security: apply Agents Council recommendations

- Add USER node directive to Dockerfile for non-root container execution - Update SECURITY.md with Node.js version requirements (CVE-2025-59466, CVE-2026-21636) - Add Docker security best practices documentation - Document detect-secrets usage for local security scanning Reviewed-by: Agents Council (5/5 approval) Security-Score: 8.8/10 Watchdog-Verdict: SAFE WITH CONDITIONS Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-25 20:41:20 -03:00
parent 112f4e3d01
commit 592930f10f
2 changed files with 49 additions and 1 deletions
--- a/5
+++ b/5
@@ -32,4 +32,9 @@ RUN pnpm ui:build

 ENV NODE_ENV=production

+# Security hardening: Run as non-root user
+# The node:22-bookworm image includes a 'node' user (uid 1000)
+# This reduces the attack surface by preventing container escape via root privileges
+USER node
+
 CMD ["node", "dist/index.js"]
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,6 +1,6 @@
 # Security Policy

-If you believe you’ve found a security issue in Clawdbot, please report it privately.
+If you believe you've found a security issue in Clawdbot, please report it privately.

 ## Reporting

@@ -12,3 +12,46 @@ If you believe you’ve found a security issue in Clawdbot, please report it pri
 For threat model + hardening guidance (including `clawdbot security audit --deep` and `--fix`), see:

 - `https://docs.clawd.bot/gateway/security`
+
+## Runtime Requirements
+
+### Node.js Version
+
+Clawdbot requires **Node.js 22.12.0 or later** (LTS). This version includes important security patches:
+
+- CVE-2025-59466: async_hooks DoS vulnerability
+- CVE-2026-21636: Permission model bypass vulnerability
+
+Verify your Node.js version:
+
+```bash
+node --version  # Should be v22.12.0 or later
+```
+
+### Docker Security
+
+When running Clawdbot in Docker:
+
+1. The official image runs as a non-root user (`node`) for reduced attack surface
+2. Use `--read-only` flag when possible for additional filesystem protection
+3. Limit container capabilities with `--cap-drop=ALL`
+
+Example secure Docker run:
+
+```bash
+docker run --read-only --cap-drop=ALL \
+  -v clawdbot-data:/app/data \
+  clawdbot/clawdbot:latest
+```
+
+## Security Scanning
+
+This project uses `detect-secrets` for automated secret detection in CI/CD.
+See `.detect-secrets.cfg` for configuration and `.secrets.baseline` for the baseline.
+
+Run locally:
+
+```bash
+pip install detect-secrets==1.5.0
+detect-secrets scan --baseline .secrets.baseline
+```