Release Date: 2025-12-14
Type: Security Hardening Release
This release focuses on comprehensive security hardening for the CyberChef MCP Server Docker container. Key improvements include non-root user execution, automated vulnerability scanning with Trivy, SBOM (Software Bill of Materials) generation, and read-only filesystem support.
The container now runs as a dedicated non-root user instead of root:
- User: `cyberchef` (UID 1001)
- Group: `cyberchef` (GID 1001)

```bash
# Verify non-root execution
docker run --rm cyberchef-mcp id
# Output: uid=1001(cyberchef) gid=1001(cyberchef)
```

Security Benefits:
- Prevents privilege escalation attacks
- Limits damage from container escape vulnerabilities
- Follows container security best practices
Integrated Trivy for comprehensive security scanning:
- Every push to master triggers vulnerability scan
- Every pull request is scanned
- Results uploaded to GitHub Security tab (SARIF format)
- Non-root execution verification in CI
- Final image scanned before publication to GHCR
- Scan results attached to release
- SBOM generated and attached
- Weekly scans (Sundays at midnight UTC)
- Catches newly discovered CVEs
- Manual trigger available via `workflow_dispatch`
Software Bill of Materials generated for each release:
- Format: CycloneDX JSON
- Coverage: OS packages and npm dependencies
- Attachment: Automatically attached to GitHub releases
- Use Case: Supply chain transparency, compliance, dependency tracking
```bash
# Download SBOM from release
wget https://github.com/doublegate/CyberChef-MCP/releases/download/v1.2.0/sbom.cyclonedx.json
```

Container now supports running with a read-only root filesystem:

```bash
# Run with read-only filesystem
docker run -i --rm --read-only --tmpfs /tmp:size=100M cyberchef-mcp
```

Security Benefits:
- Prevents runtime modifications to container filesystem
- Immutable deployment configuration
- Reduced attack surface
For maximum security, use all available options:
```bash
docker run -i --rm \
  --read-only \
  --tmpfs /tmp:size=100M \
  --cap-drop=ALL \
  --security-opt=no-new-privileges \
  cyberchef-mcp
```

```dockerfile
# Security highlights from updated Dockerfile

# Non-root user creation
RUN addgroup -g 1001 -S cyberchef && \
    adduser -u 1001 -S cyberchef -G cyberchef

# Attack surface reduction
RUN rm -rf .git .github tests docs *.md ...

# Ownership and user switch
RUN chown -R cyberchef:cyberchef /app
USER cyberchef

# Health check for orchestration
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD node -e "process.exit(0)" || exit 1
```

Added standard OCI labels for metadata:
- `org.opencontainers.image.title`
- `org.opencontainers.image.description`
- `org.opencontainers.image.vendor`
- `org.opencontainers.image.licenses`
- `org.opencontainers.image.source`
- `org.opencontainers.image.documentation`

Removed from production image:
- `.git` directory
- `.github` directory
- `tests` directory
- `docs` directory
- `*.md` files (README, CHANGELOG, etc.)
- Build configuration files (Gruntfile.js, babel.config.js, etc.)
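The runtime options recommended above (non-root user, `--read-only` with a tmpfs on `/tmp`, `--cap-drop=ALL`, `no-new-privileges`) can be checked against what a container was actually started with. This is an added example, not code from the project: it audits parsed `docker inspect` output, the sample data is constructed, and `audit` / `audit_container` are names chosen here.

```python
import json

# Constructed `docker inspect` output for two containers (not captured from a real host).
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/hardened", "Config": {"User": "cyberchef"},
   "HostConfig": {"ReadonlyRootfs": true, "CapDrop": ["ALL"],
                  "SecurityOpt": ["no-new-privileges"],
                  "Tmpfs": {"/tmp": "size=100M"}, "Privileged": false}},
  {"Name": "/default", "Config": {"User": ""},
   "HostConfig": {"ReadonlyRootfs": false, "CapDrop": null,
                  "SecurityOpt": null, "Tmpfs": null, "Privileged": false}}
]
""")


def audit_container(entry):
    """Return findings for one `docker inspect` entry; an empty list means hardened."""
    cfg = entry.get("Config") or {}
    host = entry.get("HostConfig") or {}
    findings = []
    # Config.User is "user", "uid" or "uid:gid"; empty means the image default (root).
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("runs as root (no USER in image and no --user)")
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable (missing --read-only)")
    elif "/tmp" not in (host.get("Tmpfs") or {}):
        findings.append("read-only root without a tmpfs on /tmp")
    caps = [c.upper() for c in (host.get("CapDrop") or [])]
    if "ALL" not in caps:
        findings.append("capabilities not dropped (missing --cap-drop=ALL)")
    # The option may be recorded as "no-new-privileges" or "no-new-privileges:true".
    opts = [o.replace("=", ":") for o in (host.get("SecurityOpt") or [])]
    if not any(o in ("no-new-privileges", "no-new-privileges:true") for o in opts):
        findings.append("no-new-privileges not set")
    if host.get("Privileged"):
        findings.append("container is privileged")
    return findings


def audit(inspect_json):
    """Map container name -> findings for a parsed `docker inspect` array."""
    return {e.get("Name", "?").lstrip("/"): audit_container(e) for e in inspect_json}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else findings)
```

On a real host the input would come from `docker inspect <container>`, parsed with `json.loads`.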
```yaml
# Outline of the workflow; job steps are omitted here
name: Security Scan
on:
  push:
    branches: [master]
  pull_request:
    branches: [master]
  schedule:
    - cron: '0 0 * * 0'  # Weekly
  workflow_dispatch:
jobs:
  trivy-scan:       # Container vulnerability scan
  dependency-scan:  # npm audit + Trivy filesystem
  sbom-generation:  # CycloneDX SBOM
```

- Added Trivy vulnerability scanning
- Added non-root execution verification
- Results uploaded to GitHub Security tab
- Added SBOM generation with Trivy
- Added vulnerability scan on release image
- SBOM attached to GitHub release
Comprehensive security policy including:
- Supported versions table
- Vulnerability reporting procedures
- Security measures documentation
- Secure deployment guidelines
- Docker Hardened Images (DHI) information
- Added security scan badge
- Updated security section with v1.2.0 features
- Added Security Scan workflow to CI/CD section
- Updated version references
- New "Security Best Practices" section
- Non-root execution verification
- Read-only filesystem instructions
- Recommended security options
- Vulnerability scanning information
Docker Hardened Images for Node.js 22 are available via Docker Hub subscription. While this open-source project uses node:22-alpine with manual hardening for compatibility, enterprise deployments may consider DHI for additional security benefits:
- Up to 95% vulnerability reduction
- FIPS-ready variants
- Automated CVE patching
See Docker DHI Documentation for more information.
- Pull the latest image:

  ```bash
  docker pull ghcr.io/doublegate/cyberchef-mcp_v1:latest
  ```

- Verify non-root execution:

  ```bash
  docker run --rm cyberchef-mcp id
  # Expected: uid=1001(cyberchef) gid=1001(cyberchef)
  ```

- Update client configurations if using specific version tags:
  - Replace `v1.1.0` with `v1.2.0` in config files
- No protocol changes: MCP interface unchanged
- Update local builds:

  ```bash
  git pull origin master
  docker build -f Dockerfile.mcp -t cyberchef-mcp .
  ```

- Test non-root execution:

  ```bash
  docker run --rm cyberchef-mcp id
  ```

- Review security scan results in GitHub Security tab
None. This release maintains full backward compatibility with v1.1.0.
Some development dependencies have known vulnerabilities that do not affect the production MCP server runtime:
- `babel-traverse@6.26.0` - Development build only
- `shelljs@0.8.1` - Build artifact permissions only
Production MCP server runtime risk: Low
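One way to check whether the two packages named above appear in a given image's SBOM, such as the `sbom.cyclonedx.json` attached to the release. This is an added example, not part of the project's tooling: the embedded SBOM is constructed sample data, and `walk_components` / `find_flagged` are names chosen here.

```python
import json

# Packages the release notes list as development dependencies with known vulnerabilities.
FLAGGED = {("babel-traverse", "6.26.0"), ("shelljs", "0.8.1")}

# Constructed CycloneDX fragment for illustration; not the project's published SBOM.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-runtime-lib", "version": "1.0.0",
     "purl": "pkg:npm/example-runtime-lib@1.0.0"},
    {"type": "application", "name": "app/package-lock.json",
     "components": [
       {"type": "library", "name": "shelljs", "version": "0.8.1",
        "purl": "pkg:npm/shelljs@0.8.1"}
     ]}
  ]
}
""")


def walk_components(components):
    """Yield every component, including ones nested under another component."""
    for comp in components or []:
        yield comp
        yield from walk_components(comp.get("components"))


def find_flagged(sbom, flagged=FLAGGED):
    """Return sorted 'name@version' strings for flagged npm packages in the SBOM."""
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    hits = set()
    for comp in walk_components(sbom.get("components")):
        purl = comp.get("purl", "")
        # Skip non-npm ecosystems (e.g. pkg:apk/...) so an OS package that happens
        # to share a name and version is not reported.
        if purl and not purl.startswith("pkg:npm/"):
            continue
        key = (comp.get("name"), comp.get("version"))
        if key in flagged:
            hits.add("%s@%s" % key)
    return sorted(hits)


if __name__ == "__main__":
    print(find_flagged(SAMPLE_SBOM) or "no flagged packages present")
```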
- `.github/workflows/security-scan.yml`
- `Dockerfile.mcp` - Complete security hardening
- `.github/workflows/mcp-docker-build.yml` - Added Trivy + non-root verification
- `.github/workflows/mcp-release.yml` - Added SBOM generation
- `SECURITY.md` - Comprehensive security policy
- `README.md` - Security badge and documentation
- `docs/user_guide.md` - Security best practices
- `src/node/mcp-server.mjs` - Version bump to 1.2.0
- `package.json` - mcpVersion bump to 1.2.0
- `CHANGELOG.md` - v1.2.0 release notes
- DoubleGate (@doublegate)
- Claude Opus 4.5 (AI pair programming assistant)
- Release Tag: v1.2.0
- Docker Image: ghcr.io/doublegate/cyberchef-mcp_v1:v1.2.0
- Security Policy: SECURITY.md
- Changelog: CHANGELOG.md
- Previous Release: v1.1.0
Full Changelog: v1.1.0...v1.2.0