From 8ab4c994dbc50f6338f61358cb70c82c2de30cd5 Mon Sep 17 00:00:00 2001
From: Enderson Maia <endersonmaia@gmail.com>
Date: Thu, 15 Jan 2026 14:40:14 -0300
Subject: [PATCH 1/3] chore(sdk): use PostgreSQL's Docker Hardened Image

Using trivy to scan vulnerabilities in Docker images, we found that:

BEFORE    : Total: 139  (UNKNOWN: 4, LOW: 99, MEDIUM: 31, HIGH: 5, CRITICAL: 0)
AFTER     : Total: 78   (UNKNOWN: 5, LOW: 69, MEDIUM:  3, HIGH: 1, CRITICAL: 0)
---
 .github/workflows/sdk.yaml   |  7 +++++++
 packages/sdk/Dockerfile      | 13 +++++++++----
 packages/sdk/docker-bake.hcl |  4 +++-
 3 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/sdk.yaml b/.github/workflows/sdk.yaml
index 3d50630f..f0722553 100644
--- a/.github/workflows/sdk.yaml
+++ b/.github/workflows/sdk.yaml
@@ -83,6 +83,13 @@ jobs:
                   username: ${{ secrets.DOCKERHUB_USERNAME }}
                   password: ${{ secrets.DOCKERHUB_TOKEN }}
 
+            - name: Login to Docker Hardened Registry
+              uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+              with:
+                  registry: dhi.io
+                  username: ${{ secrets.DOCKERHUB_USERNAME }}
+                  password: ${{ secrets.DOCKERHUB_TOKEN }}
+
             - name: Build and push
               uses: docker/bake-action@3acf805d94d93a86cce4ca44798a76464a75b88c # v6.9.0
               if: ${{ !startsWith(github.ref, 'refs/tags/sdk@') }}
diff --git a/packages/sdk/Dockerfile b/packages/sdk/Dockerfile
index d153e7e8..2bc089de 100644
--- a/packages/sdk/Dockerfile
+++ b/packages/sdk/Dockerfile
@@ -1,6 +1,7 @@
 # syntax=docker.io/docker/dockerfile:1
 ARG CARTESI_BASE_IMAGE
-ARG POSTGRES_BASE_IMAGE
+ARG POSTGRES_BASE_BUILD_IMAGE
+ARG POSTGRES_BASE_RUNTIME_IMAGE
 ARG NODE_VERSION
 
 ################################################################################
@@ -169,7 +170,7 @@ USER cartesi
 
 ################################################################################
 # postgresql initdb
-FROM ${POSTGRES_BASE_IMAGE} AS postgresql-initdb
+FROM ${POSTGRES_BASE_BUILD_IMAGE} AS postgresql-initdb
 
 ARG DEBIAN_FRONTEND=noninteractive
 RUN <<EOF
@@ -202,8 +203,12 @@ RUN /usr/local/bin/docker-ensure-initdb.sh postgres
 
 ################################################################################
 # rollups-database image
-FROM ${POSTGRES_BASE_IMAGE} AS rollups-database
-COPY --from=postgresql-initdb /var/lib/postgresql/data /var/lib/postgresql/data
+FROM ${POSTGRES_BASE_RUNTIME_IMAGE} AS rollups-database
+ARG POSTGRES_MAJOR_VERSION
+COPY --from=postgresql-initdb \
+    --chown=postgres:postgres \
+    --chmod=750 \
+    /var/lib/postgresql/data /var/lib/postgresql/${POSTGRES_MAJOR_VERSION}/data
 
 ################################################################################
 # alto build
diff --git a/packages/sdk/docker-bake.hcl b/packages/sdk/docker-bake.hcl
index 39c6ee77..ad01c407 100644
--- a/packages/sdk/docker-bake.hcl
+++ b/packages/sdk/docker-bake.hcl
@@ -20,7 +20,9 @@ target "default" {
     NITRO_VERSION                     = "8c376d4a5baa7f32999620f9fe3eb51ca8e0dcbc" # v0.5
     NODE_VERSION                      = "24.12.0"
     NVM_VERSION                       = "977563e97ddc66facf3a8e31c6cff01d236f09bd" # 0.40.3
-    POSTGRES_BASE_IMAGE               = "docker.io/library/postgres:17-trixie@sha256:4ad49a4ba70130eab1de69bdd7a212d9c711e7410f10e1a23aae41a325b95093"
+    POSTGRES_MAJOR_VERSION            = "17"
+    POSTGRES_BASE_BUILD_IMAGE         = "docker.io/library/postgres:17-trixie@sha256:4ad49a4ba70130eab1de69bdd7a212d9c711e7410f10e1a23aae41a325b95093"
+    POSTGRES_BASE_RUNTIME_IMAGE       = "dhi.io/postgres:17-debian13@sha256:26f948cfcce91d18beef8193e61fdae529650b462e644916e9ab433261602cef"
     SQUASHFS_TOOLS_VERSION            = "bad1d213ab6df587d6fa0ef7286180fbf7b86167" # 4.7.4
     SU_EXEC_VERSION                   = "0.3"
     XGENEXT2_VERSION                  = "1.5.6"

