diff --git a/src/bun/README.md b/src/bun/README.md index a5c5941..83f79da 100644 --- a/src/bun/README.md +++ b/src/bun/README.md @@ -1,7 +1,7 @@ # Bun (bun) -Minimal, supply-chain-secure dev container with Bun for JS/TypeScript. +Security-focused Bun dev container for JS/TS with hardened defaults and cached installs. ## Options @@ -9,6 +9,32 @@ Minimal, supply-chain-secure dev container with Bun for JS/TypeScript. |-----|-----|-----|-----| | imageVariant | Bun version and Debian version | string | 1-trixie | +## Security Hardening + +This template applies the shared hardening defaults of Bare Dev Container Templates: + +- Runs as the non-root `dev` user. +- Drops all Linux capabilities (`--cap-drop=ALL`) and sets the `no-new-privileges` security option, so processes cannot gain elevated privileges inside the container. Remove `no-new-privileges` from `securityOpt` if you need `su`/`sudo`. +- Starts an init process (`"init": true`) to reap zombie processes. +- The base image `ghcr.io/bare-devcontainer/bun` is a minimal [Bare Dev Container Image](https://github.com/bare-devcontainer/images) that limits trusted upstreams to official sources to reduce supply-chain risk. + +After applying the template, we recommend pinning the image to a digest so every rebuild uses exactly the image you expect — see [Pinning Images to a Digest](https://github.com/bare-devcontainer/templates#pinning-images-to-a-digest). + +## Persistent Caches + +Bun's global install cache is persisted in a named volume, so rebuilding the container to pick up image updates doesn't require re-downloading packages: + +| Volume | Mount path | Purpose | +|--------|------------|---------| +| `${devcontainerId}-bun-install-cache` | `/home/dev/.bun/install/cache` | Bun's global install cache | + +## Editor Integration + +- Installs the `oven.bun-vscode` VS Code extension, with `bun.runtime` preconfigured to the Bun binary shipped in the image (`/usr/local/bin/bun`). + +## Tips + +- If you use VS Code, uncomment the `remoteEnv` block in `devcontainer.json` to open `$EDITOR`/`$VISUAL`/`$GIT_EDITOR` (e.g. `git commit`) in a VS Code tab. --- diff --git a/src/debian/README.md b/src/debian/README.md index 7216633..a03ccd8 100644 --- a/src/debian/README.md +++ b/src/debian/README.md @@ -1,7 +1,7 @@ # Debian (debian) -Minimal, supply-chain-secure Debian base for any development stack. +Security-focused minimal Debian base for any stack, with hardened container defaults. ## Options @@ -9,6 +9,28 @@ Minimal, supply-chain-secure Debian base for any development stack. |-----|-----|-----|-----| | imageVariant | Debian version | string | trixie | +## Security Hardening + +This template applies the shared hardening defaults of Bare Dev Container Templates: + +- Runs as the non-root `dev` user. +- Drops all Linux capabilities (`--cap-drop=ALL`) and sets the `no-new-privileges` security option, so processes cannot gain elevated privileges inside the container. Remove `no-new-privileges` from `securityOpt` if you need `su`/`sudo`. +- Starts an init process (`"init": true`) to reap zombie processes. +- The base image `ghcr.io/bare-devcontainer/debian` is a minimal [Bare Dev Container Image](https://github.com/bare-devcontainer/images) that limits trusted upstreams to official sources to reduce supply-chain risk. + +After applying the template, we recommend pinning the image to a digest so every rebuild uses exactly the image you expect — see [Pinning Images to a Digest](https://github.com/bare-devcontainer/templates#pinning-images-to-a-digest). + +## Usage Notes + +This template is a minimal Debian base for any development stack — no language toolchain is preinstalled. To add tooling, you can: + +- layer [Dev Container Features](https://containers.dev/features) on top of the image, +- extend the image with your own `Dockerfile`, or +- switch to a stack-specific Bare Dev Container template (Go, Rust, Node.js, ...). + +## Tips + +- If you use VS Code, uncomment the `remoteEnv` block in `devcontainer.json` to open `$EDITOR`/`$VISUAL`/`$GIT_EDITOR` (e.g. `git commit`) in a VS Code tab. --- diff --git a/src/golang/README.md b/src/golang/README.md index 1015654..bf8fb76 100644 --- a/src/golang/README.md +++ b/src/golang/README.md @@ -1,7 +1,7 @@ # Go (golang) -Minimal, supply-chain-secure dev container with Go toolchain. +Security-focused Go dev container with hardened defaults and rebuild-friendly caches. ## Options @@ -9,6 +9,35 @@ Minimal, supply-chain-secure dev container with Go toolchain. |-----|-----|-----|-----| | imageVariant | Go version and Debian version | string | 1.26-trixie | +## Security Hardening + +This template applies the shared hardening defaults of Bare Dev Container Templates: + +- Runs as the non-root `dev` user. +- Drops all Linux capabilities (`--cap-drop=ALL`) and sets the `no-new-privileges` security option, so processes cannot gain elevated privileges inside the container. Remove `no-new-privileges` from `securityOpt` if you need `su`/`sudo`. +- Starts an init process (`"init": true`) to reap zombie processes. +- The base image `ghcr.io/bare-devcontainer/golang` is a minimal [Bare Dev Container Image](https://github.com/bare-devcontainer/images) that limits trusted upstreams to official sources to reduce supply-chain risk. + +After applying the template, we recommend pinning the image to a digest so every rebuild uses exactly the image you expect — see [Pinning Images to a Digest](https://github.com/bare-devcontainer/templates#pinning-images-to-a-digest). + +## Persistent Caches + +The Go module and build caches are persisted in named volumes, so rebuilding the container to pick up image updates doesn't require re-downloading modules or recompiling packages: + +| Volume | Mount path | Purpose | +|--------|------------|---------| +| `${devcontainerId}-golang-pkg-mod` | `/home/dev/go/pkg/mod` | Go module cache (`GOMODCACHE`) | +| `${devcontainerId}-golang-build-cache` | `/home/dev/.cache/go-build` | Go build cache (`GOCACHE`) | + +## Editor Integration + +- Installs the `golang.go` VS Code extension, with format-on-save and organize-imports enabled for Go files and gopls semantic tokens turned on. +- Automatic updates of the Go tools are disabled (`go.toolsManagement.autoUpdate: false`, update checks are local only), so the editor does not download tools behind your back. + +## Tips + +- To use the debugger (delve), uncomment `"capAdd": ["SYS_PTRACE"]` in `devcontainer.json`. +- If you use VS Code, uncomment the `remoteEnv` block in `devcontainer.json` to open `$EDITOR`/`$VISUAL`/`$GIT_EDITOR` (e.g. `git commit`) in a VS Code tab. --- diff --git a/src/mise/README.md b/src/mise/README.md index b2348ec..7ae94da 100644 --- a/src/mise/README.md +++ b/src/mise/README.md @@ -1,7 +1,7 @@ # mise (mise) -Minimal, supply-chain-secure dev container with mise for multiple runtimes. +Security-focused mise dev container for multiple runtimes, with rebuild-friendly caches. ## Options @@ -9,6 +9,40 @@ Minimal, supply-chain-secure dev container with mise for multiple runtimes. |-----|-----|-----|-----| | imageVariant | Debian version | string | trixie | +## Security Hardening + +This template applies the shared hardening defaults of Bare Dev Container Templates: + +- Runs as the non-root `dev` user. +- Drops all Linux capabilities (`--cap-drop=ALL`) and sets the `no-new-privileges` security option, so processes cannot gain elevated privileges inside the container. Remove `no-new-privileges` from `securityOpt` if you need `su`/`sudo`. +- Starts an init process (`"init": true`) to reap zombie processes. +- The base image `ghcr.io/bare-devcontainer/mise` is a minimal [Bare Dev Container Image](https://github.com/bare-devcontainer/images) that limits trusted upstreams to official sources to reduce supply-chain risk. + +After applying the template, we recommend pinning the image to a digest so every rebuild uses exactly the image you expect — see [Pinning Images to a Digest](https://github.com/bare-devcontainer/templates#pinning-images-to-a-digest). + +## Persistent