Migrate Dockerfile to Docker Hardened Images (DHI)

[nanotaboada]

Problem

The current Dockerfile uses mcr.microsoft.com/dotnet/sdk:10.0 (builder) and mcr.microsoft.com/dotnet/aspnet:10.0 (runtime), both Debian-based, which carry known CVEs and a larger attack surface than necessary for production deployments.

Pain points with the current approach:

• CVEs in base images requiring constant monitoring and patching
• No built-in SBOM (Software Bill of Materials) or provenance attestations
• No formal security compliance certifications (SLSA, CIS benchmarks)
• Larger attack surface from unnecessary packages in the Debian base
• Manual effort required to stay current with security updates

Proposed Solution

Migrate the Dockerfile to use Docker Hardened Images (DHI) — Docker's official minimal, security-hardened base images — for both stages.

DHI provides:

• Up to 95% reduction in attack surface vs. standard images
• Near-zero CVEs, actively maintained by Docker's security team
• Built-in SBOM, provenance attestations, SLSA Build Level 3
• Free and open source (Apache 2.0)

Expected behavior after implementation:

• Application continues to function identically
• Dramatically reduced vulnerability count in base images
• Full supply chain transparency with built-in attestations

Suggested Approach

1. Update base images

Builder stage:

# Replace:
FROM mcr.microsoft.com/dotnet/sdk:10.0 AS builder

# With:
FROM dhi.io/dotnet/sdk:10.0-debian13-dev AS builder

Runtime stage:

# Replace:
FROM mcr.microsoft.com/dotnet/aspnet:10.0 AS runtime

# With:
FROM dhi.io/dotnet/aspnet:10.0-debian13 AS runtime

2. Adapt health check

DHI runtime images are minimal and do not include curl by default. The current apt-get install curl layer should be removed or replaced.

Option A (recommended): Replace curl with a .NET-based HTTP call in healthcheck.sh:

#!/bin/sh
dotnet-httpclient http://localhost:9000/health || exit 1

Or use wget if available in the DHI variant.

Option B: Install curl explicitly in the runtime stage (verify availability in DHI Debian variant).

3. Key files to modify

• Dockerfile — update base images, replace apt-get curl install
• scripts/healthcheck.sh — adapt health check if removing curl
• .github/workflows/dotnet.yml — update CI/CD if dhi.io authentication is needed

4. Architecture considerations

• Multi-stage build preserved
• Non-root aspnetcore user maintained
• /storage volume mount unchanged
• No application code changes required

Note: relationship to other Docker optimization issues

This issue focuses on security hardening. A separate issue covers switching the runtime to aspnet:10.0-alpine for a ~100–150 MB size reduction. Both can be implemented together or sequentially.

Acceptance Criteria

• Application builds successfully using DHI base images
• All existing endpoints function identically
• Container starts, serves on port 9000, and stops correctly
• Health check passes consistently
• Volume mount (/storage) works correctly
• Non-root user (aspnetcore) has correct permissions
• Docker Scout scan shows significantly reduced CVE count vs. previous image
• SBOM is present and complete (docker buildx imagetools inspect --format "{{json .SBOM}}")
• Provenance attestations are verifiable
• All CI tests pass against the new image

References

• DHI Official Documentation
• DHI Quickstart Guide
• DHI Migration Guide
• DHI .NET Images catalog
• Docker Scout comparison tool

[coderabbitai]

🔗 Related PRs

#230 - feat: add multi-stage Dockerfile for building and running app [merged]
#231 - feat(ci): update workflow to build and publish Docker image to GHCR [merged]
#316 - ci: migrate Azure Pipeline from Windows/MSBuild to Linux/.NET CLI [merged]
#371 - feat: upgrade to .NET 10 LTS (#368) [merged]

---

📝 Issue Planner

_{Check the box below or use the @coderabbitai plan command to generate an implementation plan and prompts that you can use with your favorite coding assistant.}

• Create Plan

---

🧪 Issue enrichment is currently in open beta.

You can configure auto-planning by selecting labels in the issue_enrichment configuration.

To disable automatic issue enrichment, add the following to your .coderabbit.yaml:

issue_enrichment:
  auto_enrich:
    enabled: false

💬 Have feedback or questions? Drop into our discord!

[nanotaboada]

After further review, we've decided not to implement this change.

The security and compliance benefits of Docker Hardened Images (SBOM, provenance attestations, SLSA Build Level 3) are well-suited for production systems with formal compliance requirements. However, this project is educational in nature — the primary artifact is the source code, not the container image. The tradeoff doesn't justify the added friction:

• Rebuilding the image locally requires a one-time docker login dhi.io, since dhi.io requires authentication even for public images — unlike standard Docker Hub pulls
• Two additional CI/CD secrets (DHI_USERNAME / DHI_PASSWORD) to maintain across all six repos
• Introduces a dependency on a third-party registry (dhi.io) with its own availability surface

The existing Alpine-based images remain lean and sufficient for the project's goals. Closing as wontfix.