🛡️ security: Implement full container audit and signed images guide

- Added security/audit-all-containers.sh: Automated Trivy scan for all 60+ project images - Added security/hardening/signed-images.md: Guide for Docker Content Trust (DCT) - Updated NODE1 with audit script and started background scan - Results will be saved to /opt/microdao-daarion/logs/audits/ Co-authored-by: Cursor Agent <agent@cursor.sh>
2026-01-09 12:16:30 -08:00
parent 778907cf0e
commit f6a2007c77
2 changed files with 163 additions and 0 deletions
--- a/security/audit-all-containers.sh
+++ b/security/audit-all-containers.sh
@@ -0,0 +1,77 @@
+#!/bin/bash
+# ============================================
+# Full Container Security Audit — DAARION
+# Version: 1.0.0
+# Created: 2026-01-09
+# Purpose: Scan all project images for vulnerabilities
+# ============================================
+
+set -e
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+LOG_DIR="/opt/microdao-daarion/logs/audits"
+mkdir -p "$LOG_DIR"
+REPORT_FILE="${LOG_DIR}/audit-$(date +%Y%m%d-%H%M%S).md"
+
+echo -e "${BLUE}============================================${NC}"
+echo -e "${BLUE}  DAARION Full Container Security Audit${NC}"
+echo -e "${BLUE}============================================${NC}"
+echo ""
+
+# Check Trivy
+if ! command -v trivy &> /dev/null; then
+    echo -e "${YELLOW}Installing Trivy...${NC}"
+    curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+fi
+
+# Get all images from all docker-compose files
+IMAGES=$(find . -name 'docker-compose*.yml' -exec docker compose -f {} config --images 2>/dev/null \; | sort -u)
+
+echo -e "Found ${YELLOW}$(echo "$IMAGES" | wc -l)${NC} unique images to scan."
+echo "" > "$REPORT_FILE"
+echo "# Security Audit Report - $(date)" >> "$REPORT_FILE"
+echo "" >> "$REPORT_FILE"
+echo "| Image | Critical | High | Status |" >> "$REPORT_FILE"
+echo "|-------|----------|------|--------|" >> "$REPORT_FILE"
+
+for IMAGE in $IMAGES; do
+    echo -ne "Scanning ${BLUE}${IMAGE}${NC}... "
+    
+    # Run scan
+    SCAN_RESULT=$(trivy image --severity CRITICAL,HIGH --format json "$IMAGE" 2>/dev/null)
+    
+    if [ $? -ne 0 ]; then
+        echo -e "${RED}FAILED${NC}"
+        echo "| $IMAGE | ERR | ERR | ❌ Scan Failed |" >> "$REPORT_FILE"
+        continue
+    fi
+    
+    CRITICAL=$(echo "$SCAN_RESULT" | grep -o '"Severity":"CRITICAL"' | wc -l)
+    HIGH=$(echo "$SCAN_RESULT" | grep -o '"Severity":"HIGH"' | wc -l)
+    
+    if [ "$CRITICAL" -gt 0 ]; then
+        STATUS="🔴 CRITICAL"
+    elif [ "$HIGH" -gt 0 ]; then
+        STATUS="🟡 HIGH"
+    else
+        STATUS="✅ CLEAN"
+    fi
+    
+    echo -e "${STATUS} (C:${CRITICAL}, H:${HIGH})"
+    echo "| $IMAGE | $CRITICAL | $HIGH | $STATUS |" >> "$REPORT_FILE"
+done
+
+echo ""
+echo -e "${GREEN}Audit completed!${NC}"
+echo -e "Report saved to: ${REPORT_FILE}"
+echo ""
+echo -e "${YELLOW}Top Recommendations:${NC}"
+echo "1. Update base images for services with CRITICAL vulnerabilities."
+echo "2. Rebuild local images with --no-cache."
+echo "3. Use specific versions instead of :latest."