Caches + +mise's data directory and download cache are persisted in named volumes, so toolchains installed with mise survive container rebuilds and don't need to be re-downloaded: + +| Volume | Mount path | Purpose | +|--------|------------|---------| +| `${devcontainerId}-mise-data` | `/home/dev/.local/share/mise` | mise-managed toolchains | +| `${devcontainerId}-mise-cache` | `/home/dev/.cache/mise` | mise's download cache | + +## Usage Notes + +[mise](https://mise.jdx.dev/) is a polyglot runtime manager. Install and pin the runtimes your project needs, for example: + +```sh +mise use node@24 +mise use python@3.13 +``` + +The installed runtimes are stored in the persisted data volume, so they remain available after rebuilding the container. + +## Tips + +- If you use VS Code, uncomment the `remoteEnv` block in `devcontainer.json` to open `$EDITOR`/`$VISUAL`/`$GIT_EDITOR` (e.g. `git commit`) in a VS Code tab. --- diff --git a/src/node/README.md b/src/node/README.md index 9a2639c..ee339e3 100644 --- a/src/node/README.md +++ b/src/node/README.md @@ -1,7 +1,7 @@ # Node.js (node) -Minimal, supply-chain-secure Node.js dev container for JS/TypeScript. +Security-focused Node.js dev container for JS/TS with hardened, non-root defaults. ## Options @@ -9,6 +9,30 @@ Minimal, supply-chain-secure Node.js dev container for JS/TypeScript. |-----|-----|-----|-----| | imageVariant | Node.js version and Debian version | string | 26-trixie | +## Security Hardening + +This template applies the shared hardening defaults of Bare Dev Container Templates: + +- Runs as the non-root `dev` user. +- Drops all Linux capabilities (`--cap-drop=ALL`) and sets the `no-new-privileges` security option, so processes cannot gain elevated privileges inside the container. Remove `no-new-privileges` from `securityOpt` if you need `su`/`sudo`. +- Starts an init process (`"init": true`) to reap zombie processes. +- The base image `ghcr.io/bare-devcontainer/node` is a minimal [Bare Dev Container Image](https://github.com/bare-devcontainer/images) that limits trusted upstreams to official sources to reduce supply-chain risk. + +After applying the template, we recommend pinning the image to a digest so every rebuild uses exactly the image you expect — see [Pinning Images to a Digest](https://github.com/bare-devcontainer/templates#pinning-images-to-a-digest). + +## Tips + +- To keep npm's download cache across container rebuilds, add a named volume to `mounts` in `devcontainer.json`: + + ```json + { + "source": "${devcontainerId}-npm-cache", + "target": "/home/dev/.npm", + "type": "volume" + } + ``` + +- If you use VS Code, uncomment the `remoteEnv` block in `devcontainer.json` to open `$EDITOR`/`$VISUAL`/`$GIT_EDITOR` (e.g. `git commit`) in a VS Code tab. --- diff --git a/src/rust/README.md b/src/rust/README.md index 834427e..eb7ae4b 100644 --- a/src/rust/README.md +++ b/src/rust/README.md @@ -1,7 +1,7 @@ # Rust (rust) -Minimal, supply-chain-secure dev container with Rust. +Security-focused Rust dev container with rust-analyzer and persistent Cargo caches. ## Options @@ -9,6 +9,36 @@ Minimal, supply-chain-secure dev container with Rust. |-----|-----|-----|-----| | imageVariant | Debian version | string | trixie | +## Security Hardening + +This template applies the shared hardening defaults of Bare Dev Container Templates: + +- Runs as the non-root `dev` user. +- Drops all Linux capabilities (`--cap-drop=ALL`) and sets the `no-new-privileges` security option, so processes cannot gain elevated privileges inside the container. Remove `no-new-privileges` from `securityOpt` if you need `su`/`sudo`. +- Starts an init process (`"init": true`) to reap zombie processes. +- The base image `ghcr.io/bare-devcontainer/rust` is a minimal [Bare Dev Container Image](https://github.com/bare-devcontainer/images) that limits trusted upstreams to official sources to reduce supply-chain risk. + +After applying the template, we recommend pinning the image to a digest so every rebuild uses exactly the