From 66136b26a526a0301d8bb3e61ba68435ca29f6f9 Mon Sep 17 00:00:00 2001 From: d4rm5 Date: Fri, 5 Sep 2025 15:30:59 -0300 Subject: [PATCH 1/8] (README): fixed descriptions --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 2bf60a8..355f0b8 100644 --- a/README.md +++ b/README.md @@ -26,16 +26,16 @@ You can also run prebuilt containers using GitHub Codespaces: We now offer multiple devcontainer configurations to suit different security and development needs: ### **Air-gapped** (`.devcontainer/airgapped/`) - High-security development with complete network isolation. Perfect for analyzing malicious smart contracts, handling sensitive private keys, or working with classified projects that require zero external connectivity. + Complete network isolation. -- **Focus**: Isolated workspace using tmpfs; secure defaults while keeping connectivity +- **Focus**: Isolated workspace using tmpfs without network. - **Includes**: Git, GitHub CLI; security tools available via Dockerfile - **Security**: Capability dropping, AppArmor, no-new-privileges, multiple tmpfs mounts; not read-only - **Network**: Uses bridge networking (no network isolation by default) - **Extensions**: None configured by default (because it fails with `network-none`) ### **Isolated** (`.devcontainer/isolated/`) -**Use case**: Execute untrusted code. Example: job interview. +**Use case**: Use an isolated workspace without copying your environment. - **Focus**: Security hardening with maintained network connectivity and security extensions - **Includes**: Security tools, Foundry, Hardhat, audit tools via Dockerfile 
@@ -70,7 +70,7 @@ We now offer multiple devcontainer configurations to suit different security and - **Extensions**: All the tools in the ETH Security Toolbox. ### **(EXPERIMENTAL) Paranoid** (`.devcontainer/paranoid/`) -**Use case**: Maximum security isolation with read-only filesystem and ephemeral workspace. Designed for the most security-conscious developers who need to analyze potentially malicious code or work with highly sensitive data. +**Use case**: Maximum security isolation with read-only filesystem and ephemeral workspace. - **Focus**: Strong isolation with read-only filesystem and ephemeral workspace - **Includes**: Git, GitHub CLI; minimal by default From 205684f0f1ff9e901d295c37a06e4c84310cf5f2 Mon Sep 17 00:00:00 2001 
From: d4rm5 Date: Fri, 5 Sep 2025 16:49:41 -0300 Subject: [PATCH 2/8] refactor: rename `isolated` devcontainer to `hardened` This commit renames the `isolated` devcontainer to `hardened` to more accurately reflect its purpose of providing a security-hardened environment rather than complete network or filesystem isolation. The following changes have been made: - Renamed the `.devcontainer/isolated` directory to `.devcontainer/hardened`. - Updated all references to the `isolated` container in `devcontainer.json` files, `README.md`, and `.github/workflows/main.yml` to use the new `hardened` name. - Standardized the terminology in comments and descriptions to use "hardening" instead of "isolation" where appropriate. - Added security warnings to the `README.md` to clarify the security implications of using devcontainers. This change improves the clarity of the project's documentation and configuration. --- .devcontainer/airgapped/devcontainer.json | 10 ++--- .devcontainer/auditor/devcontainer.json | 4 +- .../eth-security-toolbox/devcontainer.json | 8 ++-- .../{isolated => hardened}/Dockerfile | 0 .../{isolated => hardened}/devcontainer.json | 13 +++--- .devcontainer/legacy/devcontainer.json | 4 +- .devcontainer/minimal/devcontainer.json | 8 ++-- .devcontainer/paranoid/Dockerfile | 6 +-- .devcontainer/paranoid/devcontainer.json | 14 +++---- .github/workflows/main.yml | 18 ++++---- README.md | 42 ++++++++++++------- 11 files changed, 70 insertions(+), 57 deletions(-) rename .devcontainer/{isolated => hardened}/Dockerfile (100%) rename .devcontainer/{isolated => hardened}/devcontainer.json (93%) diff --git a/.devcontainer/airgapped/devcontainer.json b/.devcontainer/airgapped/devcontainer.json index e39cb6e..5607691 100644 --- a/.devcontainer/airgapped/devcontainer.json +++ b/.devcontainer/airgapped/devcontainer.json 
@@ -55,19 +55,19 @@ "postStartCommand": "echo 'πŸš€ Dev container is ready for Web3 development!'", - // Mount isolation configuration for security and development workflow + // Mount hardening configuration for security and development workflow // If you need to extract something from within the container, you can use docker cp, but use it at your own risk. // If you want to develop your devcontainer, you should comment this things, otherwise your changes inside the live container won't persist. - // Disables mounting the host workspace into the container for isolation. + // Disables mounting the host workspace into the container for hardening. "workspaceMount": "type=tmpfs,destination=/workspace,tmpfs-mode=1777", - // Sets a workspace path entirely isolated within the container + // Sets a hardened workspace "workspaceFolder": "/workspace", // Docker run arguments for security hardening and resource management "runArgs": [ // Temporary filesystem mounts with security restrictions - // These provide isolated, size-limited temporary storage + // These provide size-limited temporary storage "--tmpfs=/tmp:rw,noexec,nosuid,size=512m", // Main temporary directory "--tmpfs=/var/tmp:rw,noexec,nosuid,size=512m", // System temporary directory "--tmpfs=/dev/shm:rw,noexec,nosuid,size=64m", // Shared memory directory @@ -76,7 +76,7 @@ // This reduces the attack surface by removing unnecessary privileges "--cap-drop=ALL", - // Security options for container isolation + // Security options for container hardening // A few security additions (AppArmor & no new privileges) "--security-opt", "no-new-privileges", // Prevent privilege escalation "--security-opt", "apparmor:docker-default", // Use Docker's default AppArmor profile diff --git a/.devcontainer/auditor/devcontainer.json b/.devcontainer/auditor/devcontainer.json index 338c3a2..64571be 100644 --- a/.devcontainer/auditor/devcontainer.json +++ b/.devcontainer/auditor/devcontainer.json 
@@ -58,9 +58,9 @@ } }, - // Mount copying host folder into container, no isolation. + // Mount copying host folder into container, no hardening. "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=cached", - // Sets a workspace path entirely isolated within the container + // Sets a hardened workspace path "workspaceFolder": "/workspace", // Docker run arguments for security hardening and resource management diff --git a/.devcontainer/eth-security-toolbox/devcontainer.json b/.devcontainer/eth-security-toolbox/devcontainer.json index 7c8a970..65df438 100644 --- a/.devcontainer/eth-security-toolbox/devcontainer.json +++ b/.devcontainer/eth-security-toolbox/devcontainer.json @@ -36,9 +36,9 @@ } }, - // Mount copying host folder into container, no isolation. + // Mount copying host folder into container, no hardening. "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=cached", - // Sets a workspace path entirely isolated within the container + // Sets a workspace path entirely hardened within the container "workspaceFolder": "/workspace", // Docker run arguments for security hardening and resource management @@ -48,7 +48,7 @@ // "--read-only", // Temporary filesystem mounts with security restrictions - // These provide isolated, size-limited temporary storage + // These provide hardened, size-limited temporary storage "--tmpfs=/tmp:rw,noexec,nosuid,size=512m", // Main temporary directory "--tmpfs=/var/tmp:rw,noexec,nosuid,size=512m", // System temporary directory "--tmpfs=/dev/shm:rw,noexec,nosuid,size=64m", // Shared memory directory 
@@ -57,7 +57,7 @@ // This reduces the attack surface by removing unnecessary privileges "--cap-drop=ALL", - // Security options for container isolation + // Security options for container hardening // A few security additions (AppArmor & no new privileges) "--security-opt", "no-new-privileges", // Prevent privilege escalation "--security-opt", "apparmor:docker-default", // Use Docker's default AppArmor profile diff --git a/.devcontainer/isolated/Dockerfile b/.devcontainer/hardened/Dockerfile similarity index 100% rename from .devcontainer/isolated/Dockerfile rename to .devcontainer/hardened/Dockerfile diff --git a/.devcontainer/isolated/devcontainer.json b/.devcontainer/hardened/devcontainer.json similarity index 93% rename from .devcontainer/isolated/devcontainer.json rename to .devcontainer/hardened/devcontainer.json index 56a26c7..833be0a 100644 --- a/.devcontainer/isolated/devcontainer.json +++ b/.devcontainer/hardened/devcontainer.json @@ -3,7 +3,7 @@ // This is the HARDENED version of TRG's DevContainer - provides enhanced security // with capability dropping, security options, and resource limits while maintaining // network connectivity for development. - "name": "Isolated TRG's DevContainer", + "name": "Hardened TRG's DevContainer", // Build configuration - uses the local Dockerfile in this directory "build": { @@ -23,7 +23,7 @@ // Container environment variables "containerEnv": { "SHELL": "/bin/zsh", // Use zsh as the default shell - "DEVCONTAINER_ID_LABEL": "isolated-web3-devcontainer" // Label for container identification + "DEVCONTAINER_ID_LABEL": "hardened-web3-devcontainer" // Label for container identification }, // Configure tool-specific properties for VS Code 
@@ -65,19 +65,18 @@ "postStartCommand": "echo 'πŸš€ Dev container is ready for Web3 development!'", - // Mount isolation configuration for security and development workflow + // Mount hardening configuration for security and development workflow // If you need to extract something from within the container, you can use docker cp, but use it at your own risk. // If you want to develop your devcontainer, you should comment this things, otherwise your changes inside the live container won't persist. - // Disables mounting the host workspace into the container for isolation. + // Disables mounting the host workspace into the container for hardening. "workspaceMount": "type=tmpfs,destination=/workspace,tmpfs-mode=1777", - // Sets a workspace path entirely isolated within the container "workspaceFolder": "/workspace", // Docker run arguments for security hardening and resource management "runArgs": [ // Temporary filesystem mounts with security restrictions - // These provide isolated, size-limited temporary storage + // These provide hardened, size-limited temporary storage "--tmpfs=/tmp:rw,noexec,nosuid,size=512m", // Main temporary directory "--tmpfs=/var/tmp:rw,noexec,nosuid,size=512m", // System temporary directory "--tmpfs=/dev/shm:rw,noexec,nosuid,size=64m", // Shared memory directory @@ -86,7 +85,7 @@ // This reduces the attack surface by removing unnecessary privileges "--cap-drop=ALL", - // Security options for container isolation + // Security options for container hardening // A few security additions (AppArmor & no new privileges) "--security-opt", "no-new-privileges", // Prevent privilege escalation "--security-opt", "apparmor:docker-default", // Use Docker's default AppArmor profile diff --git a/.devcontainer/legacy/devcontainer.json b/.devcontainer/legacy/devcontainer.json index bece536..4dd064d 100644 --- a/.devcontainer/legacy/devcontainer.json +++ b/.devcontainer/legacy/devcontainer.json 
@@ -21,10 +21,10 @@ // } }, - // Mount isolation. If you need to extract something from within the container, you can use docker cp, but use it at your own risk. If you want to develop your devcontainer, you should comment this things, otherwise your changes inside the live container won't persist. + // Mount hardening. If you need to extract something from within the container, you can use docker cp, but use it at your own risk. If you want to develop your devcontainer, you should comment this things, otherwise your changes inside the live container won't persist. // Disables mounting the host workspace into the container. "workspaceMount": "type=tmpfs,destination=/workspace", - // Sets a workspace path entirely isolated within the container + // Sets a workspace path entirely hardened within the container "workspaceFolder": "/home/vscode/quests", "runArgs": [ // Read only filesystem except for explicitly writable volumes (check mounts) diff --git a/.devcontainer/minimal/devcontainer.json b/.devcontainer/minimal/devcontainer.json index 156be46..e296490 100644 --- a/.devcontainer/minimal/devcontainer.json +++ b/.devcontainer/minimal/devcontainer.json @@ -1,6 +1,6 @@ { // For format details, see https://aka.ms/devcontainer.json. - // This is the MINIMAL version of TRG's DevContainer - provides essential security isolation + // This is the MINIMAL version of TRG's DevContainer - provides essential security hardening // with a balanced approach between security and usability for Web3 development. "name": "Minimal TRG's DevContainer", @@ -25,7 +25,7 @@ // } }, - // Mount copying host folder into container, no isolation. + // Mount copying host folder into container, no hardening. "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=cached", "workspaceFolder": "/workspace", 
@@ -36,7 +36,7 @@ // "--read-only", // Temporary filesystem mounts with security restrictions - // These provide isolated, size-limited temporary storage + // These provide hardened, size-limited temporary storage "--tmpfs=/tmp:rw,noexec,nosuid,size=512m", // Main temporary directory "--tmpfs=/var/tmp:rw,noexec,nosuid,size=512m", // System temporary directory "--tmpfs=/dev/shm:rw,noexec,nosuid,size=64m", // Shared memory directory @@ -45,7 +45,7 @@ // This reduces the attack surface by removing unnecessary privileges "--cap-drop=ALL", - // Security options for container isolation + // Security options for container hardening // A few security additions (AppArmor & no new privileges) "--security-opt", "no-new-privileges", // Prevent privilege escalation "--security-opt", "apparmor:docker-default", // Use Docker's default AppArmor profile diff --git a/.devcontainer/paranoid/Dockerfile b/.devcontainer/paranoid/Dockerfile index cdf4868..622d929 100644 --- a/.devcontainer/paranoid/Dockerfile +++ b/.devcontainer/paranoid/Dockerfile @@ -1,9 +1,9 @@ # syntax=docker/dockerfile:1.8 # check=error=true # -# ISOLATED TRG DevContainer Dockerfile -# This Dockerfile creates a highly isolated development environment for Web3 security research -# with maximum security isolation, read-only filesystem, and network isolation. +# PARANOID TRG DevContainer Dockerfile +# This Dockerfile creates a highly paranoid development environment for Web3 security research +# with maximum security hardening, read-only filesystem, and network hardening. # # Key security features: # - Non-root user execution diff --git a/.devcontainer/paranoid/devcontainer.json b/.devcontainer/paranoid/devcontainer.json index 2438d74..f7ffc4a 100644 --- a/.devcontainer/paranoid/devcontainer.json +++ b/.devcontainer/paranoid/devcontainer.json 
@@ -1,7 +1,7 @@ { // For format details, see https://aka.ms/devcontainer.json. - // This is the ISOLATED version of TRG's DevContainer - provides maximum security isolation - // with a read-only filesystem and network isolation for high-security Web3 development. + // This is the hardened version of TRG's DevContainer - provides maximum security hardening + // with a read-only filesystem and network hardening for high-security Web3 development. "name": "(EXPERIMENTAL) Paranoid TRG's DevContainer", // Build configuration - uses the local Dockerfile in this directory @@ -52,16 +52,16 @@ }, // Commands to run during container lifecycle - "initializeCommand": "echo 'Initializing isolated dev container...'", + "initializeCommand": "echo 'Initializing hardened dev container...'", "postStartCommand": "echo 'πŸš€ Dev container is ready for Web3 development!'", - // Workspace configuration - isolated within container + // Workspace configuration - hardened within container "workspaceFolder": "/workspace", - // Mount workspace as tmpfs for complete isolation - no host file access. + // Mount workspace as tmpfs for complete hardening - no host file access. // This ensures that the workspace is ephemeral and does not persist data. "workspaceMount": "type=tmpfs,destination=/workspace,tmpfs-mode=1777", - // Docker run arguments for security and isolation + // Docker run arguments for security and hardening "runArgs": [ // Security hardening - drop all Linux capabilities to reduce attack surface "--cap-drop=ALL", @@ -69,7 +69,7 @@ // Read-only filesystem for maximum security, preventing any persistent changes "--read-only", - // Security options for container isolation + // Security options for container hardening "--security-opt", "no-new-privileges:true", // Prevent privilege escalation from within the container "--security-opt", diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index c17b1bf..3e99333 100644 --- a/.github/workflows/main.yml 
+++ b/.github/workflows/main.yml @@ -21,7 +21,7 @@ jobs: subFolder: - .devcontainer/auditor - .devcontainer/minimal - - .devcontainer/isolated + - .devcontainer/hardened - .devcontainer/airgapped - .devcontainer/eth-security-toolbox steps: @@ -100,7 +100,7 @@ jobs: push: never - name: Test Auditor Tools - if: success() && steps.check.outputs.exists == 'true' && steps.changed.outputs.changed == 'true' && contains(fromJSON('[".devcontainer/auditor", ".devcontainer/isolated", ".devcontainer/airgapped"]'), matrix.subFolder) + if: success() && steps.check.outputs.exists == 'true' && steps.changed.outputs.changed == 'true' && contains(fromJSON('[".devcontainer/auditor", ".devcontainer/hardened", ".devcontainer/airgapped"]'), matrix.subFolder) uses: devcontainers/ci@v0.3 with: subFolder: ${{ matrix.subFolder }} @@ -114,8 +114,8 @@ jobs: echo "βœ… Auditor tools verification completed" push: never - - name: Test Filesystem Isolation - if: success() && steps.check.outputs.exists == 'true' && steps.changed.outputs.changed == 'true' && matrix.subFolder == '.devcontainer/isolated' + - name: Test Filesystem Hardening + if: success() && steps.check.outputs.exists == 'true' && steps.changed.outputs.changed == 'true' && matrix.subFolder == '.devcontainer/hardened' uses: devcontainers/ci@v0.3 with: subFolder: ${{ matrix.subFolder }} @@ -134,10 +134,10 @@ jobs: else echo "βœ… /workspace does not exist inside the container (no host mount)" fi - echo "βœ… /workspace isolation verification completed" + echo "βœ… /workspace Hardening verification completed" push: never - - name: Test Network Isolation + - name: Test Network Hardening if: success() && steps.check.outputs.exists == 'true' && steps.changed.outputs.changed == 'true' && matrix.subFolder == '.devcontainer/airgapped' uses: devcontainers/ci@v0.3 with: 
@@ -145,9 +145,9 @@ jobs: configFile: ${{ matrix.subFolder }}/devcontainer.json runCmd: | - echo "πŸ§ͺ Testing Network Isolation..." - if (curl -sS https://www.google.com); then echo "❌ Network is not isolated"; exit 1; else echo "βœ… Network is isolated"; fi - echo "βœ… Network isolation verification completed" + echo "πŸ§ͺ Testing Network Hardening..." + if (curl -sS https://www.google.com); then echo "❌ Network is not hardened"; exit 1; else echo "βœ… Network is hardened"; fi + echo "βœ… Network Hardening verification completed" push: never diff --git a/README.md b/README.md index 355f0b8..b024209 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,20 @@ install the most popular tools, so they can all work seamlessly, and at the same by default. If you want to know more and really want to take advantage of these devcontainers, read below. +> [!IMPORTANT] +> Dev Containers can improve your workflow, but they are **not a fully secure environment**. +> If you need to run untrusted or suspicious code, use [GitHub Codespaces](https://github.com/codespaces/new?hide_repo_select=true&ref=main&template_repository=theredguild/devcontainer), GitPod, or a similar remote setup β€” **never run it directly on your machine**. + + +> [!CAUTION] +> **VS Code considerations:** +> +> VS Code does a lot to improve user experience, but that comes with security tradeoffs. For example, by default, VS Code allows API calls to open new terminals, even bypassing the host machine: +> ```bash +> code --command workbench.action.terminal.newLocal +> ``` +> We're working on an article covering all the tricks VS Code uses β€” stay tuned. + ## Quickstart with Devcontainer Wizard You can use any prebuilt container using our [Devcontainer Wizard](https://github.com/theredguild/devcontainer-wizard): 
@@ -26,20 +40,20 @@ You can also run prebuilt containers using GitHub Codespaces: We now offer multiple devcontainer configurations to suit different security and development needs: ### **Air-gapped** (`.devcontainer/airgapped/`) - Complete network isolation. + Complete network hardening. -- **Focus**: Isolated workspace using tmpfs without network. +- **Focus**: Hardened workspace using tmpfs without network. - **Includes**: Git, GitHub CLI; security tools available via Dockerfile - **Security**: Capability dropping, AppArmor, no-new-privileges, multiple tmpfs mounts; not read-only - **Network**: Uses bridge networking (no network isolation by default) - **Extensions**: None configured by default (because it fails with `network-none`) -### **Isolated** (`.devcontainer/isolated/`) -**Use case**: Use an isolated workspace without copying your environment. +### **Hardened** (`.devcontainer/hardened/`) +**Use case**: Use an hardened workspace without copying your environment. - **Focus**: Security hardening with maintained network connectivity and security extensions - **Includes**: Security tools, Foundry, Hardhat, audit tools via Dockerfile -- **Security**: Capability dropping, AppArmor, no-new-privileges, tmpfs workspace isolation +- **Security**: Capability dropping, AppArmor, no-new-privileges, tmpfs workspace hardening - **Network**: Uses bridge networking (no network isolation by default) - **Extensions**: Comprehensive security extensions (Ethereum Security Bundle, Trail of Bits tools) 
@@ -48,7 +62,7 @@ We now offer multiple devcontainer configurations to suit different security and - **Focus**: Specialized audit tooling with Docker-in-Docker support - **Includes**: Slither, Mythril, Crytic-compile, Foundry, Hardhat, Echidna -- **Workspace**: Host workspace bind-mounted into `/workspace` (no isolation) +- **Workspace**: Host workspace bind-mounted into `/workspace` - **Features**: Docker-in-Docker, specialized audit extensions, focused toolchain - **Extensions**: Solidity visual auditor, metrics, audit tools, GitLens @@ -58,7 +72,7 @@ We now offer multiple devcontainer configurations to suit different security and - **Focus**: Core tools only, streamlined development environment - **Includes**: Foundry, Hardhat, basic Solidity support, essential Python tools - **Security**: Basic hardening, capability dropping, IPv6 disabled -- **Workspace**: Host workspace bind-mounted into `/workspace` (no isolation) +- **Workspace**: Host workspace bind-mounted into `/workspace` - **Extensions**: Core development extensions only ### **ETH Security Toolbox** (`.devcontainer/eth-security-toolbox/`) 
@@ -66,16 +80,16 @@ We now offer multiple devcontainer configurations to suit different security and - **Focus**: All the tools in the ETH Security Toolbox. - **Includes**: All the tools in the ETH Security Toolbox. -- **Workspace**: Host workspace bind-mounted into `/workspace` (no isolation) +- **Workspace**: Host workspace bind-mounted into `/workspace` (no hardening) - **Extensions**: All the tools in the ETH Security Toolbox. ### **(EXPERIMENTAL) Paranoid** (`.devcontainer/paranoid/`) -**Use case**: Maximum security isolation with read-only filesystem and ephemeral workspace. +**Use case**: Maximum security hardening with read-only filesystem and ephemeral workspace. -- **Focus**: Strong isolation with read-only filesystem and ephemeral workspace +- **Focus**: Strong hardening with read-only filesystem and ephemeral workspace - **Includes**: Git, GitHub CLI; minimal by default - **Security**: Read-only filesystem, capability dropping, extensive tmpfs mounts for VS Code and caches -- **Network**: No explicit network isolation by default (can be enabled via `--network=none`) +- **Network**: No explicit network hardening by default (can be enabled via `--network=none`) - **Extensions**: None configured by default ### **Legacy** (`.devcontainer/legacy/`) @@ -83,8 +97,8 @@ We now offer multiple devcontainer configurations to suit different security and - **Focus**: Full-featured development environment with comprehensive security tools - **Includes**: Complete tool suite, all security tools, fuzzing tools, analysis tools -- **Security**: Comprehensive hardening; workspace isolated via tmpfs -- **Workspace**: Isolated workspace (tmpfs mount, not host-bound) +- **Security**: Comprehensive hardening; workspace hardened via tmpfs +- **Workspace**: Hardened workspace (tmpfs mount, not host-bound) - **Extensions**: Full extension suite, all security and development tools ## Project Structure 
@@ -93,7 +107,7 @@ The project supports multiple devcontainer configurations for different use case ``` .devcontainer/ -β”œβ”€β”€ isolated/ # Maximum security isolation +β”œβ”€β”€ hardened/ # Hardened β”œβ”€β”€ airgapped/ # Enhanced security with flexibility β”œβ”€β”€ auditor/ # Specialized audit environment β”œβ”€β”€ minimal/ # Essential tools only From ea85ff55c0393e73ad0bd59ed5a0eff91037a2a0 Mon Sep 17 00:00:00 2001 From: d4rm5 Date: Fri, 5 Sep 2025 17:08:28 -0300 Subject: [PATCH 3/8] (devcontainer): added a Codespaces edition for Auditor flavor --- .devcontainer/auditor-codespaces/Dockerfile | 143 ++++++++++++++++++ .../auditor-codespaces/devcontainer.json | 70 +++++++++ 2 files changed, 213 insertions(+) create mode 100644 .devcontainer/auditor-codespaces/Dockerfile create mode 100644 .devcontainer/auditor-codespaces/devcontainer.json diff --git a/.devcontainer/auditor-codespaces/Dockerfile b/.devcontainer/auditor-codespaces/Dockerfile new file mode 100644 index 0000000..f7c865b --- /dev/null +++ b/.devcontainer/auditor-codespaces/Dockerfile 
@@ -0,0 +1,143 @@ +# syntax=docker/dockerfile:1.10.0 +# check=error=true +# +# AUDITOR TRG DevContainer Dockerfile +# This Dockerfile creates a specialized development environment for smart contract auditing +# with focused tooling, Docker-in-Docker support, and comprehensive security analysis tools. +# +# Key features: +# - Multi-stage build for Echidna binary +# - Specialized audit tools (slither, mythril, crytic-compile) +# - Foundry framework for testing and interaction +# - Hardhat for development workflows +# - Docker-in-Docker support for containerized tools + +# Pull latest Echidna prebuilt image from Crytic +# Echidna is a fuzzing tool for Ethereum smart contracts +FROM --platform=linux/amd64 ghcr.io/crytic/echidna/echidna AS echidna + +# Base image: Debian 12 (Bookworm) with VS Code DevContainer support +# This provides a stable, development-focused base for auditing work +FROM mcr.microsoft.com/vscode/devcontainers/base:bookworm + +# Switch to root user temporarily for system package installation +USER root + +# Install essential system packages for development +# These are the minimal packages needed for Web3 development tools +RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ + bash-completion # Shell completion support \ + build-essential # Compilation tools (gcc, make, etc.) 
\ + curl # HTTP client for downloading tools \ + git # Version control system \ + jq # JSON processor for tool outputs \ + pkg-config # Package configuration helper \ + sudo # Privilege escalation (needed for some tools) \ + unzip # Archive extraction \ + vim # Text editor \ + wget # Alternative HTTP client \ + zsh # Advanced shell \ + && rm -rf /var/lib/apt/lists/* + + + +# Install Python development dependencies +# Required for Python-based security tools and package management +RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ + python3-pip # Python package installer \ + libpython3-dev # Python development headers \ + python3-dev # Python development tools \ + python3-venv # Python virtual environment support \ + && rm -rf /var/lib/apt/lists/* + +# Switch to vscode user for security (drop privileges) +# This ensures all subsequent operations run as non-root user +USER vscode +WORKDIR /home/vscode +ENV HOME=/home/vscode + +# Install uv +RUN curl -LsSf https://astral.sh/uv/install.sh | sh + +# Update PATH environment for tool access +# Configure paths for Python, Node.js, and other tools +ENV UV_LOCAL_BIN=$HOME/.cargo/bin +ENV USR_LOCAL_BIN=/usr/local/bin +ENV LOCAL_BIN=${HOME}/.local/bin +ENV PNPM_HOME=${HOME}/.local/share/pnpm +ENV PATH=${PATH}:${USR_LOCAL_BIN}:${LOCAL_BIN}:${PNPM_HOME}:${UV_LOCAL_BIN} + +# Install Python 3.12 with uv +RUN uv python install 3.12 + +# Set the default shell to zsh for better development experience +ENV SHELL=/usr/bin/zsh + +# Running everything under zsh for consistency and features +SHELL ["/usr/bin/zsh", "-ic"] + +# Install Go programming language through asdf version manager +# asdf provides consistent version management across different tools +# Go is required for various Web3 tools and Foundry framework +RUN git clone https://github.com/asdf-vm/asdf.git $HOME/.asdf --branch v0.15.0 && \ + echo '. 
$HOME/.asdf/asdf.sh' >> $HOME/.zshrc && \ + echo 'fpath=(${ASDF_DIR}/completions $fpath)' >> $HOME/.zshrc && \ + echo 'autoload -Uz compinit && compinit' >> $HOME/.zshrc && \ + . $HOME/.asdf/asdf.sh && \ + asdf plugin add golang && \ + asdf install golang latest && \ + asdf global golang latest + +# Install Rust programming language +# Required for various Web3 security tools and Foundry framework +RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y && source $HOME/.cargo/env + +# Switch to root user temporarily for Node.js installation +USER root + +# Install Node.js, npm, yarn, and pnpm through devcontainer features +# These are essential for JavaScript/TypeScript Web3 development and Hardhat +RUN curl -o- https://raw.githubusercontent.com/devcontainers/features/main/src/node/install.sh | bash +RUN chown -R vscode:vscode ${HOME}/.npm + +# Switch back to vscode user for security +USER vscode + +# Install Foundry framework for Ethereum development and testing +# Foundry provides Forge (testing), Cast (interaction), and Anvil (local blockchain) +# Essential for smart contract development and testing during audits +RUN curl -L https://foundry.paradigm.xyz | zsh +RUN foundryup + +# Install Python-based security analysis tools for auditing +# These tools provide comprehensive smart contract security analysis +# Focused on core auditing tools: slither, mythril, crytic-compile +RUN uv tool install slither-analyzer && \ + uv tool install mythril && \ + uv tool install crytic-compile + +# Install Hardhat and Solhint for Ethereum development +# Hardhat is a popular development environment, Solhint provides linting +RUN pnpm install -g hardhat solhint + +# Copy prebuilt Echidna binary from echidna stage to final image +# This provides the prebuilt Echidna tool without rebuilding +COPY --chown=vscode:vscode --from=echidna /usr/local/bin/echidna ${HOME}/.local/bin/echidna +RUN chmod 755 ${HOME}/.local/bin/echidna + +# Switch to non-root user for final 
setup +USER vscode + +# Set up user environment with Foundry path +# Ensure Foundry tools are available in the user's shell +RUN echo 'export PATH="/usr/local/foundry/bin:$PATH"' >> /home/vscode/.zshrc + +# Switch to root for system cleanup +USER root + +# Clean up package cache and temporary files +# This reduces image size and improves security +RUN apt-get autoremove -y && apt-get clean -y + +# Final switch to vscode user for development +USER vscode \ No newline at end of file diff --git a/.devcontainer/auditor-codespaces/devcontainer.json b/.devcontainer/auditor-codespaces/devcontainer.json new file mode 100644 index 0000000..0cbc5f7 --- /dev/null +++ b/.devcontainer/auditor-codespaces/devcontainer.json 
@@ -0,0 +1,70 @@ +{ + // For format details, see https://aka.ms/devcontainer.json. + // This is the AUDITOR version of TRG's DevContainer - specialized for smart contract auditing + // with Docker-in-Docker support, specialized audit extensions, and focused tooling for + // comprehensive security analysis and code review. + "name": "Auditor for Codespaces TRG's DevContainer", + + // Build configuration - uses the local Dockerfile in this directory + "build": { + "dockerfile": "./Dockerfile" + }, + + // Features to add to the dev container. More info: https://containers.dev/features. + // Specialized features for auditing and development workflows + "features": { + "ghcr.io/devcontainers/features/git:1": {}, // Git version control support + "ghcr.io/devcontainers/features/github-cli:1": {}, // GitHub CLI for repository management + "ghcr.io/devcontainers/features/docker-in-docker:2.12.2": { // Docker-in-Docker for containerized tools + "version": "latest", // Use latest stable version + "enableNonRootDocker": "true" // Enable non-root Docker for security + } + }, + + // Configure tool-specific properties for VS Code + "customizations": { + "vscode": { + // Specialized extensions for smart contract auditing and development + "extensions": [ + // check out https://marketplace.visualstudio.com/items?itemName=tintinweb.ethereum-security-bundle for more information + "tintinweb.ethereum-security-bundle", // includes what is listed above ^ + "tintinweb.vscode-ethover", + "trailofbits.weaudit", + "tintinweb.vscode-inline-bookmarks", + "tintinweb.vscode-solidity-language", + "tintinweb.graphviz-interactive-preview", + "NomicFoundation.hardhat-solidity", + "Olympixai.olympix", + "trailofbits.contract-explorer", + "tintinweb.chonky" // Chonky Agent + ], + // VS Code settings optimized for auditing workflows + "settings": { + // Security settings - killswitch for automated tasks + "task.autoDetect": "off", // Disable automatic task detection + 
"task.problemMatchers.autoDetect": "off", // Disable automatic problem matchers + + // Trust and security configuration + "security.workspace.trust.enabled": false, // Trust no one by default + + // Privacy settings - killswitch for telemetry + "telemetry.telemetryLevel": "off", // Disable all telemetry collection + + // Terminal configuration + "terminal.integrated.defaultProfile.linux": "zsh", // Use zsh by default + "terminal.integrated.profiles.linux": { "zsh": { "path": "/usr/bin/zsh" } } + // Using bash might be more safe and stable, but zsh provides better features + }, + } + }, + + // Mount copying host folder into container, no hardening. + "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=cached", + // Sets a hardened workspace path + "workspaceFolder": "/workspace", + + // Writable mounts in case you want to set --read-only above. + // Currently no additional mounts are configured + "mounts": [ + ] +} \ No newline at end of file From 5e20b59143bbbbe05544d623fde95703def56f90 Mon Sep 17 00:00:00 2001 From: d4rm5 Date: Fri, 5 Sep 2025 17:19:30 -0300 Subject: [PATCH 4/8] (codespaces): updated codespaces flavor --- .devcontainer/auditor-codespaces/Dockerfile | 143 ------------------ .../auditor-codespaces/devcontainer.json | 70 --------- .devcontainer/codespaces/devcontainer.json | 41 +++++ .devcontainer/codespaces/motd | 29 ++++ 4 files changed, 70 insertions(+), 213 deletions(-) delete mode 100644 .devcontainer/auditor-codespaces/Dockerfile delete mode 100644 .devcontainer/auditor-codespaces/devcontainer.json create mode 100644 .devcontainer/codespaces/devcontainer.json create mode 100644 .devcontainer/codespaces/motd diff --git a/.devcontainer/auditor-codespaces/Dockerfile b/.devcontainer/auditor-codespaces/Dockerfile deleted file mode 100644 index f7c865b..0000000 --- a/.devcontainer/auditor-codespaces/Dockerfile +++ /dev/null 
@@ -1,143 +0,0 @@ -# syntax=docker/dockerfile:1.10.0 -# check=error=true -# -# AUDITOR TRG DevContainer Dockerfile -# This Dockerfile creates a specialized development environment for smart contract auditing -# with focused tooling, Docker-in-Docker support, and comprehensive security analysis tools. -# -# Key features: -# - Multi-stage build for Echidna binary -# - Specialized audit tools (slither, mythril, crytic-compile) -# - Foundry framework for testing and interaction -# - Hardhat for development workflows -# - Docker-in-Docker support for containerized tools - -# Pull latest Echidna prebuilt image from Crytic -# Echidna is a fuzzing tool for Ethereum smart contracts -FROM --platform=linux/amd64 ghcr.io/crytic/echidna/echidna AS echidna - -# Base image: Debian 12 (Bookworm) with VS Code DevContainer support -# This provides a stable, development-focused base for auditing work -FROM mcr.microsoft.com/vscode/devcontainers/base:bookworm - -# Switch to root user temporarily for system package installation -USER root - -# Install essential system packages for development -# These are the minimal packages needed for Web3 development tools -RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ - bash-completion # Shell completion support \ - build-essential # Compilation tools (gcc, make, etc.) 
\ - curl # HTTP client for downloading tools \ - git # Version control system \ - jq # JSON processor for tool outputs \ - pkg-config # Package configuration helper \ - sudo # Privilege escalation (needed for some tools) \ - unzip # Archive extraction \ - vim # Text editor \ - wget # Alternative HTTP client \ - zsh # Advanced shell \ - && rm -rf /var/lib/apt/lists/* - - - -# Install Python development dependencies -# Required for Python-based security tools and package management -RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ - python3-pip # Python package installer \ - libpython3-dev # Python development headers \ - python3-dev # Python development tools \ - python3-venv # Python virtual environment support \ - && rm -rf /var/lib/apt/lists/* - -# Switch to vscode user for security (drop privileges) -# This ensures all subsequent operations run as non-root user -USER vscode -WORKDIR /home/vscode -ENV HOME=/home/vscode - -# Install uv -RUN curl -LsSf https://astral.sh/uv/install.sh | sh - -# Update PATH environment for tool access -# Configure paths for Python, Node.js, and other tools -ENV UV_LOCAL_BIN=$HOME/.cargo/bin -ENV USR_LOCAL_BIN=/usr/local/bin -ENV LOCAL_BIN=${HOME}/.local/bin -ENV PNPM_HOME=${HOME}/.local/share/pnpm -ENV PATH=${PATH}:${USR_LOCAL_BIN}:${LOCAL_BIN}:${PNPM_HOME}:${UV_LOCAL_BIN} - -# Install Python 3.12 with uv -RUN uv python install 3.12 - -# Set the default shell to zsh for better development experience -ENV SHELL=/usr/bin/zsh - -# Running everything under zsh for consistency and features -SHELL ["/usr/bin/zsh", "-ic"] - -# Install Go programming language through asdf version manager -# asdf provides consistent version management across different tools -# Go is required for various Web3 tools and Foundry framework -RUN git clone https://github.com/asdf-vm/asdf.git $HOME/.asdf --branch v0.15.0 && \ - echo '. 
$HOME/.asdf/asdf.sh' >> $HOME/.zshrc && \ - echo 'fpath=(${ASDF_DIR}/completions $fpath)' >> $HOME/.zshrc && \ - echo 'autoload -Uz compinit && compinit' >> $HOME/.zshrc && \ - . $HOME/.asdf/asdf.sh && \ - asdf plugin add golang && \ - asdf install golang latest && \ - asdf global golang latest - -# Install Rust programming language -# Required for various Web3 security tools and Foundry framework -RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y && source $HOME/.cargo/env - -# Switch to root user temporarily for Node.js installation -USER root - -# Install Node.js, npm, yarn, and pnpm through devcontainer features -# These are essential for JavaScript/TypeScript Web3 development and Hardhat -RUN curl -o- https://raw.githubusercontent.com/devcontainers/features/main/src/node/install.sh | bash -RUN chown -R vscode:vscode ${HOME}/.npm - -# Switch back to vscode user for security -USER vscode - -# Install Foundry framework for Ethereum development and testing -# Foundry provides Forge (testing), Cast (interaction), and Anvil (local blockchain) -# Essential for smart contract development and testing during audits -RUN curl -L https://foundry.paradigm.xyz | zsh -RUN foundryup - -# Install Python-based security analysis tools for auditing -# These tools provide comprehensive smart contract security analysis -# Focused on core auditing tools: slither, mythril, crytic-compile -RUN uv tool install slither-analyzer && \ - uv tool install mythril && \ - uv tool install crytic-compile - -# Install Hardhat and Solhint for Ethereum development -# Hardhat is a popular development environment, Solhint provides linting -RUN pnpm install -g hardhat solhint - -# Copy prebuilt Echidna binary from echidna stage to final image -# This provides the prebuilt Echidna tool without rebuilding -COPY --chown=vscode:vscode --from=echidna /usr/local/bin/echidna ${HOME}/.local/bin/echidna -RUN chmod 755 ${HOME}/.local/bin/echidna - -# Switch to non-root user for final 
setup -USER vscode - -# Set up user environment with Foundry path -# Ensure Foundry tools are available in the user's shell -RUN echo 'export PATH="/usr/local/foundry/bin:$PATH"' >> /home/vscode/.zshrc - -# Switch to root for system cleanup -USER root - -# Clean up package cache and temporary files -# This reduces image size and improves security -RUN apt-get autoremove -y && apt-get clean -y - -# Final switch to vscode user for development -USER vscode \ No newline at end of file diff --git a/.devcontainer/auditor-codespaces/devcontainer.json b/.devcontainer/auditor-codespaces/devcontainer.json deleted file mode 100644 index 0cbc5f7..0000000 --- a/.devcontainer/auditor-codespaces/devcontainer.json +++ /dev/null 
@@ -1,70 +0,0 @@ -{ - // For format details, see https://aka.ms/devcontainer.json. - // This is the AUDITOR version of TRG's DevContainer - specialized for smart contract auditing - // with Docker-in-Docker support, specialized audit extensions, and focused tooling for - // comprehensive security analysis and code review. - "name": "Auditor for Codespaces TRG's DevContainer", - - // Build configuration - uses the local Dockerfile in this directory - "build": { - "dockerfile": "./Dockerfile" - }, - - // Features to add to the dev container. More info: https://containers.dev/features. - // Specialized features for auditing and development workflows - "features": { - "ghcr.io/devcontainers/features/git:1": {}, // Git version control support - "ghcr.io/devcontainers/features/github-cli:1": {}, // GitHub CLI for repository management - "ghcr.io/devcontainers/features/docker-in-docker:2.12.2": { // Docker-in-Docker for containerized tools - "version": "latest", // Use latest stable version - "enableNonRootDocker": "true" // Enable non-root Docker for security - } - }, - - // Configure tool-specific properties for VS Code - "customizations": { - "vscode": { - // Specialized extensions for smart contract auditing and development - "extensions": [ - // check out https://marketplace.visualstudio.com/items?itemName=tintinweb.ethereum-security-bundle for more information - "tintinweb.ethereum-security-bundle", // includes what is listed above ^ - "tintinweb.vscode-ethover", - "trailofbits.weaudit", - "tintinweb.vscode-inline-bookmarks", - "tintinweb.vscode-solidity-language", - "tintinweb.graphviz-interactive-preview", - "NomicFoundation.hardhat-solidity", - "Olympixai.olympix", - "trailofbits.contract-explorer", - "tintinweb.chonky" // Chonky Agent - ], - // VS Code settings optimized for auditing workflows - "settings": { - // Security settings - killswitch for automated tasks - "task.autoDetect": "off", // Disable automatic task detection - 
"task.problemMatchers.autoDetect": "off", // Disable automatic problem matchers - - // Trust and security configuration - "security.workspace.trust.enabled": false, // Trust no one by default - - // Privacy settings - killswitch for telemetry - "telemetry.telemetryLevel": "off", // Disable all telemetry collection - - // Terminal configuration - "terminal.integrated.defaultProfile.linux": "zsh", // Use zsh by default - "terminal.integrated.profiles.linux": { "zsh": { "path": "/usr/bin/zsh" } } - // Using bash might be more safe and stable, but zsh provides better features - }, - } - }, - - // Mount copying host folder into container, no hardening. - "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=cached", - // Sets a hardened workspace path - "workspaceFolder": "/workspace", - - // Writable mounts in case you want to set --read-only above. - // Currently no additional mounts are configured - "mounts": [ - ] -} \ No newline at end of file diff --git a/.devcontainer/codespaces/devcontainer.json b/.devcontainer/codespaces/devcontainer.json new file mode 100644 index 0000000..d007e38 --- /dev/null +++ b/.devcontainer/codespaces/devcontainer.json 
@@ -0,0 +1,41 @@ +{ + // For format details, see https://aka.ms/devcontainer.json. + // This is a Dev Container for Github Codespaces based on eth-security-toolbox image created by Trail of Bits + // check https://github.com/trailofbits/eth-security-toolbox for more information. + "name": "codespaces", + + // Build configuration - uses the eth-security-toolbox image + "image": "ghcr.io/trailofbits/eth-security-toolbox:nightly", + // Configure tool-specific properties for VS Code + "customizations": { + "vscode": { + // Specialized extensions for smart contract auditing and development + "extensions": [ + // check out https://marketplace.visualstudio.com/items?itemName=tintinweb.ethereum-security-bundle for more information + "tintinweb.ethereum-security-bundle", // includes what is listed above ^ + "tintinweb.vscode-ethover", + "trailofbits.weaudit", + "trailofbits.contract-explorer", + "trailofbits.sarif-explorer" + ], + // VS Code settings optimized for auditing workflows + "settings": { + // Security settings - killswitch for automated tasks + "task.autoDetect": "off", // Disable automatic task detection + "task.problemMatchers.autoDetect": "off", // Disable automatic problem matchers + + // Trust and security configuration + "security.workspace.trust.enabled": false, // Trust no one by default + + // Privacy settings - killswitch for telemetry + "telemetry.telemetryLevel": "off", // Disable all telemetry collection + + // Terminal configuration + "terminal.integrated.defaultProfile.linux": "bash" + } + } + }, + + // Sets a workspace path entirely hardened within the container + "workspaceFolder": "/workspace" +} \ No newline at end of file diff --git a/.devcontainer/codespaces/motd b/.devcontainer/codespaces/motd new file mode 100644 index 0000000..f499599 --- /dev/null +++ b/.devcontainer/codespaces/motd 
@@ -0,0 +1,29 @@ + +β”Œβ”€β”€ β”Œβ”€β”€β” ──┬── +β”œβ”€ └──┐ β”‚ +└──THEREUM─┴──┴ECURITY─┴OOLBOX + +https://github.com/trailofbits/eth-security-toolbox + +by ################ + ##########TRAIL# + #### + #### ########### + #### ########### + \### #### #### + /\\# of #### #### + / \ ############ + \__/ #### #### + \### #### + /\\######### + /__\\##BITS# + +Security Tools and Resources Installed: + +https://github.com/crytic/echidna +https://github.com/crytic/medusa +https://github.com/crytic/slither +https://github.com/crytic/building-secure-contracts + +Use `solc-select` to switch between different versions of `solc` + From e983407437a458b284d9a33de4f69f476f976702 Mon Sep 17 00:00:00 2001 From: d4rm5 Date: Fri, 5 Sep 2025 17:25:51 -0300 Subject: [PATCH 5/8] (codespaces): updated codespaces flavor --- .devcontainer/codespaces/devcontainer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.devcontainer/codespaces/devcontainer.json b/.devcontainer/codespaces/devcontainer.json index d007e38..b72269d 100644 --- a/.devcontainer/codespaces/devcontainer.json +++ b/.devcontainer/codespaces/devcontainer.json @@ -2,7 +2,7 @@ // For format details, see https://aka.ms/devcontainer.json. // This is a Dev Container for Github Codespaces based on eth-security-toolbox image created by Trail of Bits // check https://github.com/trailofbits/eth-security-toolbox for more information. - "name": "codespaces", + "name": "Codespaces TRG's DevContainer", // Build configuration - uses the eth-security-toolbox image "image": "ghcr.io/trailofbits/eth-security-toolbox:nightly", From bc47cac70dd5b846f0a070ac613a03e5d6baf740 Mon Sep 17 00:00:00 2001 From: d4rm5 Date: Fri, 5 Sep 2025 17:28:02 -0300 Subject: [PATCH 6/8] (codespaces): updated codespaces flavor --- .devcontainer/codespaces/devcontainer.json | 3 --- 1 file changed, 3 deletions(-) diff --git a/.devcontainer/codespaces/devcontainer.json b/.devcontainer/codespaces/devcontainer.json index b72269d..c1bc01e 100644 
--- a/.devcontainer/codespaces/devcontainer.json +++ b/.devcontainer/codespaces/devcontainer.json @@ -35,7 +35,4 @@ } } }, - - // Sets a workspace path entirely hardened within the container - "workspaceFolder": "/workspace" } \ No newline at end of file From 2dd6bbb37c22411ef13ba2adb3cdca5d2a10aaed Mon Sep 17 00:00:00 2001 From: d4rm5 Date: Fri, 5 Sep 2025 17:33:40 -0300 Subject: [PATCH 7/8] (readme): updated readme to cover codespaces variant --- README.md | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index b024209..4c6518c 100644 --- a/README.md +++ b/README.md @@ -23,17 +23,18 @@ below. > ``` > We're working on an article covering all the tricks VS Code uses β€” stay tuned. +## Quickstart with Github Codespaces + +You can also run our prebuilt container intended for GitHub Codespaces: + +[![Open in Codespaces](https://github.com/codespaces/badge.svg)](https://github.com/codespaces/new?hide_repo_select=true&ref=main&template_repository=theredguild%2Fdevcontainer&skip_quickstart=true&repo=772110522&machine=basicLinux32gb&geo=UsEast&devcontainer_path=.devcontainer%2Fcodespaces%2Fdevcontainer.json) + ## Quickstart with Devcontainer Wizard You can use any prebuilt container using our [Devcontainer Wizard](https://github.com/theredguild/devcontainer-wizard): ![Simple wizard Example](./assets/wizard.gif) -## Quickstart with Github Codespaces - -You can also run prebuilt containers using GitHub Codespaces: - -[![Open in Codespaces](https://github.com/codespaces/badge.svg)](https://github.com/codespaces/new?hide_repo_select=true&ref=main&template_repository=theredguild/devcontainer) ## Available Devcontainer Variants 
@@ -83,6 +84,10 @@ We now offer multiple devcontainer configurations to suit different security and - **Workspace**: Host workspace bind-mounted into `/workspace` (no hardening) - **Extensions**: All the tools in the ETH Security Toolbox. +### **Codespaces** (`.devcontainer/codespaces/`) + +Intended for use with GitHub Codespaces, is like `eth-security-toolbox` variant without `runArgs`. + ### **(EXPERIMENTAL) Paranoid** (`.devcontainer/paranoid/`) **Use case**: Maximum security hardening with read-only filesystem and ephemeral workspace. From 0b1c425f225c4e297434b410d362b8d30f84edd6 Mon Sep 17 00:00:00 2001 From: dantesito <84307018+d4rm5@users.noreply.github.com> Date: Fri, 5 Sep 2025 17:54:56 -0300 Subject: [PATCH 8/8] Revise security notes and GitHub Codespaces section --- README.md | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 4c6518c..327f425 100644 --- a/README.md +++ b/README.md 
@@ -11,19 +11,15 @@ below. > [!IMPORTANT] > Dev Containers can improve your workflow, but they are **not a fully secure environment**. -> If you need to run untrusted or suspicious code, use [GitHub Codespaces](https://github.com/codespaces/new?hide_repo_select=true&ref=main&template_repository=theredguild/devcontainer), GitPod, or a similar remote setup β€” **never run it directly on your machine**. +> If you need to run untrusted or suspicious code, use GitHub Codespaces, GitPod, or a similar remote setup β€” **never run it directly on your machine**. > [!CAUTION] > **VS Code considerations:** > -> VS Code does a lot to improve user experience, but that comes with security tradeoffs. For example, by default, VS Code allows API calls to open new terminals, even bypassing the host machine: -> ```bash -> code --command workbench.action.terminal.newLocal -> ``` -> We're working on an article covering all the tricks VS Code uses β€” stay tuned. +> VS Code does a lot to improve user experience, but that doesn't come without security tradeoffs. VS Code might allow API calls that can lead to running arbitrary commands on the host machine, and by default, it shares sockets such as the gpg-agent’s, which means keys stored outside the container can be used for signing. This opens the door to blind-signing commits scenarios, where a process inside the container may trigger signatures without the user’s full awareness. If you want to deep dive into these "tricks", we're working on an article covering the most relevant of them β€” stay tuned. -## Quickstart with Github Codespaces +## Quickstart with GitHub Codespaces You can also run our prebuilt container intended for GitHub Codespaces:
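Review bot: in the added `.devcontainer/auditor-codespaces/Dockerfile`, the rustup, Node.js and Foundry installers are piped straight from the network into `sh`, `bash` and `zsh` with no pinned revision or checksum, and the Node.js script is taken from the `main` branch of devcontainers/features, so the image contents depend on whatever those URLs serve at build time. For an image meant for audit work, download each script at a pinned tag or commit, verify a recorded SHA-256, and only then run it; `asdf install golang latest` has the same reproducibility problem and should name a version. Smaller points: the `USER vscode` before the Foundry PATH line is redundant because the build is already running as `vscode`, and that PATH line points at `/usr/local/foundry/bin` although Foundry was installed as the `vscode` user, so please confirm that directory exists in the built image.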
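Review bot: in the added `.devcontainer/auditor-codespaces/devcontainer.json`, `"security.workspace.trust.enabled": false` does the opposite of its comment "Trust no one by default": setting it to false switches the Workspace Trust feature off, so every folder is treated as trusted and Restricted Mode never applies. Leave the setting at its default (`true`) or drop the line, and fix the comment. The comments around the mounts also contradict each other: `workspaceMount` is described as "no hardening" while `workspaceFolder` on the next line is described as "a hardened workspace path", and the `mounts` comment refers to a `--read-only` setting "above" that this file does not contain. The docker-in-docker feature is pinned to `2.12.2` but then asks for `"version": "latest"`, which undoes most of the pin.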
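Review bot: in the new `.devcontainer/codespaces/devcontainer.json` (patch 4/8), `"image": "ghcr.io/trailofbits/eth-security-toolbox:nightly"` is a moving tag, so two Codespaces created on different days can get different tool sets and there is no record of which image a given audit ran in. Pin the image by digest (`...eth-security-toolbox@sha256:<digest>`) or by a release tag and update it deliberately. The `"security.workspace.trust.enabled": false` line is carried over from the deleted file with the same "Trust no one by default" comment, and it still disables Workspace Trust rather than enforcing it. The comment "Sets a workspace path entirely hardened within the container" on `workspaceFolder` describes nothing the file actually configures, since there is no `workspaceMount` or `runArgs` here.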
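Review bot: the new `.devcontainer/codespaces/motd` file is not referenced by anything in this patch; the accompanying `devcontainer.json` uses a prebuilt image and has no build step, mount or lifecycle command that would install or print it. Either wire it in or leave it out of the commit. If it stays, note that the hard-coded tool list (echidna, medusa, slither, building-secure-contracts) describes an image pulled from a `nightly` tag and can drift from what is actually installed.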
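Review bot: in patch 6/8, removing `"workspaceFolder"` leaves the `},` that closes `"customizations"` directly in front of the final `}`, so the file now ends with a trailing comma. Editors that read devcontainer.json as JSONC may tolerate it, but any strict JSON consumer will reject the file; drop the comma in the same change. Patches 4/8, 5/8 and 6/8 also share the identical subject "(codespaces): updated codespaces flavor"; squashing them, or giving each a subject that says what changed (rename, remove workspaceFolder), would make the history easier to audit.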
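Review bot: in the first README hunk of patch 7/8, the new badge URL hard-codes `repo=772110522`, `machine=basicLinux32gb` and `geo=UsEast` alongside `devcontainer_path`. The region and machine type will be preselected for every reader regardless of where they are, and the numeric repo id is opaque to anyone reviewing the link. Keep `devcontainer_path` (that is the part that selects the codespaces variant) and drop `geo` and `machine` unless there is a reason to force them, in which case say so in the text.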
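Review bot: in the second README hunk of patch 7/8, the new Codespaces section says only that the variant is like `eth-security-toolbox` "without `runArgs`" and omits the Use case / Focus / Security / Network bullets that the other variants carry. Since `runArgs` is where the other variants apply their container hardening, the README should state which protections this variant does not have and why that is acceptable on Codespaces, so readers do not assume the same isolation. The sentence also needs a subject ("It is like the `eth-security-toolbox` variant ...").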
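Review bot: in patch 8/8, the rewritten CAUTION block names a concrete risk (the gpg-agent socket is shared by default, so a process in the container can obtain signatures with keys held outside it) but gives the reader nothing to check or change, and it replaces the one reproducible example the old text had with "might allow API calls". Add a line on how to verify whether the agent socket is forwarded in a running container and which setting or variant in this repository turns that off, or keep the removed `code --command` example until the promised article exists. The IMPORTANT note also loses its Codespaces link; pointing it at the new quickstart section would keep the advice actionable.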