Conversation

@google-labs-jules

This PR addresses a critical security vulnerability where the SoftEther VPN server was starting without a proper initialization script, potentially leaving the server with no admin password (default insecure state).

Changes:

  1. Dockerfile:
    • Added ENTRYPOINT ["/entrypoint.sh"] to ensure the initialization script runs.
    • Copied copyables/entrypoint.sh to /entrypoint.sh and made it executable.
    • Added bash and zip packages to the runtime image, as they are required by entrypoint.sh.
  2. copyables/entrypoint.sh:
    • Updated binary paths from /usr/bin/ to /usr/local/bin/ to match the Dockerfile's installation path.
    • Updated the configuration file path to /var/lib/softether/vpn_server.config.

These changes ensure that on first run, the server generates a secure random password and configures basic security settings (IPsec, SecureNAT) as intended by the script logic.


PR created automatically by Jules for task 4531279144009745898 started by @bluPhy

Updated the Dockerfile to use the `entrypoint.sh` script, which handles secure initialization (generating random passwords for server and hub).
Fixed paths in `entrypoint.sh` to match the actual installation location of SoftEther binaries (`/usr/local/bin`).
Added necessary runtime dependencies (`bash`, `zip`) to the Docker image.

This fixes a critical security issue where the container would previously start with a default insecure configuration (no admin password).
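The initialization the PR description relies on (detect first run, generate a random admin password, apply the basic IPsec/SecureNAT settings) is shown below as an added example; this is not the project's entrypoint.sh and not code from the PR. The binary directory (/usr/local/bin) and the config path (/var/lib/softether/vpn_server.config) follow the PR description. Everything else is an assumption made for the example: the admin.credentials file, the hub name, the VPNCMD/VPNSERVER/CONFIG_FILE/PASSWORD_FILE environment overrides, the PSK length, and the way the server is brought up for vpncmd (vpnserver start, vpncmd /IN: batch file, vpnserver stop, then exec vpnserver execsvc).

```shell
#!/usr/bin/env bash
# Added example, not the project's entrypoint.sh: first-run initialization for
# a SoftEther VPN container. Paths under /usr/local/bin and the config path
# follow the PR description; PASSWORD_FILE, HUB_NAME, the VPNCMD/VPNSERVER
# overrides and the PSK length are assumptions made for this example.
set -eu

VPNCMD="${VPNCMD:-/usr/local/bin/vpncmd}"
VPNSERVER="${VPNSERVER:-/usr/local/bin/vpnserver}"
CONFIG_FILE="${CONFIG_FILE:-/var/lib/softether/vpn_server.config}"
PASSWORD_FILE="${PASSWORD_FILE:-/var/lib/softether/admin.credentials}"  # assumed
HUB_NAME="${HUB_NAME:-DEFAULT}"

# N characters of [A-Za-z0-9] from the kernel CSPRNG (/dev/urandom).
# $RANDOM or a timestamp would make the admin credential guessable.
gen_password() {
  local n="${1:-32}" pw=""
  while [ "${#pw}" -lt "$n" ]; do
    pw="$pw$(head -c 64 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')"
  done
  printf '%s' "$pw" | cut -c1-"$n"
}

# First run means no persisted server config yet. Re-initializing a configured
# server would overwrite an admin password the operator has since changed.
needs_init() {
  [ ! -s "$1" ]
}

# vpncmd batch file for the setup, created with mode 0600. Feeding secrets
# through /IN: keeps them out of `ps` and the container log; they would be
# visible there if passed as `vpncmd ... /CMD ServerPasswordSet <password>`.
write_admin_script() {
  local out="$1" server_pw="$2" hub_pw="$3" psk="$4"
  rm -f "$out"
  (
    umask 077
    cat >"$out" <<EOF
ServerPasswordSet $server_pw
HubCreate $HUB_NAME /PASSWORD:$hub_pw
Hub $HUB_NAME
SecureNatEnable
IPsecEnable /L2TP:yes /L2TPRAW:no /ETHERIP:no /PSK:$psk /DEFAULTHUB:$HUB_NAME
EOF
  )
}

# Persist the generated credentials for the operator (mode 0600). Log only
# the location, never the values.
save_credentials() {
  rm -f "$PASSWORD_FILE"
  (
    umask 077
    printf 'SERVER_PASSWORD=%s\nHUB_PASSWORD=%s\nIPSEC_PSK=%s\n' "$1" "$2" "$3" >"$PASSWORD_FILE"
  )
  echo "Generated admin credentials written to $PASSWORD_FILE (mode 0600)"
}

# Generate secrets, apply them through vpncmd, then record them. vpnserver must
# already answer on localhost. No /PASSWORD: is given because the server has no
# admin password yet, which is exactly the default state this fixes.
initialize_server() {
  local server_pw hub_pw psk script
  server_pw="$(gen_password 32)"
  hub_pw="$(gen_password 32)"
  psk="$(gen_password 20)"   # assumed length; check your clients' PSK limits
  script="$(mktemp)"
  write_admin_script "$script" "$server_pw" "$hub_pw" "$psk"
  "$VPNCMD" localhost /SERVER "/IN:$script" >/dev/null
  rm -f "$script"
  save_credentials "$server_pw" "$hub_pw" "$psk"
}

# Poll the management interface until the daemonized server answers.
wait_for_server() {
  local i=0
  while [ "$i" -lt 20 ]; do
    "$VPNCMD" localhost /SERVER /CMD ServerInfoGet >/dev/null 2>&1 && return 0
    i=$((i + 1)); sleep 1
  done
  echo "vpnserver did not become reachable" >&2
  return 1
}

main() {
  if needs_init "$CONFIG_FILE"; then
    "$VPNSERVER" start        # daemonize so vpncmd has something to talk to
    wait_for_server
    initialize_server
    "$VPNSERVER" stop         # flushes the config that execsvc reloads below
  fi
  exec "$VPNSERVER" execsvc   # foreground mode, replaces this shell as PID 1
}

# Run main only when installed as /entrypoint.sh; under any other file name
# (for instance when sourced for tests) this file only defines the functions.
if [ "$(basename -- "$0")" = entrypoint.sh ]; then
  main "$@"
fi
```

Two details matter for the Dockerfile side of the PR: ENTRYPOINT in exec form (`["/entrypoint.sh"]`) starts the script as PID 1 without an intermediate shell, and the final `exec` hands that PID to vpnserver so it receives the container's stop signal directly. Because the whole setup is gated on `needs_init`, a restart of an already configured container never regenerates or resets the admin password.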
@google-labs-jules
Author

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@coderabbitai

coderabbitai bot commented Jan 5, 2026

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

@wiz-inc-cc19e8696a-mycorpone

Wiz Scan Summary

Scanner                          Finding type                       Findings
Vulnerability Finding            Vulnerabilities                    -
Data Finding                     Sensitive Data                     -
Secret Finding                   Secrets                            -
IaC Misconfiguration             IaC Misconfigurations              2 Critical, 1 High, 4 Medium, 4 Low
SAST Finding                     SAST Findings                      -
Software Supply Chain Finding    Software Supply Chain Findings     -
Total                                                               2 Critical, 1 High, 4 Medium, 4 Low

View scan details in Wiz

To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension.

@bluPhy bluPhy marked this pull request as ready for review January 5, 2026 23:40
@bluPhy bluPhy merged commit fc954b6 into master Jan 5, 2026
7 of 8 checks passed