image you expect — see [Pinning Images to a Digest](https://github.com/bare-devcontainer/templates#pinning-images-to-a-digest). + +## Persistent Caches + +Cargo's registry and git caches are persisted in named volumes, so rebuilding the container to pick up image updates doesn't require re-downloading crates: + +| Volume | Mount path | Purpose | +|--------|------------|---------| +| `${devcontainerId}-rust-cargo-registry` | `/home/dev/.cargo/registry` | Cargo registry cache | +| `${devcontainerId}-rust-cargo-git` | `/home/dev/.cargo/git` | Cargo's cache of git-sourced dependencies | + +Only `registry/` and `git/` are mounted; `~/.cargo/bin` is intentionally left in the image layer so the toolchain binaries always come from the image. + +## Editor Integration + +- Installs the `rust-lang.rust-analyzer` VS Code extension, with format-on-save enabled for Rust files. + +## Tips + +- To use the debugger, uncomment `"capAdd": ["SYS_PTRACE"]` in `devcontainer.json`. +- If you use VS Code, uncomment the `remoteEnv` block in `devcontainer.json` to open `$EDITOR`/`$VISUAL`/`$GIT_EDITOR` (e.g. `git commit`) in a VS Code tab. --- diff --git a/src/terraform/README.md b/src/terraform/README.md index 09407ea..5ff502c 100644 --- a/src/terraform/README.md +++ b/src/terraform/README.md @@ -1,7 +1,7 @@ # Terraform (terraform) -Minimal, supply-chain-secure dev container with Terraform CLI and terraform-ls. +Security-focused Terraform dev container with terraform-ls and rebuild-friendly caching. ## Options @@ -9,6 +9,32 @@ Minimal, supply-chain-secure dev container with Terraform CLI and terraform-ls. |-----|-----|-----|-----| | imageVariant | Terraform version and Debian version | string | 1-trixie | +## Security Hardening + +This template applies the shared hardening defaults of Bare Dev Container Templates: + +- Runs as the non-root `dev` user. +- Drops all Linux capabilities (`--cap-drop=ALL`) and sets the `no-new-privileges` security option, so processes cannot gain elevated privileges inside the container. Remove `no-new-privileges` from `securityOpt` if you need `su`/`sudo`. +- Starts an init process (`"init": true`) to reap zombie processes. +- The base image `ghcr.io/bare-devcontainer/terraform` is a minimal [Bare Dev Container Image](https://github.com/bare-devcontainer/images) that limits trusted upstreams to official sources to reduce supply-chain risk. + +After applying the template, we recommend pinning the image to a digest so every rebuild uses exactly the image you expect — see [Pinning Images to a Digest](https://github.com/bare-devcontainer/templates#pinning-images-to-a-digest). + +## Persistent Caches + +The Terraform plugin cache directory is persisted in a named volume, so rebuilding the container to pick up image updates doesn't require re-downloading providers: + +| Volume | Mount path | Purpose | +|--------|------------|---------| +| `${devcontainerId}-terraform-plugin-cache` | `/home/dev/.terraform.d/plugin-cache` | Terraform provider plugin cache | + +## Editor Integration + +- Installs the `hashicorp.terraform` and `hashicorp.hcl` VS Code extensions, with the language server paths preconfigured to the `terraform-ls` and `terraform` binaries shipped in the image, and format-on-save enabled for `.tf` and `.tfvars` files. + +## Tips + +- If you use VS Code, uncomment the `remoteEnv` block in `devcontainer.json` to open `$EDITOR`/`$VISUAL`/`$GIT_EDITOR` (e.g. `git commit`) in a VS Code tab. --- diff --git a/src/uv/README.md b/src/uv/README.md index 7743a96..2c3cde0 100644 --- a/src/uv/README.md +++ b/src/uv/README.md @@ -1,7 +1,7 @@ # Python (uv) (uv) -Minimal, supply-chain-secure Python dev container with uv. +Security-focused Python dev container with uv, hardened defaults, and cached packages. ## Options @@ -9,6 +9,42 @@ Minimal, supply-chain-secure Python dev container with uv. |-----|-----|-----|-----| | imageVariant | Debian version | string | trixie | +## Security Hardening + +This template applies the shared hardening defaults of Bare Dev