY="$linenum"`
			`elif echo "$content" \| grep -qE '\.\s+\.\|src/\|lib/'; then`
			`[[ -z "$FIRST_SOURCE_COPY" ]] && FIRST_SOURCE_COPY="$linenum"`
			`fi`
			`done <<< "$COPY_LINES"`

			`if [[ -n "$FIRST_MANIFEST_COPY" && -n "$FIRST_SOURCE_COPY" ]]; then`
			`if [[ "$FIRST_MANIFEST_COPY" -lt "$FIRST_SOURCE_COPY" ]]; then`
			`pass "Dependency manifest copied before source (layer caching)"`
			`else`
			`warn "Layer caching" "Source copied before dependency manifest — swap order for better Docker layer caching"`
			`fi`
			`fi`

			`# ── Summary ───────────────────────────────────────────────────────────────────`
			`echo`
			`echo "Results: $PASS passed, $FAIL failed, $WARN warnings"`
			`[[ "$FAIL" -eq 0 ]] && echo "DOCKER SECURITY CHECK PASSED" && exit 0`
			`echo "DOCKER SECURITY CHECK FAILED" && exit 1`