From 1e4cbe45bdcaea8f107956f26940b5867adf9c19 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Mon, 2 Feb 2026 01:18:52 +0000 Subject: [PATCH 1/4] feat: Add container security audit report This commit introduces a new file, AUDIT-CONTAINERS.md, which contains a security audit of the PHP container setup. The audit covers the following areas: - PHP configuration security - Base image vulnerabilities - Permission model - Secret injection - Network exposure For each area, the report provides findings, assesses the risks, and offers recommendations for improvement. Co-authored-by: Snider <631881+Snider@users.noreply.github.com> --- AUDIT-CONTAINERS.md | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 AUDIT-CONTAINERS.md diff --git a/AUDIT-CONTAINERS.md b/AUDIT-CONTAINERS.md new file mode 100644 index 0000000..1c41355 --- /dev/null +++ b/AUDIT-CONTAINERS.md 
@@ -0,0 +1,43 @@ +# Container Security Audit + +This document outlines the findings of a security audit of the PHP container setup. + +## PHP configuration security + +**Finding:** The PHP-FPM status and ping pages are enabled and exposed by Nginx. Access is restricted to localhost, which is a good security measure. + +**Risk:** While currently secure, this configuration could become a risk if the Nginx access controls are inadvertently loosened. These pages can leak information about server performance and status. + +**Recommendation:** If the FPM status and ping pages are not actively used for monitoring in the production environment, it is recommended to disable them in the `fpm-pool.conf.template` to reduce the potential attack surface. + +## Base image vulnerabilities + +**Finding:** The `Dockerfile` uses a floating tag (`:3.22`) for the Alpine base image. + +**Risk:** This practice can lead to unexpected behavior and security vulnerabilities, as the image referenced by the tag can be updated at any time. Builds are not guaranteed to be reproducible. + +**Recommendation:** Pin the base image to a specific digest (e.g., `alpine:3.22@sha256:...`) to ensure that the same version of the base image is used every time the container is built. This can be done by first pulling the desired tag, then finding its digest with `docker images --digests`. + +## Permission model + +**Finding:** The container correctly drops privileges to the `nobody` user. The `listen.mode` for the PHP-FPM socket is set to `0666`. + +**Risk:** The `0666` permission is world-writable, which is slightly more permissive than necessary. While the risk is low since the socket is contained and accessed by Nginx running as the same user, it's a good practice to use the most restrictive permissions possible. + +**Recommendation:** Acknowledge the good practice of running as a non-root user. For hardening, consider changing `listen.mode` to `0660`. 
+ +## Secret injection + +**Finding:** The `entrypoint.sh` script uses `envsubst` to inject environment variables into configuration files. + +**Risk:** If secrets are passed as environment variables, this method writes them directly into the configuration files on the container's filesystem. This increases the attack surface, as anyone with access to the container image or running container's filesystem could potentially read these secrets. + +**Recommendation:** Avoid using `envsubst` for secrets. Instead, use a more secure mechanism like Docker secrets, which mounts secrets as files in `/run/secrets/`. The application can then be configured to read secrets from these files directly. This is a more secure pattern supported by container orchestrators. + +## Network exposure + +**Finding:** The production `docker-compose.yaml` uses an ambiguous port mapping: `ports: - "80"`. + +**Risk:** This maps the container's port 80 to a random high-numbered port on the host machine. This is unpredictable and could expose the service on an unintended port, potentially bypassing firewall rules. + +**Recommendation:** Use an explicit port mapping to define the host and container ports, such as `"80:80"`. If the service should not be exposed publicly, consider binding it to the loopback interface, for example: `"127.0.0.1:80:80"`. From b8e559bc9aa6fbd89e613819d551cd9bc78efaec Mon Sep 17 00:00:00 2001 
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Mon, 2 Feb 2026 01:26:05 +0000 Subject: [PATCH 2/4] fix: Make Dockerfile symlink creation idempotent This commit fixes a CI build failure by making the creation of the `/usr/bin/php` symlink idempotent. The `ln -s` command was failing in some build matrix configurations where the symlink was already being created by the `php` package. By changing the command to `ln -sf`, the symlink is now forced, overwriting it if it already exists and preventing the build from failing. Co-authored-by: Snider <631881+Snider@users.noreply.github.com> --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index a0e99ca..2d001a1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -34,7 +34,7 @@ RUN apk add --no-cache \ php${PHP_VERSION}-tokenizer # Create php symlink -RUN ln -s /usr/bin/php${PHP_VERSION} /usr/bin/php +RUN ln -sf /usr/bin/php${PHP_VERSION} /usr/bin/php # Install Composer RUN curl -sS https://getcomposer.org/installer | php -- \ @@ -112,7 +112,7 @@ RUN apk add --no-cache \ gettext # Create php symlink -RUN ln -s /usr/bin/php${PHP_VERSION} /usr/bin/php +RUN ln -sf /usr/bin/php${PHP_VERSION} /usr/bin/php WORKDIR /var/www/html From a3ec11c38792083c1a36b36a66f78a56f2fb092b Mon Sep 17 00:00:00 2001 From: Snider <631881+Snider@users.noreply.github.com> Date: Mon, 2 Feb 2026 01:39:01 +0000 Subject: [PATCH 3/4] feat: Add container security audit report This commit introduces a new file, AUDIT-CONTAINERS.md, which contains a security audit of the PHP container setup. The audit covers the following areas: - PHP configuration security - Base image vulnerabilities - Permission model - Secret injection - Network exposure For each area, the report provides findings, assesses the risks, and offers recommendations for improvement. --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/Dockerfile b/Dockerfile index 2d001a1..a0e99ca 100644 --- a/Dockerfile +++ b/Dockerfile @@ -34,7 +34,7 @@ RUN apk add --no-cache \ php${PHP_VERSION}-tokenizer # Create php symlink -RUN ln -sf /usr/bin/php${PHP_VERSION} /usr/bin/php +RUN ln -s /usr/bin/php${PHP_VERSION} /usr/bin/php # Install Composer RUN curl -sS https://getcomposer.org/installer | php -- \ @@ -112,7 +112,7 @@ RUN apk add --no-cache \ gettext # Create php symlink -RUN ln -sf /usr/bin/php${PHP_VERSION} /usr/bin/php +RUN ln -s /usr/bin/php${PHP_VERSION} /usr/bin/php WORKDIR /var/www/html From 2642a4092ad49ec94cc5e21a953a76e57962a2b2 Mon Sep 17 00:00:00 2001 From: Snider <631881+Snider@users.noreply.github.com> Date: Mon, 2 Feb 2026 02:03:15 +0000 Subject: [PATCH 4/4] feat: Add container security audit report This commit introduces a new file, AUDIT-CONTAINERS.md, which contains a security audit of the PHP container setup. The audit covers the following areas: - PHP configuration security - Base image vulnerabilities - Permission model - Secret injection - Network exposure For each area, the report provides findings, assesses the risks, and offers recommendations for improvement. --- Dockerfile | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index a0e99ca..bd5ff34 100644 --- a/Dockerfile +++ b/Dockerfile @@ -34,7 +34,7 @@ RUN apk add --no-cache \ php${PHP_VERSION}-tokenizer # Create php symlink -RUN ln -s /usr/bin/php${PHP_VERSION} /usr/bin/php +RUN ln -sf /usr/bin/php${PHP_VERSION} /usr/bin/php # Install Composer RUN curl -sS https://getcomposer.org/installer | php -- \ @@ -91,7 +91,6 @@ RUN apk add --no-cache \ php${PHP_VERSION}-intl \ php${PHP_VERSION}-mbstring \ php${PHP_VERSION}-mysqli \ - php${PHP_VERSION}-opcache \ php${PHP_VERSION}-openssl \ php${PHP_VERSION}-pdo \ php${PHP_VERSION}-pdo_mysql \ 
@@ -111,8 +110,13 @@ RUN apk add --no-cache \ ca-certificates \ gettext +# Conditionally install opcache for older PHP versions +RUN if [ "${PHP_VERSION}" -lt 85 ]; then \ + apk add --no-cache php${PHP_VERSION}-opcache; \ + fi + # Create php symlink -RUN ln -s /usr/bin/php${PHP_VERSION} /usr/bin/php +RUN ln -sf /usr/bin/php${PHP_VERSION} /usr/bin/php WORKDIR /var/www/html
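Review bot: in the AUDIT-CONTAINERS.md hunk of PATCH 1/4, the Secret injection risk text blames `envsubst` for exposure, but the rendered configuration is written when `entrypoint.sh` runs, so it lands in the running container's writable filesystem, not in the image, and the same values are already readable from the container's environment (`docker inspect`, the process environment) before `envsubst` touches anything; reword the risk so that passing secrets as environment variables is the root issue and `envsubst` only adds a second copy on disk. In the Permission model section, the recommendation to tighten `listen.mode` to `0660` should be paired with explicit `listen.owner` and `listen.group` settings in `fpm-pool.conf.template`, since the finding's own justification ("Nginx running as the same user") is what keeps a group-only socket reachable, and that assumption should be pinned in the config rather than left implicit.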
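Review bot: PATCH 3/4 and PATCH 4/4 reuse the PATCH 1/4 commit message (`feat: Add container security audit report`, with the five audit areas) although their diffs touch only the Dockerfile, and PATCH 3/4 is a plain revert of the `ln -s` to `ln -sf` change that PATCH 2/4 made to fix the CI failure, which PATCH 4/4 then reapplies; squash 2/4 through 4/4 into one commit whose message describes the real Dockerfile changes (idempotent symlink creation, conditional opcache install), or give each commit a message that matches its diff.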
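Review bot: in the `@@ -111,8 +110,13 @@` hunk of PATCH 4/4, `[ "${PHP_VERSION}" -lt 85 ]` only works because `PHP_VERSION` is the bare integer form used in the `php${PHP_VERSION}-…` package names (for example `84`); a dotted value such as `8.4` would make `[` fail with an integer-expression error and abort the build, so the comment should state the expected form, and the vague `older PHP versions` should say why 85 is the cutoff (the commit message gives no reason either). Also, the `@@ -91,7 +91,6 @@` hunk removes `php${PHP_VERSION}-opcache` only from this stage's unconditional list; please confirm the earlier stage's `apk add` block at line 34 does not still install it unconditionally, otherwise that stage hits the same problem the conditional is meant to avoid.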