From 7f086882870725a7c6975ba090996c4b202bb21e Mon Sep 17 00:00:00 2001
From: Enderson Maia <endersonmaia@gmail.com>
Date: Thu, 15 Jan 2026 15:34:54 -0300
Subject: [PATCH 2/3] chore(sdk): use Debian's Docker Hardened Image

Using trivy to scan vulnerabilities in Docker images, we found that:

BEFORE: Total: 97 (UNKNOWN: 2, LOW: 82, MEDIUM: 13, HIGH: 0, CRITICAL: 0)
AFTER : Total: 88 (UNKNOWN: 2, LOW: 76, MEDIUM: 10, HIGH: 0, CRITICAL: 0)
---
 packages/sdk/Dockerfile      | 13 ++++++-------
 packages/sdk/docker-bake.hcl |  2 +-
 2 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/packages/sdk/Dockerfile b/packages/sdk/Dockerfile
index 2bc089de..2d9fe79e 100644
--- a/packages/sdk/Dockerfile
+++ b/packages/sdk/Dockerfile
@@ -108,12 +108,10 @@ RUN <<EOF
 apt-get install -y --no-install-recommends \
     libslirp0 \
     lua5.4 \
+    passwd \
     xz-utils
-rm -rf /var/lib/apt/lists/*
-EOF
 
-RUN <<EOF
-set -e
+# create cartesi user
 useradd \
     --comment "cartesi user" \
     --no-create-home \
@@ -123,6 +121,9 @@ useradd \
     --uid 102 \
     --user-group \
     cartesi
+
+apt-get remove -y --purge passwd
+rm -rf /var/lib/apt/lists/*
 EOF
 
 # Install cartesi-machine emulator
@@ -265,9 +266,7 @@ apt-get install -y --no-install-recommends \
     liblzo2-2 \
     libslirp0 \
     locales \
-    lua5.4 \
-    xxd \
-    xz-utils
+    xxd
 rm -rf /var/lib/apt/lists/*
 EOF
 
diff --git a/packages/sdk/docker-bake.hcl b/packages/sdk/docker-bake.hcl
index ad01c407..74c73ff9 100644
--- a/packages/sdk/docker-bake.hcl
+++ b/packages/sdk/docker-bake.hcl
@@ -8,7 +8,7 @@ target "default" {
   args = {
     ALTO_VERSION                      = "1.2.5"
     ALTO_PACKAGE_VERSION              = "0.0.18"
-    CARTESI_BASE_IMAGE                = "docker.io/library/debian:trixie-20260112-slim@sha256:e9f1b0bda36daad09fcd6779f7af47191dbee4ff52f8903fffd15240eb986bd8"
+    CARTESI_BASE_IMAGE                = "dhi.io/debian-base:trixie@sha256:1244523a2f7b6c096c6f98ce0349df6798c775c57322c51f8a4982daf60c256c"
     CARTESI_DEVNET_VERSION            = "2.0.0-alpha.9"
     CARTESI_IMAGE_KERNEL_VERSION      = "0.20.0"
     CARTESI_LINUX_KERNEL_VERSION      = "6.5.13-ctsi-1-v0.20.0"

From 99990bf15115b67fb15dd6ab840e40a6f7937395 Mon Sep 17 00:00:00 2001
From: Enderson Maia <endersonmaia@gmail.com>
Date: Thu, 15 Jan 2026 16:35:17 -0300
Subject: [PATCH 3/3] refactor(sdk): reuse previous foundry download

---
 packages/sdk/Dockerfile | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/packages/sdk/Dockerfile b/packages/sdk/Dockerfile
index 2d9fe79e..2ea3e757 100644
--- a/packages/sdk/Dockerfile
+++ b/packages/sdk/Dockerfile
@@ -66,6 +66,7 @@ ARG FOUNDRY_VERSION
 ARG TARGETARCH
 ARG TARGETOS
 RUN <<EOF
+mkdir -p /usr/local/bin
 curl -fsSL https://github.com/foundry-rs/foundry/releases/download/v${FOUNDRY_VERSION}/foundry_v${FOUNDRY_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz \
   -o /tmp/foundry.tar.gz
 case "${TARGETARCH}" in
@@ -216,13 +217,11 @@ COPY --from=postgresql-initdb \
 FROM node:${NODE_VERSION} AS alto
 ARG ALTO_VERSION
 ARG NODE_VERSION
-ARG FOUNDRY_VERSION
 ARG TARGETARCH
 ARG TARGETOS
 
 # install foundry, necessary for building alto
-RUN curl -fsSL https://github.com/foundry-rs/foundry/releases/download/v${FOUNDRY_VERSION}/foundry_v${FOUNDRY_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz \
-    | tar -zx -C /usr/local/bin
+COPY --from=foundry /usr/local/bin/forge /usr/local/bin/forge
 
 WORKDIR /app
 COPY alto.patch /app/alto.patch