[docker] Add Trivy security scanning and enhance container security

.github/workflows/docker.yml

@@ -92,6 +92,21 @@ jobs:
           docker pull ghcr.io/${{ github.repository }}:${TAG}
           docker tag ghcr.io/${{ github.repository }}:${TAG} llm-proxy:${TAG}
 
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'llm-proxy:${{ steps.set_tag.outputs.name }}'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+        continue-on-error: true
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
+        continue-on-error: true
+
       - name: Smoke test using Makefile (run + health)
         run: |
           make docker-smoke IMAGE=llm-proxy:${{ steps.set_tag.outputs.name }}

Dockerfile

@@ -21,10 +21,10 @@ ENV CGO_ENABLED=1
 RUN --mount=type=cache,target=/go/pkg/mod \
     --mount=type=cache,target=/root/.cache/go-build \
     GOMODCACHE=/go/pkg/mod \
-    go build -ldflags "-w" -trimpath -o /llm-proxy ./cmd/proxy
+    go build -ldflags "-w -s -extldflags '-static'" -a -trimpath -o /llm-proxy ./cmd/proxy
 
 # Use a small alpine image for the final container
-FROM alpine:3.18
+FROM alpine:3.20
 
 # Security: Add only required runtime libraries
 RUN --mount=type=cache,target=/var/cache/apk apk add ca-certificates tzdata sqlite-libs wget

Makefile

@@ -1,4 +1,4 @@
-.PHONY: all build test test-coverage test-coverage-ci test-watch test-coverage-watch test-dev lint clean tools dev-setup db-setup run docker docker-build docker-run docker-smoke docker-stop swag test-benchmark coverage
+.PHONY: all build test test-coverage test-coverage-ci test-watch test-coverage-watch test-dev lint clean tools dev-setup db-setup run docker docker-build docker-run docker-smoke docker-scan docker-stop swag test-benchmark coverage
 
 # Go parameters
 GOCMD=go
@@ -112,6 +112,14 @@ docker-smoke:
 	docker logs llm-proxy || true; \
 	exit 1
 
+docker-scan:
+	@echo "Running Trivy security scan on llm-proxy:latest..."
+	@if command -v trivy >/dev/null 2>&1; then \
+	  trivy image --severity HIGH,CRITICAL llm-proxy:latest; \
+	else \
+	  echo "Trivy not installed. Install with: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin"; \
+	fi
+
 
 # API documentation
 swag:

README.md

@@ -261,6 +261,7 @@ This ensures both the proxy and dispatcher share events via Redis, enabling full
 make docker-build
 make docker-run
 make docker-smoke
+make docker-scan  # Run Trivy security scan
 ```
 
 ### Publishing

docs/issues/phase-6-docker-optimization.md

@@ -17,16 +17,20 @@ Optimize the Dockerfile and containerization setup for the LLM proxy. This inclu
 - [x] Document Docker build and deployment process
 - [x] Add tests for Docker builds and health checks (CI smoke test in `.github/workflows/docker.yml`)
 - [x] Build and publish Docker image to GitHub Container Registry (GHCR)
+- [x] Add Trivy security scanning to CI pipeline and Makefile
 
 ## Acceptance Criteria
 - Dockerfile is multi-stage and optimized
 - Volumes and health checks are properly configured
 - Security best practices are followed
+- Security scanning (Trivy) integrated in CI
 - Documentation and tests are updated accordingly 
 - CI builds and publishes multi-arch images to `ghcr.io/sofatutor/llm-proxy`
 
 ## Notes
 - Removed unnecessary `redis` package from runtime image; Redis runs as a separate service.
 - Added `.dockerignore` to reduce build context.
-- Makefile targets: `docker-build`, `docker-run`, `docker-smoke` for local validation.
-- Added GitHub Actions workflow `.github/workflows/docker.yml` to build multi-arch image and push to GHCR on `main` and tags.
+- Makefile targets: `docker-build`, `docker-run`, `docker-smoke`, `docker-scan` for local validation.
+- Added GitHub Actions workflow `.github/workflows/docker.yml` to build multi-arch image and push to GHCR on `main` and tags.
+- Integrated Trivy security scanning in CI pipeline with results uploaded to GitHub Security tab.
+- Enhanced Dockerfile with additional security build flags.

test/docker_test.go

@@ -0,0 +1,64 @@
+package test
+
+import (
+	"os/exec"
+	"testing"
+)
+
+// TestDockerScanTarget verifies the docker-scan Makefile target exists and can be executed
+func TestDockerScanTarget(t *testing.T) {
+	// Test that make docker-scan target exists and has proper syntax
+	cmd := exec.Command("make", "-n", "docker-scan")
+	cmd.Dir = ".."
+
+	output, err := cmd.Output()
+	if err != nil {
+		t.Fatalf("Failed to run 'make -n docker-scan': %v", err)
+	}
+
+	expectedCommands := []string{
+		"echo \"Running Trivy security scan on llm-proxy:latest...\"",
+		"trivy image --severity HIGH,CRITICAL llm-proxy:latest",
+	}
+
+	outputStr := string(output)
+	for _, expected := range expectedCommands {
+		if !contains(outputStr, expected) {
+			t.Errorf("Expected command not found in make output: %s", expected)
+		}
+	}
+}
+
+// TestDockerfileEnhancements verifies the Dockerfile contains security enhancements
+func TestDockerfileEnhancements(t *testing.T) {
+	dockerfile := "../Dockerfile"
+
+	// Read and check Dockerfile content
+	cmd := exec.Command("grep", "-E", "(alpine:3\\.20|\\-s \\-extldflags)", dockerfile)
+	output, err := cmd.Output()
+	if err != nil {
+		t.Fatalf("Failed to verify Dockerfile enhancements: %v", err)
+	}
+
+	outputStr := string(output)
+	if !contains(outputStr, "alpine:3.20") && !contains(outputStr, "-s -extldflags") {
+		t.Error("Expected Dockerfile security enhancements not found")
+	}
+}
+
+// contains checks if a string contains a substring
+func contains(str, substr string) bool {
+	return len(str) >= len(substr) && 
+		   str[len(str)-len(substr):] == substr ||
+		   str[:len(substr)] == substr ||
+		   findInString(str, substr)
+}
+
+func findInString(str, substr string) bool {
+	for i := 0; i <= len(str)-len(substr); i++ {
+		if str[i:i+len(substr)] == substr {
+			return true
+		}
+	}
+	return false
+}