playground/docker-claude
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(dockerfile): purge npm cache in same layer as installs to prevent secret leakage
All checks were successful
Build images / check-docker (push) Successful in 0s
Details
Build images / scan (push) Successful in 2m43s
Details
Build images / build-and-push (push) Successful in 9m53s
Details

Browse source 
Consolidate MCP install, CVE patches, .npmrc scrub, and npm cache clean
into a single RUN so the download cache (which contains package tarballs
with example GitHub tokens) is never committed to a layer.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
docker-claude 2026-04-20 23:32:26 +02:00
parent e8d134f5a9
commit 94333e4d32
1 changed files with 35 additions and 38 deletions
Download patch file Download diff file Expand all files Collapse all files

73
claude/Dockerfile
View file

@ -39,57 +39,54 @@ COPY settings.json /etc/claude-code/managed-settings.json
# Install Claude Code stable release # Install Claude Code stable release
RUN curl -fsSL https://claude.ai/install.sh | bash -s stable RUN curl -fsSL https://claude.ai/install.sh | bash -s stable
# Install MCP servers globally — entry points land in /usr/local/lib/node_modules/ # Install MCP servers, patch transitive CVEs, scrub credentials and cache — all in one
RUN npm install -g \ # layer so nothing is committed to the image between install and cleanup.
@modelcontextprotocol/server-github \ #
@yoda.digital/gitlab-mcp-server \ # CVEs patched:
@aashari/mcp-server-atlassian-jira \
@aashari/mcp-server-atlassian-confluence
# Patch transitive CVEs bundled inside MCP server node_modules:
# CVE-2025-66414, CVE-2026-0621 — @modelcontextprotocol/sdk <1.25.2 # CVE-2025-66414, CVE-2026-0621 — @modelcontextprotocol/sdk <1.25.2
# GHSA-345p-7cg4-v4c7 — @modelcontextprotocol/sdk <1.26.0 # GHSA-345p-7cg4-v4c7 — @modelcontextprotocol/sdk <1.26.0
# CVE-2026-33671 — picomatch <4.0.4 (also covers npm bundled copy above) # CVE-2026-33671 — picomatch <4.0.4
# GHSA-f886-m6hf-6m8v — brace-expansion <5.0.5 # GHSA-f886-m6hf-6m8v — brace-expansion <5.0.5
RUN for pkg_dir in \ RUN npm install -g \
/usr/local/lib/node_modules/@modelcontextprotocol/server-github \ @modelcontextprotocol/server-github \
/usr/local/lib/node_modules/@yoda.digital/gitlab-mcp-server \ @yoda.digital/gitlab-mcp-server \
/usr/local/lib/node_modules/@aashari/mcp-server-atlassian-jira \ @aashari/mcp-server-atlassian-jira \
/usr/local/lib/node_modules/@aashari/mcp-server-atlassian-confluence; do \ @aashari/mcp-server-atlassian-confluence \
[ -d "$pkg_dir" ] && \ && for pkg_dir in \
cd "$pkg_dir" && \ /usr/local/lib/node_modules/@modelcontextprotocol/server-github \
npm install --no-audit --no-fund \ /usr/local/lib/node_modules/@yoda.digital/gitlab-mcp-server \
@modelcontextprotocol/sdk@1.26.0 \ /usr/local/lib/node_modules/@aashari/mcp-server-atlassian-jira \
picomatch@4.0.4 \ /usr/local/lib/node_modules/@aashari/mcp-server-atlassian-confluence; do \
brace-expansion@5.0.5 \ [ -d "$pkg_dir" ] && \
|| true; \ cd "$pkg_dir" && \
done \ npm install --no-audit --no-fund \
@modelcontextprotocol/sdk@1.26.0 \
picomatch@4.0.4 \
brace-expansion@5.0.5 \
|| true; \
done \
&& find /usr/local/lib/node_modules -name "picomatch" -type d | while read dir; do \ && find /usr/local/lib/node_modules -name "picomatch" -type d | while read dir; do \
ver=$(node -p "require('$dir/package.json').version" 2>/dev/null); \ ver=$(node -p "require('$dir/package.json').version" 2>/dev/null); \
[ "$ver" = "4.0.3" ] || continue; \ [ "$ver" = "4.0.3" ] || continue; \
prefix=$(dirname "$(dirname "$dir")"); \ prefix=$(dirname "$(dirname "$dir")"); \
npm install --prefix "$prefix" picomatch@4.0.4 \ npm install --prefix "$prefix" picomatch@4.0.4 \
--no-save --no-audit --no-fund 2>/dev/null || true; \ --no-save --no-audit --no-fund 2>/dev/null || true; \
done \ done \
&& cd /tmp \ && cd /tmp \
&& npm pack brace-expansion@5.0.5 --no-audit 2>/dev/null \ && npm pack brace-expansion@5.0.5 --no-audit 2>/dev/null \
&& tar xzf brace-expansion-5.0.5.tgz \ && tar xzf brace-expansion-5.0.5.tgz \
&& find /usr/local/lib/node_modules -name "package.json" -path "*/brace-expansion/package.json" \ && find /usr/local/lib/node_modules -name "package.json" -path "*/brace-expansion/package.json" \
| xargs grep -l '"version": "5.0.4"' 2>/dev/null \ | xargs grep -l '"version": "5.0.4"' 2>/dev/null \
| while read pj; do \ | while read pj; do \
echo "Patching brace-expansion at $(dirname "$pj")"; \
cp -r /tmp/package/. "$(dirname "$pj")/"; \ cp -r /tmp/package/. "$(dirname "$pj")/"; \
done \ done \
&& rm -rf /tmp/brace-expansion-5.0.5.tgz /tmp/package && rm -rf /tmp/brace-expansion-5.0.5.tgz /tmp/package \
&& find /root /home /usr/local/etc -name ".npmrc" -o -name "npmrc" \
# Remove any npm auth credentials written during install. | xargs grep -l "_authToken\|_auth\b" 2>/dev/null \
# npm automatically picks up GITHUB_TOKEN and NPM_TOKEN from the build environment | xargs rm -f 2>/dev/null || true \
# and persists them in .npmrc files — scrub all of them before the image is finalised.
RUN find /root /home /usr/local/etc -name ".npmrc" -o -name "npmrc" \
| xargs grep -l "_authToken\|_auth\b" 2>/dev/null \
| xargs rm -f 2>/dev/null || true \
&& npm config delete //npm.pkg.github.com/:_authToken 2>/dev/null || true \ && npm config delete //npm.pkg.github.com/:_authToken 2>/dev/null || true \
&& npm config delete //registry.npmjs.org/:_authToken 2>/dev/null || true && npm config delete //registry.npmjs.org/:_authToken 2>/dev/null || true \
&& npm cache clean --force
# Workspace and Claude config dir — owned by the built-in node user (uid 1000). # Workspace and Claude config dir — owned by the built-in node user (uid 1000).
# Pre-creating ~/.claude ensures the named volume is initialised with the # Pre-creating ~/.claude ensures the named volume is initialised with the