Container Templates: + +- Runs as the non-root `dev` user. +- Drops all Linux capabilities (`--cap-drop=ALL`) and sets the `no-new-privileges` security option, so processes cannot gain elevated privileges inside the container. Remove `no-new-privileges` from `securityOpt` if you need `su`/`sudo`. +- Starts an init process (`"init": true`) to reap zombie processes. +- The base image `ghcr.io/bare-devcontainer/uv` is a minimal [Bare Dev Container Image](https://github.com/bare-devcontainer/images) that limits trusted upstreams to official sources to reduce supply-chain risk. + +After applying the template, we recommend pinning the image to a digest so every rebuild uses exactly the image you expect — see [Pinning Images to a Digest](https://github.com/bare-devcontainer/templates#pinning-images-to-a-digest). + +## Persistent Caches + +uv's cache is persisted in a named volume, so Python interpreters and packages downloaded by uv survive container rebuilds: + +| Volume | Mount path | Purpose | +|--------|------------|---------| +| `${devcontainerId}-uv-cache` | `/home/dev/.cache/uv` | uv's cache of downloaded Python interpreters and packages | + +## Usage Notes + +[uv](https://docs.astral.sh/uv/) manages Python versions, virtual environments, and packages. For example: + +```sh +uv python install 3.13 # install a Python interpreter +uv venv # create a virtual environment +uv sync # install project dependencies +``` + +## Editor Integration + +- Installs the `ms-python.python` and `charliermarsh.ruff` VS Code extensions, with Ruff as the default formatter and fix-all/organize-imports run on save for Python files. + +## Tips + +- If you use VS Code, uncomment the `remoteEnv` block in `devcontainer.json` to open `$EDITOR`/`$VISUAL`/`$GIT_EDITOR` (e.g. `git commit`) in a VS Code tab. --- diff --git a/src/zig/README.md b/src/zig/README.md index 3ede988..504a122 100644 --- a/src/zig/README.md +++ b/src/zig/README.md @@ -1,7 +1,7 @@ # Zig (zig) -Minimal, supply-chain-secure dev container with Zig. +Security-focused Zig dev container with zls integration and a persistent build cache. ## Options @@ -9,6 +9,33 @@ Minimal, supply-chain-secure dev container with Zig. |-----|-----|-----|-----| | imageVariant | Zig version and Debian version | string | 0.16-trixie | +## Security Hardening + +This template applies the shared hardening defaults of Bare Dev Container Templates: + +- Runs as the non-root `dev` user. +- Drops all Linux capabilities (`--cap-drop=ALL`) and sets the `no-new-privileges` security option, so processes cannot gain elevated privileges inside the container. Remove `no-new-privileges` from `securityOpt` if you need `su`/`sudo`. +- Starts an init process (`"init": true`) to reap zombie processes. +- The base image `ghcr.io/bare-devcontainer/zig` is a minimal [Bare Dev Container Image](https://github.com/bare-devcontainer/images) that limits trusted upstreams to official sources to reduce supply-chain risk. + +After applying the template, we recommend pinning the image to a digest so every rebuild uses exactly the image you expect — see [Pinning Images to a Digest](https://github.com/bare-devcontainer/templates#pinning-images-to-a-digest). + +## Persistent Caches + +The Zig global cache is persisted in a named volume, so rebuilding the container to pick up image updates doesn't require re-downloading packages or recompiling dependencies: + +| Volume | Mount path | Purpose | +|--------|------------|---------| +| `${devcontainerId}-zig-global-cache` | `/home/dev/.cache/zig` | Zig global cache | + +## Editor Integration + +- Installs the `ziglang.vscode-zig` VS Code extension, with the `zig` and `zls` paths preconfigured to the binaries shipped in the image and the Zig Language Server (zls) enabled. + +## Tips + +- To use the debugger, uncomment `"capAdd": ["SYS_PTRACE"]` in `devcontainer.json`. +- If you use VS Code, uncomment the `remoteEnv` block in `devcontainer.json` to open `$EDITOR`/`$VISUAL`/`$GIT_EDITOR` (e.g. `git commit`) in a VS Code tab. ---