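{
  // For format details, see https://aka.ms/devcontainer.json.
  // This is the HARDENED version of TRG's DevContainer - provides enhanced security
  // with capability dropping, security options, and resource limits while maintaining
  // network connectivity for development.
  //
  // The file is JSON with Comments (JSONC) as consumed by the Dev Containers tooling.
  // It is kept free of trailing commas so that strict JSON tools can still parse it
  // once comments are stripped.
  "name": "Hardened TRG's DevContainer",

  // Build configuration - uses the local Dockerfile in this directory
  "build": {
    "dockerfile": "Dockerfile"
  },

  // Use vscode user for security (non-root execution)
  "remoteUser": "vscode",

  // Features to add to the dev container. More info: https://containers.dev/features.
  // Git and GitHub CLI features for version control and GitHub integration.
  // NOTE(review): ":1" is a floating major-version tag that is resolved from ghcr.io at
  // build time and installed with root privileges. Pin to an exact version (or a digest,
  // if the tooling supports it) for a reproducible, supply-chain-auditable build.
  "features": {
    "ghcr.io/devcontainers/features/git:1": {},
    "ghcr.io/devcontainers/features/github-cli:1": {}
  },

  // Container environment variables
  "containerEnv": {
    "SHELL": "/bin/zsh", // Use zsh as the default shell
    "DEVCONTAINER_ID_LABEL": "hardened-web3-devcontainer" // Label for container identification
  },

  // Configure tool-specific properties for VS Code
  "customizations": {
    "vscode": {
      // Web3 security and development extensions
      "extensions": [
        "tintinweb.ethereum-security-bundle", // Comprehensive Ethereum security tools
        "tintinweb.vscode-ethover", // Ethereum hover information
        "trailofbits.weaudit", // Trail of Bits audit tools
        "tintinweb.vscode-inline-bookmarks", // Inline code bookmarks
        "tintinweb.vscode-solidity-language", // Solidity language support
        "tintinweb.graphviz-interactive-preview", // Graph visualization
        "trailofbits.contract-explorer", // Smart contract exploration
        "tintinweb.vscode-decompiler" // Contract decompilation
      ],
      // VS Code settings for security and functionality
      "settings": {
        // Security settings - killswitch for automated tasks
        "task.autoDetect": "off", // Disable automatic task detection
        "task.problemMatchers.autoDetect": "off", // Disable automatic problem matchers
        // Workspace Trust configuration.
        // `false` switches the Workspace Trust feature OFF entirely: VS Code then treats
        // every workspace as trusted, so extensions, tasks and debug configurations found
        // in the checked-out code run with full capabilities (Restricted Mode is never
        // offered). This is the opposite of "trust no one" - keep it only if the tmpfs
        // workspace below is considered a sufficient boundary; set it to true to keep
        // Restricted Mode available for untrusted folders.
        "security.workspace.trust.enabled": false,
        // Privacy settings - killswitch for telemetry
        "telemetry.telemetryLevel": "off", // Disable all telemetry collection
        // Terminal configuration
        "terminal.integrated.defaultProfile.linux": "zsh", // Use zsh by default
        "terminal.integrated.profiles.linux": { "zsh": { "path": "/usr/bin/zsh" } }
        // Using bash might be more safe and stable, but zsh provides better features
      }
    }
  },

  // Commands to run during container lifecycle.
  // initializeCommand runs on the HOST before the container is created (it is not
  // confined by any of the hardening below); postStartCommand runs inside the container.
  "initializeCommand": "echo 'Initializing hardened dev container...'",
  "postStartCommand": "echo '🚀 Dev container is ready for Web3 development!'",

  // Mount hardening configuration for security and development workflow.
  // If you need to extract something from within the container, you can use docker cp, but use it at your own risk.
  // If you want to develop your devcontainer, you should comment these entries out, otherwise your changes inside the live container won't persist.
  // Disables mounting the host workspace into the container for hardening: /workspace is
  // a tmpfs (mode 1777 = world-writable with sticky bit) whose contents are discarded
  // when the container stops.
  "workspaceMount": "type=tmpfs,destination=/workspace,tmpfs-mode=1777",
  "workspaceFolder": "/workspace",

  // Docker run arguments for security hardening and resource management
  "runArgs": [
    // Temporary filesystem mounts with security restrictions
    // These provide hardened, size-limited temporary storage
    "--tmpfs=/tmp:rw,noexec,nosuid,size=512m", // Main temporary directory
    "--tmpfs=/var/tmp:rw,noexec,nosuid,size=512m", // System temporary directory
    "--tmpfs=/dev/shm:rw,noexec,nosuid,size=64m", // Shared memory directory
    // Security hardening - drop all Linux capabilities
    // This reduces the attack surface by removing unnecessary privileges
    "--cap-drop=ALL",
    // Security options for container hardening (no-new-privileges & AppArmor).
    // Each option is passed as two argv elements: the flag and its value.
    "--security-opt", "no-new-privileges", // setuid/setgid binaries and file capabilities cannot raise privileges
    "--security-opt", "apparmor=docker-default", // Docker's default AppArmor profile ('=' is the documented separator; ':' is the legacy form)
    // seccomp: Docker applies its default seccomp profile automatically unless
    // "seccomp=unconfined" is requested, so no explicit option is needed here.
    // To use a custom profile, pass "--security-opt", "seccomp=<path-to-profile.json>".
    // "--security-opt", "seccomp=default",
    // Network security configuration
    // If you really want to isolate it, just disconnect it from the internet.
    // You should COPY your working files inside before, otherwise you'll have to mount them manually.
    // "--network=none",
    // IPv6 security - disable IPv6 to reduce attack surface
    "--sysctl=net.ipv6.conf.all.disable_ipv6=1", // Disable IPv6 globally
    "--sysctl=net.ipv6.conf.default.disable_ipv6=1", // Disable IPv6 by default
    // Network capability restrictions. NET_RAW is already removed by --cap-drop=ALL
    // above; this entry is kept as an explicit statement of intent.
    "--cap-drop=NET_RAW", // Disable raw packet access
    "--network=bridge", // Use bridge networking
    // DNS configuration for security and reliability (bypasses the host's resolver)
    "--dns=1.1.1.1", // Primary DNS (Cloudflare)
    "--dns=1.0.0.1", // Secondary DNS (Cloudflare)
    // Resource limits for container performance and security
    // Play a little bit with resources to prevent resource exhaustion
    // "--memory=512m", // Memory limit (commented out)
    // "--cpus=2" // CPU limit (commented out)
  ],

  // Writable mounts in case you want to set --read-only above.
  // Currently no additional mounts are configured
  "mounts": [
  ]
}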