fix: harden docker deployment defaults by bbingz · Pull Request #3897 · siteserver/cms

bbingz · 2026-05-30T22:58:06Z

This is a smaller Docker-only slice split out of the broader security hardening draft PR (#3895).

Changes:

pin .NET and nginx container base images by digest
run .NET containers as the built-in non-root user and nginx as nginx
add Docker health checks
update nginx to listen on an unprivileged container port
require explicit compose secrets via environment variables instead of checked-in defaults
document the revised Docker usage

Validation run locally:

docker build --target final -t sscms-root-docker-split-check . -> passed; current master dependency warning for HtmlSanitizer is still present because this PR intentionally does not include dependency updates
docker build -f docker/Dockerfile.core -t sscms-core-docker-split-check docker -> passed
docker build -f docker/Dockerfile.nginx -t sscms-nginx-docker-split-check docker -> passed
docker compose -f docker/mysql/docker-compose.yml config with placeholder env -> passed
docker compose -f docker/postgres/docker-compose.yml config with placeholder env -> passed
docker compose -f docker/cluster/docker-compose.yml config with placeholder env -> passed
docker run --rm --add-host sscms:127.0.0.1 sscms-nginx-docker-split-check nginx -t -> passed
trivy config --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL --format table . -> 0 Dockerfile misconfigurations

fix: harden docker deployment defaults

9cb0037

bbingz mentioned this pull request May 30, 2026

Security hardening for authentication, uploads, and public endpoints #3895

Draft

Provide feedback