[FEATURE] Migrate Dockerfile to Docker Hardened Images (DHI) #457
Description
Problem
The current Dockerfile uses the standard python:3.13.3-slim-bookworm base image, which contains 152 known vulnerabilities and a larger attack surface than necessary for production deployments. As security requirements become more stringent and compliance becomes increasingly important, we need a more secure, minimal, and actively maintained base image solution.
Pain points with the current approach:
- High number of CVEs in base images requiring constant monitoring and patching
- Lack of built-in SBOM (Software Bill of Materials) and provenance attestations
- No formal security compliance certifications (SLSA, CIS benchmarks)
- Larger attack surface due to unnecessary packages in the base image
- Manual effort required to stay current with security updates
Proposed Solution
Migrate the application's Dockerfile to use Docker Hardened Images (DHI) - Docker's official, minimal, and secure container base images. DHI provides:
- Up to 95% reduction in attack surface compared to standard images
- Near-zero CVEs actively maintained by Docker's security team
- Built-in compliance artifacts: SBOM, provenance attestations, SLSA Build Level 3
- Free and open source under Apache 2.0 license
- Drop-in replacement for existing Python images with minimal code changes
Expected behavior after implementation:
- Application continues to function identically
- Dramatically reduced vulnerability count in base images
- Automatic security updates and patching by Docker
- Enhanced security posture for production deployments
- Full supply chain transparency with built-in attestations
Suggested Approach
Technical Implementation Plan
1. Update Base Images
Builder Stage:
# Replace:
FROM python:3.13.3-slim-bookworm AS builder
# With:
FROM dhi.io/python:3.13-debian13-dev AS builderRuntime Stage:
# Replace:
FROM python:3.13.3-slim-bookworm AS runtime
# With:
FROM dhi.io/python:3.13-debian13 AS runtime2. Remove Redundant Build Dependencies
The DHI -dev variant already includes build tools, so remove this section from the builder stage:
# REMOVE THIS (already included in -dev image):
RUN apt-get update && \
apt-get install -y --no-install-recommends build-essential gcc libffi-dev libssl-dev && \
rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*.deb3. Update Health Check Implementation
Since DHI runtime images are minimal (distroless-style) and don't include curl by default, we need to adapt the health check.
Option A (Recommended): Python-based health check
Add a health endpoint to main.py:
@app.get("/health")
async def health():
return {"status": "healthy", "version": "1.0.0"}Update Dockerfile health check:
HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
CMD ["python", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:9000/health')"]Option B: Install curl if absolutely necessary
# In runtime stage, before USER fastapi
RUN apt-get update && apt-get install -y --no-install-recommends curl && \
rm -rf /var/lib/apt/lists/*4. Update scripts/healthcheck.sh (if using Option A)
Modify to use Python instead of curl:
#!/bin/sh
python -c "import urllib.request; import sys; urllib.request.urlopen('http://localhost:9000/health'); sys.exit(0)" || exit 15. Key Files to Modify
Dockerfile- Primary changes for base images and build processmain.py- Add/healthendpoint (if using Option A)scripts/healthcheck.sh- Update health check logicREADME.md- Document DHI usage and benefits.github/workflows/*.yml- Update CI/CD if authentication todhi.iois needed
6. Architecture Considerations
- Multi-stage build preserved: Builder stage uses
-devvariant, runtime uses minimal variant - Non-root user maintained: DHI images run as non-root by default; our explicit
fastapiuser is kept for consistency - Storage volume approach unchanged:
/storagemount point works identically - No application code changes required: Only infrastructure changes
7. Docker Registry Strategy
Phase 1: Direct Pull (Immediate)
# Authenticate to DHI registry
docker login dhi.io
# Use Docker Hub credentialsPhase 2: Mirror to Organization (Optional, for customization)
# Mirror DHI to your Docker Hub namespace
docker pull dhi.io/python:3.13-debian13
docker tag dhi.io/python:3.13-debian13 <your-org>/dhi-python:3.13-debian13
docker push <your-org>/dhi-python:3.13-debian13Acceptance Criteria
Functional Requirements
- Application builds successfully using DHI base images
- All existing functionality works identically (API endpoints, database access, file operations)
- Container starts and stops correctly
- Health check passes consistently
- Application serves requests on port 9000
- Volume mounts work correctly (
/storagedirectory) - Non-root user (
fastapi) operates without permission issues
Security & Compliance
- Docker Scout scan shows significantly reduced CVE count compared to previous image
- SBOM is available and complete (
docker buildx imagetools inspect --format "{{json .SBOM}}") - Provenance attestations are present
- Image signatures are verifiable
- No critical or high severity vulnerabilities in base image
Testing & Validation
- Unit tests pass in new container
- Integration tests pass
- Load testing shows no performance regression
- Health check endpoint responds correctly
- Container logs are captured correctly
- Application metrics/monitoring continue to work
Documentation
- README.md updated with DHI information
- Dockerfile includes comments explaining DHI usage
- Migration guide added to documentation
- CI/CD pipeline documentation updated if authentication changes required
Rollback Plan
- Previous Dockerfile backed up as
Dockerfile.legacy - Rollback procedure documented
- Ability to quickly revert to standard Python images if needed
References
Docker Hardened Images Documentation
Security & Compliance
Related Issues
- Security audit findings (if applicable)
- Compliance requirements tracking (if applicable)
- Previous vulnerability remediation efforts