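// Hardened devcontainer configuration for enhanced security
// For format details, see https://aka.ms/devcontainer.json. For config options, see the README at:
// https://github.com/microsoft/vscode-dev-containers/tree/v0.177.0/containers/javascript-node
// - Security hardened version with minimal features and restricted access
//
// This file is JSONC (comments allowed), which the devcontainer tooling accepts;
// it must not be fed to a strict RFC 8259 JSON parser.
{
  "name": "docs.github.com (Security Hardened)",
  "build": {
    "dockerfile": "Dockerfile.hardened",
    // Use specific Node version instead of generic variant.
    // "22" is a major version only; how Dockerfile.hardened resolves it to a
    // base-image tag or digest is defined in that Dockerfile, not here.
    "args": { "VARIANT": "22" }
  },
  // Minimal features - removed SSH daemon for security
  "features": {
    // Only the GitHub CLI. The "version" below pins the CLI binary the feature
    // installs; the feature reference itself (":1") is a floating major tag, so
    // the feature's own install script is NOT pinned. For a hardened setup,
    // reference the feature by digest instead, e.g.
    // "ghcr.io/devcontainers/features/github-cli@sha256:<feature-digest>"
    // (placeholder - use the digest of the reviewed feature release).
    "ghcr.io/devcontainers/features/github-cli:1": {
      "version": "2.40.1"
    }
  },
  "customizations": {
    "vscode": {
      // Set *default* container specific settings.json values on container create.
      "settings": {
        // NOTE: "terminal.integrated.shell.linux" is a deprecated VS Code setting
        // (superseded by terminal profiles, e.g. "terminal.integrated.defaultProfile.linux");
        // newer VS Code releases may ignore it.
        "terminal.integrated.shell.linux": "/bin/bash",
        // NOTE(review): the leading comma in ",en" looks unintentional - confirm
        // against the cSpell documentation before changing it.
        "cSpell.language": ",en",
        // Disable auto-fetch so VS Code does not contact git remotes in the
        // background; fetching is an explicit, manual action.
        "git.autofetch": false
      },
      // Minimal essential extensions only - removed potential security risks.
      // Extension IDs are not version-pinned here; the marketplace resolves the
      // version at install time.
      "extensions": [
        "dbaeumer.vscode-eslint",
        "sissel.shopify-liquid",
        "davidanson.vscode-markdownlint",
        "bierner.markdown-preview-github-styles",
        "streetsidesoftware.code-spell-checker"
        // Removed extensions that could pose security risks:
        // - Custom extensions that might have privileged access
        // - GitHub Copilot extensions (can be added manually if needed)
      ]
    }
    // Removed codespaces repository permissions for security
    // External repository access must be granted manually
  },
  // Use 'forwardPorts' to make a list of ports inside the container available locally.
  "forwardPorts": [4000],
  "portsAttributes": {
    "4000": {
      "label": "Review"
    }
  },
  // Security hardened lifecycle commands - minimal automatic execution.
  // Only an informational echo runs on create; dependencies (npm ci) are
  // installed manually, so no package scripts execute unattended.
  "onCreateCommand": "echo 'Security hardened container created. Run npm ci manually to install dependencies.'",
  // Removed automatic npm start for security - manual startup required
  // Removed automatic port visibility command - manual configuration required
  // Connect as the non-root "node" user. Remove this property to connect as
  // root instead. More info: https://aka.ms/vscode-remote/containers/non-root.
  "remoteUser": "node",
  // Minimum host machine spec for this container; this is a requirement on the
  // host, not a resource cap on the container. Per the devcontainer.json
  // schema "cpus" is an integer and "memory" is a string - the previous
  // "cpus": "2" string value was a type mismatch.
  "hostRequirements": {
    "memory": "8gb",
    "cpus": 2
  }
}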