Sentinel: 🛡️ Restore secure entrypoint for random password generation #5
Conversation
CRITICAL FIX: The previous Dockerfile bypassed the initialization script, causing the VPN server to start with NO admin password (default insecure state). This change:
1. Restores `entrypoint.sh` to generate a secure random admin password on first run.
2. Fixes binary paths in `entrypoint.sh` and `gencert.sh` (from `/usr/bin` to `/usr/local/bin`).
3. Installs `bash` and `unzip` required by the initialization scripts.
4. Ensures the server is securely configured before accepting connections.
Wiz Scan Summary
Unpinned Package Version in Apk Add
on resource FROM alpine AS builder.RUN apk add binutils --no-cache linux-headers build-base readline-dev openssl-dev ncurses-dev git cmake zlib-dev libsodium-dev gnu-libiconv
More Details
Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
Expected
RUN instruction with 'apk add <package>' should use package pinning form 'apk add <package>=<version>'
Found
RUN instruction apk add binutils --no-cache linux-headers build-base readline-dev openssl-dev ncurses-dev git cmake zlib-dev libsodium-dev gnu-libiconv does not use package pinning form
Rule ID: de9db1cd-52cd-46cf-aea4-2a363f47d7e8
Image Version Not Explicit
on resource FROM alpine
More Details
Always tag the version of an image explicitly
Expected
FROM alpine:'version'
Found
FROM alpine
Rule ID: c06eea37-bf19-404d-9964-9508a90c984b
Missing User Instruction
on resource Dockerfile
More Details
This rule checks whether a `USER` instruction is specified in the Dockerfile. The rule fails when the `USER` instruction is missing, causing the container to run with root privileges (UID 0). If an attacker compromises an application running as root, they gain the privileges needed to potentially escape the container and attack the host node. It also increases the blast radius of a breach, allowing full control to modify files or install malware within the container. Enforcing a non-root user is a fundamental security measure that minimizes the attack surface and contains the impact of a potential compromise.
Expected
The multi-stage Dockerfile should contain at least one 'USER' instruction
Found
The multi-stage Dockerfile does not contain any 'USER' instruction
Security Frameworks: wf-id-264, c7d2843b-ff83-4115-823e-a440e5c9b434, fcb43ca7-1138-43c6-af95-fe30190b00f7, 9bc0c54d-4a51-4dbc-8ae6-890bc8c96f68, e24345c2-b2f7-40d2-9067-d71280d443d8
Rule ID: e24d894e-a4db-4b8d-98cc-38d5825e1c7a
RUN Instruction Using 'cd' Instead of WORKDIR
on resource FROM alpine AS builder.RUN cd SoftEtherVPN && git submodule init && git submodule update && ./configure && make -j $(getconf _NPROCESSORS_ONLN) -C build
More Details
Use WORKDIR instead of proliferating instructions like RUN cd … && do-something, which are hard to read, troubleshoot, and maintain.
Expected
Using WORKDIR to change directory
Found
RUN cd SoftEtherVPN && git submodule init && git submodule update && ./configure && make -j $(getconf _NPROCESSORS_ONLN) -C build
Rule ID: 68315656-f749-42d0-928a-e618c8d4eea6
YALI - Docker image should be fetched from an approved registry
on resource FROM alpine
More Details
Use this rule to alert on disapproved image registries.
Expected
Base image must be from an authorized repository.
Found
Base image 'alpine' is not from an authorized repository.
Rule ID: 26c050b2-2b7f-49b4-b453-fb0782f26145
Unpinned Package Version in Apk Add
on resource FROM alpine AS base.RUN apk add --no-cache readline openssl libsodium gnu-libiconv iptables bash unzip
More Details
Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
Expected
RUN instruction with 'apk add <package>' should use package pinning form 'apk add <package>=<version>'
Found
RUN instruction apk add --no-cache readline openssl libsodium gnu-libiconv iptables bash unzip does not use package pinning form
Rule ID: de9db1cd-52cd-46cf-aea4-2a363f47d7e8
Healthcheck Instruction Missing
on resource FROM alpine AS base
More Details
Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working
Expected
Dockerfile should contain instruction 'HEALTHCHECK'
Found
Dockerfile doesn't contain instruction 'HEALTHCHECK'
Security Frameworks: wf-id-264, e24345c2-b2f7-40d2-9067-d71280d443d8
Rule ID: 6cce840b-7867-4f9d-81b7-54b35433d327
Healthcheck Instruction Missing
on resource FROM alpine AS builder
More Details
Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working
Expected
Dockerfile should contain instruction 'HEALTHCHECK'
Found
Dockerfile doesn't contain instruction 'HEALTHCHECK'
Security Frameworks: wf-id-264, e24345c2-b2f7-40d2-9067-d71280d443d8
Rule ID: 6cce840b-7867-4f9d-81b7-54b35433d327
ALPA - Docker file base image not from private registry
on resource FROM alpine
More Details
Expected
Base image must come from a validated private repository
Found
Base image 'alpine' is not from a validated source
Rule ID: f357b217-8b04-4a58-82ee-f0f874eb0627
Code context (Dockerfile lines the following comments are attached to):
COPY --from=builder /usr/local/src/SoftEtherVPN/build/libcedar.so /usr/local/src/SoftEtherVPN/build/libmayaqua.so /usr/local/lib/
FROM base AS vpnserver
ALPA - Docker file base image not from private registry
on resource FROM base
More Details
Expected
Base image must come from a validated private repository
Found
Base image 'base' is not from a validated source
Rule ID: f357b217-8b04-4a58-82ee-f0f874eb0627
Healthcheck Instruction Missing
on resource FROM base AS vpnserver
More Details
Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working
Expected
Dockerfile should contain instruction 'HEALTHCHECK'
Found
Dockerfile doesn't contain instruction 'HEALTHCHECK'
Security Frameworks: wf-id-264, e24345c2-b2f7-40d2-9067-d71280d443d8
Rule ID: 6cce840b-7867-4f9d-81b7-54b35433d327
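As an added example (not the project's Dockerfile), the same multi-stage build with each finding above addressed in place. PINNED_* values are placeholders to be replaced with tested versions; the clone URL, the build-tree binary paths, the entrypoint location and management port 5555 are assumptions rather than facts from the PR.

```dockerfile
# Added example, not the project's Dockerfile. PINNED_* are placeholders; the git URL,
# binary paths under build/, entrypoint path and port 5555 are assumptions.
ARG ALPINE_TAG=PINNED_ALPINE_TAG

# Image Version Not Explicit: pin the base tag (add @sha256:... for full reproducibility)
FROM alpine:${ALPINE_TAG} AS builder
# Unpinned Package Version: apk accepts name=version, so pin what the build was tested with
RUN apk add --no-cache \
      binutils=PINNED_VERSION linux-headers=PINNED_VERSION build-base=PINNED_VERSION \
      readline-dev=PINNED_VERSION openssl-dev=PINNED_VERSION ncurses-dev=PINNED_VERSION \
      git=PINNED_VERSION cmake=PINNED_VERSION zlib-dev=PINNED_VERSION \
      libsodium-dev=PINNED_VERSION gnu-libiconv=PINNED_VERSION
# RUN Instruction Using 'cd': WORKDIR replaces the "cd SoftEtherVPN && ..." chain
WORKDIR /usr/local/src
RUN git clone https://github.com/SoftEtherVPN/SoftEtherVPN.git
WORKDIR /usr/local/src/SoftEtherVPN
RUN git submodule init && git submodule update \
 && ./configure && make -j "$(getconf _NPROCESSORS_ONLN)" -C build

FROM alpine:${ALPINE_TAG} AS base
RUN apk add --no-cache \
      readline=PINNED_VERSION openssl=PINNED_VERSION libsodium=PINNED_VERSION \
      gnu-libiconv=PINNED_VERSION iptables=PINNED_VERSION bash=PINNED_VERSION \
      unzip=PINNED_VERSION
COPY --from=builder /usr/local/src/SoftEtherVPN/build/libcedar.so \
                    /usr/local/src/SoftEtherVPN/build/libmayaqua.so /usr/local/lib/

FROM base AS vpnserver
COPY --from=builder /usr/local/src/SoftEtherVPN/build/vpnserver/vpnserver /usr/local/bin/
COPY --from=builder /usr/local/src/SoftEtherVPN/build/vpncmd/vpncmd /usr/local/bin/
COPY entrypoint.sh /usr/local/bin/entrypoint.sh
# Healthcheck Instruction Missing: mark the container unhealthy when the management
# port stops answering (busybox nc -z; port is an assumption)
HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
  CMD nc -z 127.0.0.1 5555 || exit 1
# Missing User Instruction: vpnserver needs root for iptables/TUN, so USER is a documented
# exception here; limit blast radius at run time with --cap-drop ALL --cap-add NET_ADMIN.
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
```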
Sentinel: 🛡️ Restore secure entrypoint for random password generation
🚨 Severity: CRITICAL
💡 Vulnerability: The Docker image was starting `vpnserver` directly without running the initialization script. By default, SoftEther VPN Server has no admin password. This meant any instance deployed from this image was publicly accessible and controllable by anyone using `vpncmd`.
🎯 Impact: Complete compromise of the VPN server, allowing attackers to reconfigure the network, intercept traffic, or use the server as a relay.
🔧 Fix:
- `dockerfile` to include `entrypoint.sh` and set it as `ENTRYPOINT`.
- (`bash`, `unzip`).
- `entrypoint.sh` and `gencert.sh` to match the actual binary locations (`/usr/local/bin`).
- `/var/lib/softether/vpn_server.config`.
✅ Verification: Verified script syntax with `bash -n`. The logic ensures that if no config exists, a random password is generated and set, preventing the default empty password state.
PR created automatically by Jules for task 2990267082152471527 started by @bluPhy
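The first-run logic the summary describes, as an added example entrypoint that is not the PR's own `entrypoint.sh`. It assumes the PR's binary directory `/usr/local/bin` and config path `/var/lib/softether/vpn_server.config`, and that `vpncmd`'s `ServerPasswordSet` command sets the admin password and `vpnserver execsvc` runs the server in the foreground; the functions are kept separate so the password generation and first-run check can be exercised without SoftEther installed.

```shell
#!/bin/sh
# Added example, not the PR's entrypoint.sh. Assumptions: binaries in /usr/local/bin,
# config persisted at /var/lib/softether/vpn_server.config (both from the PR), and
# vpncmd's ServerPasswordSet command plus "vpnserver execsvc" for foreground mode.
set -eu

CONFIG="${SOFTETHER_CONFIG:-/var/lib/softether/vpn_server.config}"
BIN_DIR="${SOFTETHER_BIN:-/usr/local/bin}"

# First run means no persisted config yet; on an initialised volume we must
# never overwrite the password the operator has already set.
needs_init() { [ ! -f "$1" ]; }

# Random password from the kernel CSPRNG. tr filters to an unambiguous
# alphanumeric alphabet *before* head counts, so no modulo bias is introduced.
gen_password() {
  LC_ALL=C tr -dc 'A-HJ-NP-Za-km-z2-9' </dev/urandom | head -c "${1:-32}"
}

# Hand the secret to the operator via an owner-only file, never via `docker logs`.
store_password() {  # $1=password $2=path
  (umask 077 && printf '%s\n' "$1" >"$2")
}

# Set the server admin password over the local management connection, retrying
# while vpnserver is still coming up (bounded so a broken server cannot hang boot).
apply_admin_password() {  # $1=password
  for _ in 1 2 3 4 5 6 7 8 9 10; do
    "$BIN_DIR/vpncmd" localhost /SERVER /CMD ServerPasswordSet "$1" >/dev/null 2>&1 && return 0
    sleep 1
  done
  return 1
}

main() {
  if needs_init "$CONFIG"; then
    pw="$(gen_password)"
    "$BIN_DIR/vpnserver" start          # daemonises and writes the initial config
    apply_admin_password "$pw"          # set -e: never serve with an empty password
    store_password "$pw" "$(dirname "$CONFIG")/admin_password"
    "$BIN_DIR/vpnserver" stop
  fi
  exec "$BIN_DIR/vpnserver" execsvc     # foreground, so the container tracks it
}

# Start the server only where the binary exists; elsewhere the functions are just defined.
if [ -x "$BIN_DIR/vpnserver" ]; then main "$@"; fi
```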