let5see/clawdbot
1
0
Fork 0
Code Issues Pull Requests Actions 4 Packages Projects Releases Wiki Activity

security: apply Agents Council recommendations

Browse Source 
- Add USER node directive to Dockerfile for non-root container execution
- Update SECURITY.md with Node.js version requirements (CVE-2025-59466, CVE-2026-21636)
- Add Docker security best practices documentation
- Document detect-secrets usage for local security scanning

Reviewed-by: Agents Council (5/5 approval)
Security-Score: 8.8/10
Watchdog-Verdict: SAFE WITH CONDITIONS

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
rhuanssauro
2026-01-25 20:41:20 -03:00
committed by Peter Steinberger
parent 112f4e3d01
commit 592930f10f
2 changed files with 49 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
Dockerfile
View File

@@ -32,4 +32,9 @@ RUN pnpm ui:build
ENV NODE_ENV=production
# Security hardening: Run as non-root user
# The node:22-bookworm image includes a 'node' user (uid 1000)
# This reduces the attack surface by preventing container escape via root privileges
USER node
CMD ["node", "dist/index.js"]

45
SECURITY.md
View File

@@ -1,6 +1,6 @@
# Security Policy
If you believe youve found a security issue in Clawdbot, please report it privately.
If you believe you've found a security issue in Clawdbot, please report it privately.
## Reporting
@@ -12,3 +12,46 @@ If you believe youve found a security issue in Clawdbot, please report it pri
For threat model + hardening guidance (including `clawdbot security audit --deep` and `--fix`), see:
- `https://docs.clawd.bot/gateway/security`
## Runtime Requirements
### Node.js Version
Clawdbot requires **Node.js 22.12.0 or later** (LTS). This version includes important security patches:
- CVE-2025-59466: async_hooks DoS vulnerability
- CVE-2026-21636: Permission model bypass vulnerability
Verify your Node.js version:
```bash
node --version # Should be v22.12.0 or later
```
### Docker Security
When running Clawdbot in Docker:
1. The official image runs as a non-root user (`node`) for reduced attack surface
2. Use `--read-only` flag when possible for additional filesystem protection
3. Limit container capabilities with `--cap-drop=ALL`
Example secure Docker run:
```bash
docker run --read-only --cap-drop=ALL \
-v clawdbot-data:/app/data \
clawdbot/clawdbot:latest
```
## Security Scanning
This project uses `detect-secrets` for automated secret detection in CI/CD.
See `.detect-secrets.cfg` for configuration and `.secrets.baseline` for the baseline.
Run locally:
```bash
pip install detect-secrets==1.5.0
detect-secrets scan --baseline .secrets.baseline
```