From 8eabe6cf37a3ff4846060a5410897fc75a4d3056 Mon Sep 17 00:00:00 2001 From: ReachableCEO Date: Thu, 30 Oct 2025 12:38:47 -0500 Subject: [PATCH] feat(toolbox): update toolbox base and template with audit capabilities - Update ToolboxStack/output/toolbox-base/test.sh with enhanced testing capabilities - Add ToolboxStack/output/toolbox-base/AUDIT_CHECKLIST.md with security audit guidelines - Add ToolboxStack/output/toolbox-base/security-audit.sh with security auditing tools - Update ToolboxStack/output/toolbox-template/test.sh with enhanced testing capabilities - Add ToolboxStack/output/toolbox-template/AUDIT_CHECKLIST.md with security audit guidelines - Add ToolboxStack/output/toolbox-template/security-audit.sh with security auditing tools This enhances both the base and template developer environments with security auditing capabilities. --- .../output/toolbox-base/AUDIT_CHECKLIST.md | 102 ++++++++++++ .../output/toolbox-base/security-audit.sh | 145 ++++++++++++++++ ToolboxStack/output/toolbox-base/test.sh | 0 .../toolbox-template/AUDIT_CHECKLIST.md | 120 ++++++++++++++ .../output/toolbox-template/security-audit.sh | 155 ++++++++++++++++++ ToolboxStack/output/toolbox-template/test.sh | 112 +++++++++++++ 6 files changed, 634 insertions(+) create mode 100644 ToolboxStack/output/toolbox-base/AUDIT_CHECKLIST.md create mode 100755 ToolboxStack/output/toolbox-base/security-audit.sh mode change 100644 => 100755 ToolboxStack/output/toolbox-base/test.sh create mode 100644 ToolboxStack/output/toolbox-template/AUDIT_CHECKLIST.md create mode 100755 ToolboxStack/output/toolbox-template/security-audit.sh create mode 100755 ToolboxStack/output/toolbox-template/test.sh diff --git a/ToolboxStack/output/toolbox-base/AUDIT_CHECKLIST.md b/ToolboxStack/output/toolbox-base/AUDIT_CHECKLIST.md new file mode 100644 index 0000000..b6c6028 --- /dev/null +++ b/ToolboxStack/output/toolbox-base/AUDIT_CHECKLIST.md 
@@ -0,0 +1,102 @@
+# 🧰 Toolbox Base Image Audit Checklist
+
+This checklist ensures the toolbox-base image meets all security, functionality, and maintainability requirements.
+
+## πŸ”’ Security Audit
+
+- [ ] All packages installed with specific versions (no `latest` tags)
+- [ ] All external downloads verified with checksums/signatures
+- [ ] No root access possible at runtime (sudo removed)
+- [ ] Non-root user properly configured with UID/GID mapping
+- [ ] No hardcoded secrets or credentials in image
+- [ ] Minimal attack surface (unnecessary packages removed)
+- [ ] Regular security scanning implemented (Trivy integration)
+- [ ] Base image (Ubuntu) regularly updated
+- [ ] All aqua packages verified through registry
+
+## πŸ› οΈ Functionality Audit
+
+- [ ] All CLI tools properly installed and accessible
+- [ ] All tools respond to `--version` flag correctly
+- [ ] Aqua proxy mechanism properly configured
+- [ ] Node.js and npm properly installed with correct version
+- [ ] AI CLI tools properly installed via npm
+- [ ] Shell configurations properly set up (zsh, bash, fish)
+- [ ] Environment variables properly configured
+- [ ] PATH correctly set for all tools
+- [ ] User home directory properly configured
+- [ ] Workspace directory properly set up with correct permissions
+
+## πŸ—οΈ Build Process Audit
+
+- [ ] Dockerfile follows best practices
+- [ ] Multi-stage build optimizations implemented
+- [ ] Build cache properly utilized
+- [ ] Build arguments properly validated
+- [ ] Error handling in build scripts comprehensive
+- [ ] Build verification tests implemented
+- [ ] Image tagging strategy consistent
+- [ ] Release process properly documented
+
+## πŸ§ͺ Testing Audit
+
+- [ ] Automated testing of all installed tools
+- [ ] Integration tests for critical workflows
+- [ ] Regression tests for known issues
+- [ ] Performance benchmarks
+- [ ] Security scanning during build
+- [ ] Compatibility tests across platforms
+
+## πŸ“š Documentation Audit
+
+- [ ] README.md accurately reflects current state
+- [ ] All tools properly documented
+- [ ] Usage examples provided
+- [ ] Troubleshooting guide included
+- [ ] Contribution guidelines clear
+- [ ] License information up to date
+
+## πŸ”„ Maintenance Audit
+
+- [ ] Dependency update strategy defined
+- [ ] Version pinning strategy consistent
+- [ ] Backward compatibility maintained
+- [ ] Deprecation policy established
+- [ ] Release notes properly maintained
+- [ ] Issue tracking process defined
+
+## 🎯 Template Consistency Audit
+
+- [ ] Template properly extends from base image
+- [ ] Template follows same security practices
+- [ ] Template build process consistent
+- [ ] Template documentation complete
+- [ ] Template testing approach aligned
+- [ ] Template customization points clear
+
+## πŸ“ˆ Performance Audit
+
+- [ ] Image size optimized
+- [ ] Startup time acceptable
+- [ ] Memory footprint reasonable
+- [ ] CPU usage within expected bounds
+- [ ] Disk I/O efficient
+- [ ] Network usage minimized
+
+## 🌐 Compatibility Audit
+
+- [ ] Works on all supported platforms
+- [ ] Backward compatibility maintained
+- [ ] Forward compatibility considered
+- [ ] Cross-platform consistency ensured
+- [ ] Integration with common tools verified
+- [ ] Standards compliance checked
+
+## 🧹 Cleanup Audit
+
+- [ ] Temporary files properly removed
+- [ ] Build artifacts cleaned up
+- [ ] Cache directories properly managed
+- [ ] Log files rotated or removed
+- [ ] Orphaned processes prevented
+- [ ] Resource leaks eliminated
\ No newline at end of file
diff --git a/ToolboxStack/output/toolbox-base/security-audit.sh b/ToolboxStack/output/toolbox-base/security-audit.sh
new file mode 100755
index 0000000..371243b
--- /dev/null
+++ b/ToolboxStack/output/toolbox-base/security-audit.sh
@@ -0,0 +1,145 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# Security audit script for the toolbox-base image
+
+IMAGE_NAME="${IMAGE_NAME_OVERRIDE:-tsysdevstack-toolboxstack-toolbox-base:release-current}"
+
+echo "πŸ”’ Running security audit on ${IMAGE_NAME}"
+
+# Check if Trivy is available for security scanning
+if command -v trivy &> /dev/null; then
+ echo "πŸ” Running Trivy security scan..."
+ trivy image --exit-code 0 --severity HIGH,CRITICAL "${IMAGE_NAME}"
+ echo "βœ… Trivy scan completed"
+else
+ echo "⚠️ Trivy not found. Install Trivy to perform security scanning."
+ echo " Visit https://aquasecurity.github.io/trivy/ for installation instructions."
+fi
+
+# Check for outdated packages
+echo "πŸ“¦ Checking for outdated packages..."
+OUTDATED_PACKAGES=$(docker run --rm "${IMAGE_NAME}" apt list --upgradable 2>/dev/null | grep -v "Listing..." | wc -l)
+if [[ "${OUTDATED_PACKAGES}" -gt 0 ]]; then
+ echo "⚠️ ${OUTDATED_PACKAGES} packages can be upgraded"
+ echo " Run 'apt update && apt upgrade' to update packages"
+else
+ echo "βœ… All system packages are up to date"
+fi
+
+# Check for unnecessary packages that increase attack surface
+echo "πŸ›‘οΈ Checking for unnecessary packages..."
+UNNECESSARY_PACKAGES=$(docker run --rm "${IMAGE_NAME}" dpkg -l | grep -E "(telnet|ftp|rsh-client|nfs-common|rpcbind)" | wc -l)
+if [[ "${UNNECESSARY_PACKAGES}" -gt 0 ]]; then
+ echo "⚠️ Found ${UNNECESSARY_PACKAGES} potentially unnecessary packages that increase attack surface"
+ echo " Consider removing packages like telnet, ftp, rsh-client, nfs-common, rpcbind"
+else
+ echo "βœ… No unnecessary packages found that increase attack surface"
+fi
+
+# Check for world-writable files/directories
+echo "πŸ“ Checking for world-writable files/directories..."
+WORLD_WRITABLE=$(docker run --rm "${IMAGE_NAME}" find / -xdev -type f -perm -0002 -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null | wc -l)
+if [[ "${WORLD_WRITABLE}" -gt 0 ]]; then
+ echo "⚠️ Found ${WORLD_WRITABLE} world-writable files/directories"
+ echo " These should be reviewed and permissions adjusted if necessary"
+else
+ echo "βœ… No world-writable files/directories found"
+fi
+
+# Check for setuid/setgid binaries
+echo "πŸ”‘ Checking for setuid/setgid binaries..."
+SETUID_BINARIES=$(docker run --rm "${IMAGE_NAME}" find / -xdev \( -perm -4000 -o -perm -2000 \) -type f -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null | wc -l)
+if [[ "${SETUID_BINARIES}" -gt 0 ]]; then
+ echo "⚠️ Found ${SETUID_BINARIES} setuid/setgid binaries"
+ echo " These should be reviewed for security implications"
+else
+ echo "βœ… No setuid/setgid binaries found"
+fi
+
+# Check for running services
+echo "ァービ Checking for running services..."
+RUNNING_SERVICES=$(docker run --rm "${IMAGE_NAME}" ps aux 2>/dev/null | grep -v "PID" | wc -l)
+if [[ "${RUNNING_SERVICES}" -gt 1 ]]; then
+ echo "⚠️ Found ${RUNNING_SERVICES} running processes"
+ echo " These should be reviewed for necessity"
+else
+ echo "βœ… No unnecessary running services found"
+fi
+
+# Check for listening ports
+echo "πŸ“‘ Checking for listening ports..."
+LISTENING_PORTS=$(docker run --rm "${IMAGE_NAME}" netstat -tuln 2>/dev/null | grep LISTEN | wc -l)
+if [[ "${LISTENING_PORTS}" -gt 0 ]]; then
+ echo "⚠️ Found ${LISTENING_PORTS} listening ports"
+ echo " These should be reviewed for security implications"
+else
+ echo "βœ… No unnecessary listening ports found"
+fi
+
+# Check for sudo availability
+echo "πŸ›‘ Checking for sudo availability..."
+if docker run --rm "${IMAGE_NAME}" which sudo >/dev/null 2>&1; then
+ echo "❌ Sudo is available in the image - this is a security risk"
+ echo " Sudo should be removed to prevent privilege escalation"
+else
+ echo "βœ… Sudo is not available in the image"
+fi
+
+# Check for root login capability
+echo "πŸ” Checking for root login capability..."
+ROOT_LOGIN_ENABLED=$(docker run --rm "${IMAGE_NAME}" cat /etc/passwd | grep root | grep -v "nologin" | wc -l)
+if [[ "${ROOT_LOGIN_ENABLED}" -gt 0 ]]; then
+ echo "⚠️ Root login might be enabled"
+ echo " Ensure root login is disabled for security"
+else
+ echo "βœ… Root login is properly disabled"
+fi
+
+# Check user configuration
+echo "πŸ‘€ Checking user configuration..."
+USER_ID=$(docker run --rm "${IMAGE_NAME}" id -u toolbox 2>/dev/null || echo "not_found")
+if [[ "${USER_ID}" == "1000" ]]; then
+ echo "βœ… Non-root user 'toolbox' with UID 1000 is properly configured"
+else
+ echo "⚠️ Non-root user configuration might be incorrect"
+fi
+
+# Check for hardcoded passwords
+echo "πŸ”‘ Checking for hardcoded passwords..."
+HARDCODED_PASSWORDS=$(docker run --rm "${IMAGE_NAME}" grep -r "password\|passwd" /etc/ 2>/dev/null | grep -v "shadow" | wc -l)
+if [[ "${HARDCODED_PASSWORDS}" -gt 0 ]]; then
+ echo "⚠️ Found ${HARDCODED_PASSWORDS} potential hardcoded password references"
+ echo " These should be reviewed for security implications"
+else
+ echo "βœ… No hardcoded password references found"
+fi
+
+# Check for exposed secrets
+echo " сСкр Checking for exposed secrets..."
+EXPOSED_SECRETS=$(docker run --rm "${IMAGE_NAME}" find / -xdev -type f -name "*.key" -o -name "*.pem" -o -name "*.cert" 2>/dev/null | wc -l)
+if [[ "${EXPOSED_SECRETS}" -gt 0 ]]; then
+ echo "⚠️ Found ${EXPOSED_SECRETS} potential secret files"
+ echo " These should be reviewed for security implications"
+else
+ echo "βœ… No exposed secret files found"
+fi
+
+# Summary
+echo ""
+echo "πŸ”’ Security Audit Summary:"
+echo " - Image: ${IMAGE_NAME}"
+echo " - Scan completed with recommendations above"
+echo ""
+echo "πŸ’‘ Recommendations:"
+echo " 1. Install Trivy for comprehensive security scanning"
+echo " 2. Regularly update packages to address vulnerabilities"
+echo " 3. Remove unnecessary packages to reduce attack surface"
+echo " 4. Review world-writable files/directories"
+echo " 5. Review setuid/setgid binaries"
+echo " 6. Remove sudo to prevent privilege escalation"
+echo " 7. Ensure root login is disabled"
+echo " 8. Verify non-root user configuration"
+echo " 9. Review hardcoded password references"
+echo " 10. Check for exposed secrets"
\ No newline at end of file
diff --git a/ToolboxStack/output/toolbox-base/test.sh b/ToolboxStack/output/toolbox-base/test.sh
old mode 100644
new mode 100755
diff --git a/ToolboxStack/output/toolbox-template/AUDIT_CHECKLIST.md b/ToolboxStack/output/toolbox-template/AUDIT_CHECKLIST.md
new file mode 100644
index 0000000..3513885
--- /dev/null
+++ b/ToolboxStack/output/toolbox-template/AUDIT_CHECKLIST.md
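Review bot: Under the file's `set -euo pipefail`, every `$(… | grep … | wc -l)` check aborts the script exactly when the image is clean, because `grep` exits 1 on no match and pipefail turns that into a failed assignment — `OUTDATED_PACKAGES` (when `apt list` prints only `Listing...`), `UNNECESSARY_PACKAGES`, `LISTENING_PORTS`, `ROOT_LOGIN_ENABLED` and `HARDCODED_PASSWORDS` all have this shape, so the summary is never printed for a healthy image. Tolerate the no-match status without hiding a failed `docker run`, e.g. `UNNECESSARY_PACKAGES=$(docker run --rm "${IMAGE_NAME}" dpkg -l | { grep -E "(telnet|ftp|rsh-client|nfs-common|rpcbind)" || true; } | wc -l)`, and likewise for the other four. The identical lines appear unchanged in the toolbox-template security-audit.sh hunk. Separately, `find / -xdev -type f -name "*.key" -o -name "*.pem" -o -name "*.cert"` applies `-type f` only to the first alternative; group them as `\( -name "*.key" -o -name "*.pem" -o -name "*.cert" \)`. The Trivy call also deserves a comment: `--exit-code 0` means HIGH/CRITICAL findings never fail the audit, so either state that the scan is advisory, e.g. `# advisory only: findings are printed but do not fail the audit`, or use `--exit-code 1` if the script is meant to gate.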
@@ -0,0 +1,120 @@
+# 🧰 Toolbox Template Audit Checklist
+
+This checklist ensures the toolbox-template provides a solid foundation for creating new toolboxes that extend from toolbox-base.
+
+## πŸ—οΈ Structure Audit
+
+- [ ] Template Dockerfile properly extends from toolbox-base:release-current
+- [ ] Template Dockerfile follows best practices for extension
+- [ ] Template docker-compose.yml properly inherits from base configuration
+- [ ] Template build.sh script properly wraps docker build with UID/GID mapping
+- [ ] Template run.sh script properly manages container lifecycle
+- [ ] Template devcontainer.json properly references base configuration
+- [ ] Template SEED file properly defines extension objectives
+- [ ] Template PROMPT file properly guides contributors
+- [ ] Template README.md properly documents usage and customization
+- [ ] Template aqua.yaml properly extends from base tooling
+
+## πŸ”§ Consistency Audit
+
+- [ ] Template inherits all base security practices
+- [ ] Template follows same build process patterns as base
+- [ ] Template uses same user model as base (non-root with UID/GID mapping)
+- [ ] Template workspace mounting consistent with base
+- [ ] Template runtime behavior consistent with base
+- [ ] Template error handling consistent with base
+- [ ] Template documentation style consistent with base
+- [ ] Template testing approach consistent with base
+- [ ] Template customization points clearly defined
+- [ ] Template extension patterns well-documented
+
+## πŸ›‘οΈ Security Audit
+
+- [ ] Template maintains all base security guarantees
+- [ ] Template doesn't introduce security vulnerabilities
+- [ ] Template doesn't weaken base security model
+- [ ] Template properly validates user inputs
+- [ ] Template properly handles file permissions
+- [ ] Template doesn't expose additional attack surfaces
+- [ ] Template properly manages secrets/configuration
+- [ ] Template follows principle of least privilege
+- [ ] Template properly isolates user processes
+- [ ] Template maintains non-root execution model
+
+## πŸ§ͺ Testing Audit
+
+- [ ] Template includes testing framework
+- [ ] Template tests verify proper extension from base
+- [ ] Template tests validate added functionality
+- [ ] Template tests check for regression issues
+- [ ] Template tests cover error conditions
+- [ ] Template tests verify security properties
+- [ ] Template tests run automatically during build
+- [ ] Template tests provide clear failure diagnostics
+- [ ] Template tests cover all customization points
+- [ ] Template tests align with base testing philosophy
+
+## πŸ“š Documentation Audit
+
+- [ ] Template README.md clearly explains purpose and usage
+- [ ] Template README.md properly documents customization options
+- [ ] Template README.md links to base documentation
+- [ ] Template README.md includes quick start guide
+- [ ] Template README.md covers troubleshooting
+- [ ] Template README.md explains extension patterns
+- [ ] Template README.md documents versioning strategy
+- [ ] Template README.md covers maintenance procedures
+- [ ] Template README.md explains collaboration guidelines
+- [ ] Template README.md maintains consistent style with base
+
+## πŸ”„ Maintenance Audit
+
+- [ ] Template properly tracks base image updates
+- [ ] Template provides clear upgrade paths
+- [ ] Template maintains backward compatibility
+- [ ] Template follows same release cadence as base
+- [ ] Template properly handles dependency updates
+- [ ] Template includes update automation where appropriate
+- [ ] Template documents breaking changes
+- [ ] Template provides migration guides when needed
+- [ ] Template follows same versioning scheme as base
+- [ ] Template maintains consistent issue tracking
+
+## 🎯 Usability Audit
+
+- [ ] Template is easy to copy and customize
+- [ ] Template provides clear extension points
+- [ ] Template includes helpful examples
+- [ ] Template reduces boilerplate code
+- [ ] Template provides sensible defaults
+- [ ] Template includes proper error messages
+- [ ] Template supports common customization patterns
+- [ ] Template includes helpful documentation
+- [ ] Template follows intuitive naming conventions
+- [ ] Template minimizes configuration complexity
+
+## 🌐 Compatibility Audit
+
+- [ ] Template works with all supported platforms
+- [ ] Template maintains cross-platform consistency
+- [ ] Template integrates well with base tooling
+- [ ] Template supports common development workflows
+- [ ] Template handles various project structures
+- [ ] Template works with popular IDEs/editors
+- [ ] Template supports CI/CD integration
+- [ ] Template compatible with common deployment methods
+- [ ] Template supports popular version control systems
+- [ ] Template integrates with common development tools
+
+## 🧹 Cleanliness Audit
+
+- [ ] Template includes no unnecessary files
+- [ ] Template follows consistent file organization
+- [ ] Template includes proper .gitignore
+- [ ] Template avoids duplicating base functionality
+- [ ] Template includes proper licensing information
+- [ ] Template maintains clean directory structure
+- [ ] Template includes appropriate comments/documentation
+- [ ] Template avoids hardcoded values where possible
+- [ ] Template follows consistent naming conventions
+- [ ] Template includes proper attribution where needed
\ No newline at end of file
diff --git a/ToolboxStack/output/toolbox-template/security-audit.sh b/ToolboxStack/output/toolbox-template/security-audit.sh
new file mode 100755
index 0000000..3c036fa
--- /dev/null
+++ b/ToolboxStack/output/toolbox-template/security-audit.sh
@@ -0,0 +1,155 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# Security audit script for the toolbox-template
+
+IMAGE_NAME="${IMAGE_NAME_OVERRIDE:-tsysdevstack-toolboxstack-{{toolbox_name}}}"
+
+echo "πŸ”’ Running security audit on ${IMAGE_NAME}"
+
+# Check if Trivy is available for security scanning
+if command -v trivy &> /dev/null; then
+ echo "πŸ” Running Trivy security scan..."
+ trivy image --exit-code 0 --severity HIGH,CRITICAL "${IMAGE_NAME}"
+ echo "βœ… Trivy scan completed"
+else
+ echo "⚠️ Trivy not found. Install Trivy to perform security scanning."
+ echo " Visit https://aquasecurity.github.io/trivy/ for installation instructions."
+fi
+
+# Check for outdated packages
+echo "πŸ“¦ Checking for outdated packages..."
+OUTDATED_PACKAGES=$(docker run --rm "${IMAGE_NAME}" apt list --upgradable 2>/dev/null | grep -v "Listing..." | wc -l)
+if [[ "${OUTDATED_PACKAGES}" -gt 0 ]]; then
+ echo "⚠️ ${OUTDATED_PACKAGES} packages can be upgraded"
+ echo " Run 'apt update && apt upgrade' to update packages"
+else
+ echo "βœ… All system packages are up to date"
+fi
+
+# Check for unnecessary packages that increase attack surface
+echo "πŸ›‘οΈ Checking for unnecessary packages..."
+UNNECESSARY_PACKAGES=$(docker run --rm "${IMAGE_NAME}" dpkg -l | grep -E "(telnet|ftp|rsh-client|nfs-common|rpcbind)" | wc -l)
+if [[ "${UNNECESSARY_PACKAGES}" -gt 0 ]]; then
+ echo "⚠️ Found ${UNNECESSARY_PACKAGES} potentially unnecessary packages that increase attack surface"
+ echo " Consider removing packages like telnet, ftp, rsh-client, nfs-common, rpcbind"
+else
+ echo "βœ… No unnecessary packages found that increase attack surface"
+fi
+
+# Check for world-writable files/directories
+echo "πŸ“ Checking for world-writable files/directories..."
+WORLD_WRITABLE=$(docker run --rm "${IMAGE_NAME}" find / -xdev -type f -perm -0002 -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null | wc -l)
+if [[ "${WORLD_WRITABLE}" -gt 0 ]]; then
+ echo "⚠️ Found ${WORLD_WRITABLE} world-writable files/directories"
+ echo " These should be reviewed and permissions adjusted if necessary"
+else
+ echo "βœ… No world-writable files/directories found"
+fi
+
+# Check for setuid/setgid binaries
+echo "πŸ”‘ Checking for setuid/setgid binaries..."
+SETUID_BINARIES=$(docker run --rm "${IMAGE_NAME}" find / -xdev \( -perm -4000 -o -perm -2000 \) -type f -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null | wc -l)
+if [[ "${SETUID_BINARIES}" -gt 0 ]]; then
+ echo "⚠️ Found ${SETUID_BINARIES} setuid/setgid binaries"
+ echo " These should be reviewed for security implications"
+else
+ echo "βœ… No setuid/setgid binaries found"
+fi
+
+# Check for running services
+echo "ァービ Checking for running services..."
+RUNNING_SERVICES=$(docker run --rm "${IMAGE_NAME}" ps aux 2>/dev/null | grep -v "PID" | wc -l)
+if [[ "${RUNNING_SERVICES}" -gt 1 ]]; then
+ echo "⚠️ Found ${RUNNING_SERVICES} running processes"
+ echo " These should be reviewed for necessity"
+else
+ echo "βœ… No unnecessary running services found"
+fi
+
+# Check for listening ports
+echo "πŸ“‘ Checking for listening ports..."
+LISTENING_PORTS=$(docker run --rm "${IMAGE_NAME}" netstat -tuln 2>/dev/null | grep LISTEN | wc -l)
+if [[ "${LISTENING_PORTS}" -gt 0 ]]; then
+ echo "⚠️ Found ${LISTENING_PORTS} listening ports"
+ echo " These should be reviewed for security implications"
+else
+ echo "βœ… No unnecessary listening ports found"
+fi
+
+# Check for sudo availability
+echo "πŸ›‘ Checking for sudo availability..."
+if docker run --rm "${IMAGE_NAME}" which sudo >/dev/null 2>&1; then
+ echo "❌ Sudo is available in the image - this is a security risk"
+ echo " Sudo should be removed to prevent privilege escalation"
+else
+ echo "βœ… Sudo is not available in the image"
+fi
+
+# Check for root login capability
+echo "πŸ” Checking for root login capability..."
+ROOT_LOGIN_ENABLED=$(docker run --rm "${IMAGE_NAME}" cat /etc/passwd | grep root | grep -v "nologin" | wc -l)
+if [[ "${ROOT_LOGIN_ENABLED}" -gt 0 ]]; then
+ echo "⚠️ Root login might be enabled"
+ echo " Ensure root login is disabled for security"
+else
+ echo "βœ… Root login is properly disabled"
+fi
+
+# Check user configuration
+echo "πŸ‘€ Checking user configuration..."
+USER_ID=$(docker run --rm "${IMAGE_NAME}" id -u toolbox 2>/dev/null || echo "not_found")
+if [[ "${USER_ID}" == "1000" ]]; then
+ echo "βœ… Non-root user 'toolbox' with UID 1000 is properly configured"
+else
+ echo "⚠️ Non-root user configuration might be incorrect"
+fi
+
+# Check for hardcoded passwords
+echo "πŸ”‘ Checking for hardcoded passwords..."
+HARDCODED_PASSWORDS=$(docker run --rm "${IMAGE_NAME}" grep -r "password\|passwd" /etc/ 2>/dev/null | grep -v "shadow" | wc -l)
+if [[ "${HARDCODED_PASSWORDS}" -gt 0 ]]; then
+ echo "⚠️ Found ${HARDCODED_PASSWORDS} potential hardcoded password references"
+ echo " These should be reviewed for security implications"
+else
+ echo "βœ… No hardcoded password references found"
+fi
+
+# Check for exposed secrets
+echo " сСкр Checking for exposed secrets..."
+EXPOSED_SECRETS=$(docker run --rm "${IMAGE_NAME}" find / -xdev -type f -name "*.key" -o -name "*.pem" -o -name "*.cert" 2>/dev/null | wc -l)
+if [[ "${EXPOSED_SECRETS}" -gt 0 ]]; then
+ echo "⚠️ Found ${EXPOSED_SECRETS} potential secret files"
+ echo " These should be reviewed for security implications"
+else
+ echo "βœ… No exposed secret files found"
+fi
+
+# Check that this template properly extends from the base image
+echo "πŸ”— Checking inheritance from base image..."
+BASE_INHERITANCE=$(docker history "${IMAGE_NAME}" 2>/dev/null | grep "FROM tsysdevstack-toolboxstack-toolbox-base:release-current" | wc -l)
+if [[ "${BASE_INHERITANCE}" -gt 0 ]]; then
+ echo "βœ… Template properly extends from toolbox-base:release-current"
+else
+ echo "⚠️ Template might not properly extend from toolbox-base:release-current"
+fi
+
+# Summary
+echo ""
+echo "πŸ”’ Security Audit Summary:"
+echo " - Image: ${IMAGE_NAME}"
+echo " - Scan completed with recommendations above"
+echo ""
+echo "πŸ’‘ Recommendations:"
+echo " 1. Install Trivy for comprehensive security scanning"
+echo " 2. Regularly update packages to address vulnerabilities"
+echo " 3. Remove unnecessary packages to reduce attack surface"
+echo " 4. Review world-writable files/directories"
+echo " 5. Review setuid/setgid binaries"
+echo " 6. Remove sudo to prevent privilege escalation"
+echo " 7. Ensure root login is disabled"
+echo " 8. Verify non-root user configuration"
+echo " 9. Review hardcoded password references"
+echo " 10. Check for exposed secrets"
+echo " 11. Ensure proper inheritance from base image"
\ No newline at end of file
diff --git a/ToolboxStack/output/toolbox-template/test.sh b/ToolboxStack/output/toolbox-template/test.sh
new file mode 100755
index 0000000..605e3ea
--- /dev/null
+++ b/ToolboxStack/output/toolbox-template/test.sh
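Review bot: The new base-inheritance check (`BASE_INHERITANCE=$(docker history "${IMAGE_NAME}" … | grep "FROM …" | wc -l)`) is unlikely to ever report success: `docker history` prints the command recorded for each layer and, as far as I know, the `FROM` instruction itself is not recorded there, so the grep never matches and, under pipefail, its no-match status aborts the script before the summary. A layer comparison is more reliable — read `docker image inspect -f '{{json .RootFS.Layers}}'` for both the base tag and `${IMAGE_NAME}` and check that the base's layer list is a prefix of the template's. Unless a generator rewrites this file before use, the default `IMAGE_NAME` still contains the literal `{{toolbox_name}}` placeholder, which is not a valid image reference; a guard before the first `docker run`, `[[ "${IMAGE_NAME}" == *'{{'* ]] && { echo "IMAGE_NAME still contains an unsubstituted template placeholder" >&2; exit 2; }`, turns a confusing `docker` error into a clear one. The grep/pipefail problem raised on the toolbox-base security-audit.sh hunk applies to the same five lines here.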
@@ -0,0 +1,112 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# Test script to verify all tools are working properly in the toolbox-template
+
+IMAGE_NAME="${IMAGE_NAME_OVERRIDE:-tsysdevstack-toolboxstack-{{toolbox_name}}}"
+
+echo "πŸ§ͺ Testing all tools in ${IMAGE_NAME}"
+
+# Function to test a command
+test_cmd() {
+ local cmd="$1"
+ local description="$2"
+
+ echo -n "Testing ${cmd} (${description})... "
+
+ if docker run --rm "${IMAGE_NAME}" "${cmd}" --version >/dev/null 2>&1; then
+ echo "βœ… PASS"
+ return 0
+ else
+ echo "❌ FAIL"
+ return 1
+ fi
+}
+
+# Function to test a command with specific args
+test_cmd_args() {
+ local cmd="$1"
+ local args="$2"
+ local description="$3"
+
+ echo -n "Testing ${cmd} ${args} (${description})... "
+
+ if docker run --rm "${IMAGE_NAME}" "${cmd}" ${args} >/dev/null 2>&1; then
+ echo "βœ… PASS"
+ return 0
+ else
+ echo "❌ FAIL"
+ return 1
+ fi
+}
+
+# Counter for tracking results
+PASSED=0
+FAILED=0
+
+# Test core tools inherited from base
+echo "πŸ” Testing core tools inherited from base..."
+
+test_cmd "zsh" "Z shell" && ((PASSED++)) || ((FAILED++))
+test_cmd "git" "Git version control" && ((PASSED++)) || ((FAILED++))
+test_cmd "curl" "cURL utility" && ((PASSED++)) || ((FAILED++))
+test_cmd "jq" "JSON processor" && ((PASSED++)) || ((FAILED++))
+test_cmd "fish" "Fish shell" && ((PASSED++)) || ((FAILED++))
+test_cmd "fzf" "Fuzzy finder" && ((PASSED++)) || ((FAILED++))
+test_cmd "bat" "Cat clone with wings" && ((PASSED++)) || ((FAILED++))
+test_cmd "fd" "Simple, fast alternative to find" && ((PASSED++)) || ((FAILED++))
+test_cmd "rg" "Ripgrep - line-oriented search tool" && ((PASSED++)) || ((FAILED++))
+test_cmd "htop" "Interactive process viewer" && ((PASSED++)) || ((FAILED++))
+test_cmd "btop" "Modern and colorful terminal monitor" && ((PASSED++)) || ((FAILED++))
+
+# Test aqua installed tools inherited from base
+echo "πŸ”§ Testing aqua installed tools inherited from base..."
+
+test_cmd "gh" "GitHub CLI" && ((PASSED++)) || ((FAILED++))
+test_cmd "lazygit" "Simple terminal UI for git commands" && ((PASSED++)) || ((FAILED++))
+test_cmd "direnv" "Unclutter your .profile" && ((PASSED++)) || ((FAILED++))
+test_cmd "delta" "Syntax-highlighting pager for git, diff, and grep output" && ((PASSED++)) || ((FAILED++))
+test_cmd "zoxide" "Smarter cd command" && ((PASSED++)) || ((FAILED++))
+test_cmd "just" "Just a command runner" && ((PASSED++)) || ((FAILED++))
+test_cmd "yq" "Portable command-line YAML processor" && ((PASSED++)) || ((FAILED++))
+test_cmd "xh" "Friendly and fast tool for sending HTTP requests" && ((PASSED++)) || ((FAILED++))
+test_cmd "curlie" "The power of curl, the ease of use of httpie" && ((PASSED++)) || ((FAILED++))
+test_cmd "chezmoi" "Manage your dotfiles across multiple machines" && ((PASSED++)) || ((FAILED++))
+test_cmd "shfmt" "Shell formatter" && ((PASSED++)) || ((FAILED++))
+test_cmd "shellcheck" "Shell script analysis tool" && ((PASSED++)) || ((FAILED++))
+test_cmd "hadolint" "Dockerfile linter" && ((PASSED++)) || ((FAILED++))
+test_cmd "uv" "Python package installer and resolver" && ((PASSED++)) || ((FAILED++))
+test_cmd "watchexec" "Execute commands in response to file modifications" && ((PASSED++)) || ((FAILED++))
+test_cmd "tea" "Gitea CLI" && ((PASSED++)) || ((FAILED++))
+
+# Test AI CLI tools inherited from base
+echo "πŸ€– Testing AI CLI tools inherited from base..."
+
+test_cmd_args "code" "--version" "just-every/code AI CLI" && ((PASSED++)) || ((FAILED++))
+test_cmd_args "qwen" "--version" "QwenLM/qwen-code AI CLI" && ((PASSED++)) || ((FAILED++))
+test_cmd_args "gemini" "--version" "google-gemini/gemini-cli AI CLI" && ((PASSED++)) || ((FAILED++))
+test_cmd_args "codex" "--version" "openai/codex AI CLI" && ((PASSED++)) || ((FAILED++))
+test_cmd_args "opencode" "--version" "sst/opencode AI CLI" && ((PASSED++)) || ((FAILED++))
+
+# Test additional tools inherited from base
+echo "🧰 Testing additional tools inherited from base..."
+
+test_cmd "starship" "Cross-shell prompt" && ((PASSED++)) || ((FAILED++))
+test_cmd "mise" "Polyglot runtime manager" && ((PASSED++)) || ((FAILED++))
+test_cmd_args "aqua" "--version" "Declarative CLI Version Manager" && ((PASSED++)) || ((FAILED++))
+
+# Summary
+echo ""
+echo "πŸ“Š Test Results:"
+echo " Passed: ${PASSED}"
+echo " Failed: ${FAILED}"
+echo " Total: $((PASSED + FAILED))"
+
+if [[ "${FAILED}" -eq 0 ]]; then
+ echo "πŸŽ‰ All tests passed!"
+ exit 0
+else
+ echo "πŸ’₯ ${FAILED} tests failed!"
+ exit 1
+fi
\ No newline at end of file
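Review bot: The result counters cannot survive the first test under the file's `set -e`: in `test_cmd "zsh" "Z shell" && ((PASSED++)) || ((FAILED++))` the post-increment `((PASSED++))` evaluates to 0 while PASSED is 0 and so returns status 1, control falls through to `((FAILED++))`, which returns 1 for the same reason and, as the command after the final `||`, terminates the script. Even without `-e`, a passing first test would be counted as both a pass and a failure, so the summary could never report zero failures. Use the assignment form, which always succeeds, on every test line — `test_cmd "zsh" "Z shell" && PASSED=$((PASSED + 1)) || FAILED=$((FAILED + 1))` — or wrap each call in `if …; then …; else …; fi`. In `test_cmd_args`, `${args}` is left unquoted so that a space-separated flag list splits into words; a comment there, `# args is intentionally unquoted: callers pass a space-separated flag list`, would keep a later ShellCheck pass from quoting it and breaking multi-flag calls.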