chore: add Trivy security scanning and fix non-root container users

Add `make trivy-scan` (filesystem + image) via dockerized Trivy.
Fix DS-0002 (HIGH): run evm, testapp, and local-da containers as
non-root `ev-node` user, consistent with the grpc Dockerfile.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: tac0turtle

Makefile

@@ -3,6 +3,7 @@ include ./scripts/test.mk
 include ./scripts/proto.mk
 include ./scripts/utils.mk
 include ./scripts/run.mk
+include ./scripts/security.mk
 include ./tools/tools.mk
 
 # Sets the default make target to `build`.

apps/evm/Dockerfile

@@ -17,10 +17,16 @@ FROM alpine:3.22.2
 #hadolint ignore=DL3018
 RUN apk --no-cache add ca-certificates curl
 
-WORKDIR /root
+RUN addgroup -g 1000 ev-node && \
+    adduser -u 1000 -G ev-node -s /bin/sh -D ev-node
+
+WORKDIR /home/ev-node
 
 COPY --from=build-env /src/apps/evm/evm /usr/bin/evm
 COPY apps/evm/entrypoint.sh /usr/bin/entrypoint.sh
-RUN chmod +x /usr/bin/entrypoint.sh
+RUN chmod +x /usr/bin/entrypoint.sh && \
+    chown -R ev-node:ev-node /home/ev-node
+
+USER ev-node
 
 ENTRYPOINT ["/usr/bin/entrypoint.sh"]

apps/testapp/Dockerfile

@@ -27,8 +27,14 @@ RUN go mod download && make install
 #
 FROM base
 
+RUN groupadd -g 1000 ev-node && \
+    useradd -u 1000 -g ev-node -s /bin/sh -m ev-node
+
 COPY --from=builder /go/bin/testapp /usr/bin
 
-WORKDIR /apps
+WORKDIR /home/ev-node
+RUN chown -R ev-node:ev-node /home/ev-node
+
+USER ev-node
 
 ENTRYPOINT ["testapp"]

scripts/security.mk

@@ -0,0 +1,43 @@
+# security.mk - Security scanning with Trivy (https://trivy.dev)
+
+TRIVY_IMAGE := aquasec/trivy:latest
+TRIVY_SEVERITY ?= CRITICAL,HIGH
+TRIVY_CACHE_VOLUME := trivy-cache
+
+# Docker images to scan (space-separated, override or extend as needed)
+SCAN_IMAGES ?= evstack:local-dev
+
+# Common docker run args for Trivy
+TRIVY_RUN := docker run --rm \
+	-v $(TRIVY_CACHE_VOLUME):/root/.cache/ \
+	-e TRIVY_SEVERITY=$(TRIVY_SEVERITY)
+
+## trivy-scan: Run all Trivy security scans (filesystem + Docker images)
+trivy-scan: trivy-scan-fs trivy-scan-image
+.PHONY: trivy-scan
+
+## trivy-scan-fs: Scan repo for dependency vulnerabilities, misconfigs, and secrets
+trivy-scan-fs:
+	@echo "--> Scanning repository filesystem with Trivy"
+	@$(TRIVY_RUN) \
+		-v $(CURDIR):/workspace \
+		$(TRIVY_IMAGE) \
+		fs --scanners vuln,misconfig,secret \
+		--severity $(TRIVY_SEVERITY) \
+		/workspace
+	@echo "--> Filesystem scan complete"
+.PHONY: trivy-scan-fs
+
+## trivy-scan-image: Scan built Docker images for vulnerabilities
+trivy-scan-image:
+	@echo "--> Scanning Docker images with Trivy"
+	@for img in $(SCAN_IMAGES); do \
+		echo "--> Scanning image: $$img"; \
+		$(TRIVY_RUN) \
+			-v /var/run/docker.sock:/var/run/docker.sock \
+			$(TRIVY_IMAGE) \
+			image --severity $(TRIVY_SEVERITY) \
+			$$img; \
+	done
+	@echo "--> Image scan complete"
+.PHONY: trivy-scan-image

tools/local-da/Dockerfile

@@ -19,9 +19,15 @@ FROM alpine:3.22.2
 #hadolint ignore=DL3018
 RUN apk --no-cache add ca-certificates curl
 
-WORKDIR /root
+RUN addgroup -g 1000 ev-node && \
+    adduser -u 1000 -G ev-node -s /bin/sh -D ev-node
+
+WORKDIR /home/ev-node
+RUN chown -R ev-node:ev-node /home/ev-node
 
 COPY --from=build-env /src/build/local-da /usr/bin/local-da
 
+USER ev-node
+
 ENTRYPOINT ["/usr/bin/local-da"]
 CMD ["-listen-all"]