feat(devcontainers): add initial dev containers configs #61
Conversation
![ai-coding-guardrails[bot]](https://avatars.githubusercontent.com/in/1202546?s=60&v=4){kind=small}
There was a problem hiding this comment.
I've got 3 comments for you to consider
Reviewed with 🤟 by Zenable
| "DEV_MODE": "true", | ||
| "PYTHONPATH": "/workspace/src" | ||
| }, | ||
| "remoteUser": "root" |
There was a problem hiding this comment.
Running as root user in development containers poses security risks. Consider creating and using a non-privileged user instead.
| "remoteUser": "root" | |
| "remoteUser": "vscode" |
| network_mode: host | ||
| # Add capabilities needed for debugging | ||
| cap_add: | ||
| - SYS_PTRACE | ||
| security_opt: | ||
| - seccomp:unconfined |
There was a problem hiding this comment.
Critical Security Risk: The combination of network_mode: host, SYS_PTRACE capability, and seccomp:unconfined creates significant security vulnerabilities by:
- Bypassing Docker's network isolation
- Allowing process tracing of host processes
- Disabling syscall filtering
For development containers, consider using port mapping instead of host networking and removing these privileged settings unless absolutely necessary for specific debugging scenarios.
| --cap-add SYS_PTRACE \ | ||
| --security-opt seccomp=unconfined \ |
There was a problem hiding this comment.
The combination of --cap-add SYS_PTRACE and --security-opt seccomp=unconfined significantly reduces container security by disabling security restrictions and allowing process tracing capabilities. Consider using more specific capabilities or security profiles if debugging features are needed, or document why these broad permissions are required for development.
Contributor Comments
This adds initial dev containers support, based on a talk from DevOps Days DC 2025 🚀
Pull Request Checklist
Thank you for submitting a contribution!
Please address the following items: