MCP servers bundle their own copies of vulnerable packages. After global
install, patch nested node_modules in each server directly:
- @modelcontextprotocol/sdk 1.0.1 → 1.25.2 (CVE-2025-66414, CVE-2026-0621)
- picomatch 4.0.3 → 4.0.4 (CVE-2026-33671)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
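Because each globally installed MCP server carries its own nested node_modules, a single top-level audit can miss the vulnerable copies. The script below is an added example (not code from the repository or the commit): it walks a tree, finds every copy of the two packages named above at any nesting depth, and flags those still below the patched version. The directory layout it builds for the demonstration is constructed.

```python
import json
import tempfile
from pathlib import Path

# Added example, not repository code. Patched versions are the ones named in the
# commit message above; the directory layout built below is constructed.
MIN_FIXED = {"@modelcontextprotocol/sdk": "1.25.2", "picomatch": "4.0.4"}

def parse_version(v):
    """Plain MAJOR.MINOR.PATCH compare; pre-release/build suffixes are dropped."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split("."))

def find_installed(root, name):
    """Yield (dir, version) for every copy of `name`, however deeply nested:
    any package.json whose directory ends in node_modules/<name>."""
    suffix = ("node_modules", *name.split("/"))
    for pkg_json in Path(root).rglob("package.json"):
        if pkg_json.parent.parts[-len(suffix):] == suffix:
            yield pkg_json.parent, json.loads(pkg_json.read_text()).get("version", "0.0.0")

def audit(root):
    """One finding per installed copy that is older than its fixed version."""
    findings = []
    for name, fixed in MIN_FIXED.items():
        for pkg_dir, version in find_installed(root, name):
            if parse_version(version) < parse_version(fixed):
                findings.append({"package": name, "path": str(pkg_dir),
                                 "installed": version, "fixed": fixed})
    return sorted(findings, key=lambda f: f["path"])

def build_sample_tree(base):
    """Constructed layout mimicking two globally installed MCP servers."""
    copies = {
        "mcp-server-github/node_modules/@modelcontextprotocol/sdk": "1.0.1",
        "mcp-server-github/node_modules/picomatch": "4.0.4",
        "gitlab-mcp-server/node_modules/@modelcontextprotocol/sdk": "1.25.2",
        "gitlab-mcp-server/node_modules/picomatch": "4.0.3",
    }
    for rel, version in copies.items():
        d = Path(base, "lib", "node_modules", rel)
        d.mkdir(parents=True)
        (d / "package.json").write_text(json.dumps({"version": version}))

def demo():
    """Build the sample tree in a temp dir and audit it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit(tmp)
```

Pointing audit() at the image's global prefix (for example the directory holding lib/node_modules) lists exactly which nested copies still need patching after the global install.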

dhi.io is unreachable on the company network, blocking apk during build.
Trivy scanning in CI provides vulnerability coverage in the meantime.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

trivy-action@v0.35.0 expects trivy pre-installed in the runner environment.
Switch to docker run aquasec/trivy:0.69.3, which uses the Docker daemon
already available in the pipeline. Pin version via TRIVY_IMAGE env var.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Scan job: run Trivy before the security gate to emit a CycloneDX SBOM
for each image (exit-code 0), then run the HIGH/CRITICAL gate as before.
SBOMs are uploaded as a pipeline artifact (90-day retention) with
if: always() so they're available even when the security gate fails.
Build job: add sbom: true and provenance: true to both build-push steps
so BuildKit attaches SBOM and provenance attestations to the image
manifest in the registry.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Add a scan job between check-docker and build-and-push. Builds each image
locally (no push, current platform only), runs Trivy v0.35.0 against it,
and fails on unfixed HIGH/CRITICAL CVEs. build-and-push only runs if both
scans pass.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Docker Desktop requires a commercial licence for business use. Replace all
references with free alternatives:
- macOS: Rancher Desktop (GUI) or Colima (CLI)
- Linux: Docker Engine CE (no Desktop needed at all)
- Windows: Rancher Desktop or WSL2 + Docker Engine
setup.sh detects the OS and shows platform-specific install instructions.
claude.sh defers to setup.sh for install hints to avoid duplication.
README documents all options including a WSL2 setup walkthrough.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

The kubectl_api ACL allowed CONNECT tunnels to any host on port 6443,
bypassing the domain allowlist entirely. Remove it and require cluster
hostnames to be added explicitly to allowed_sites instead.
Also remove the localhost and .local entries — these aren't needed for
Claude Code or the configured MCP servers.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Remove webui from architecture, commands, and security table.
Update auth option 3 to reference ~/.claude instead of claude-config volume.
Drop stale registry path comment and web interface section.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Update image references from registry.zeidler.dev/docker/playground to
registry.zeidler.dev/docker-public/playground in docker-compose.yml and build.sh.
Also bind-mount ${HOME}/.claude instead of using the claude-config named volume.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Run from the project directory you want to work on; claude.sh mounts
it automatically. Removes WORKSPACE_DIR env var support and the
named claude-secure-workspace Docker volume.

Install four MCP servers globally in the claude image:
@modelcontextprotocol/server-github → mcp-server-github
@yoda.digital/gitlab-mcp-server → gitlab-mcp-server
@aashari/mcp-server-atlassian-jira → mcp-atlassian-jira
@aashari/mcp-server-atlassian-confluence → mcp-atlassian-confluence
Wire them in managed-settings.json via mcpServers with env var
pass-through. Jira and Confluence share ATLASSIAN_* credentials.
Add api.github.com, .gitlab.com, .atlassian.net to the squid
allowlist. All credentials are optional — servers are skipped
if the relevant env vars are unset.

Add permissions.allow to managed-settings.json for Bash(*), Edit(*),
and Write(*). Claude Code will not prompt for confirmation on shell
commands or file writes inside the container.

Add /etc/claude-code/managed-settings.json with availableModels set to
the three Anthropic model families. The file is root-owned inside the
container so the node user cannot modify it. Managed settings cannot be
bypassed via --model flag, /model command, or ANTHROPIC_MODEL env var.