Merge pull request #1 from 02ez/copilot/fix-53426d94-92c8-4134-9b70-d3cb3c8922fb

Implement comprehensive devcontainer security hardening with multiple configuration options

Author: 02ez

.devcontainer/Dockerfile.hardened

@@ -0,0 +1,24 @@
+# Security-hardened Dockerfile for devcontainer
+# Uses specific pinned versions for security
+
+# Use specific pinned version instead of "latest" or "dev"
+ARG VARIANT="1.0.19-22-bullseye"
+FROM mcr.microsoft.com/devcontainers/javascript-node:${VARIANT}
+
+# Set security-focused environment variables
+ENV NODE_ENV=development
+ENV NPM_CONFIG_AUDIT_LEVEL=moderate
+
+# Update packages and install security updates only
+USER root
+RUN apt-get update \
+    && apt-get upgrade -y \
+    && apt-get autoremove -y \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+# Switch back to non-root user for security
+USER node
+
+# Set working directory
+WORKDIR /workspaces/docs

.devcontainer/README.md

@@ -0,0 +1,104 @@
+# Devcontainer Security Hardening
+
+This directory contains security-hardened devcontainer configurations for the GitHub Docs project. These configurations follow security best practices to minimize potential attack vectors while maintaining development functionality.
+
+## Available Configurations
+
+### 1. Default Configuration (`devcontainer.json`)
+- **Security Level**: Moderate
+- **Use Case**: Standard development with basic security hardening
+- **Key Security Features**:
+  - Removed SSH daemon access
+  - Pinned GitHub CLI version
+  - Disabled automatic git fetching
+  - Removed external repository permissions
+  - Disabled automatic server startup
+  - Commented out automatic port visibility
+
+### 2. Hardened Configuration (`devcontainer.hardened.json`)
+- **Security Level**: High
+- **Use Case**: Security-focused development with minimal features
+- **Key Security Features**:
+  - Minimal extension set
+  - No automatic command execution
+  - Manual dependency installation required
+  - Reduced resource allocation
+  - Explicit security-focused naming
+
+### 3. Team A Secure Configuration (`team-a-secure/devcontainer.json`)
+- **Security Level**: High
+- **Use Case**: Team-specific secure configuration
+- **Key Security Features**:
+  - Team-specific extension subset
+  - Manual setup required
+  - Reduced resource requirements
+
+### 4. Team B Secure Configuration (`team-b-secure/devcontainer.json`)
+- **Security Level**: Maximum
+- **Use Case**: Ultra-secure development environment
+- **Key Security Features**:
+  - Minimal extension set (only essential linting)
+  - No automatic commands whatsoever
+  - Workspace trust required
+  - Git sync confirmation required
+  - Minimal resource allocation
+
+## Security Improvements
+
+### Removed Security Risks
+1. **SSH Daemon**: Removed `"sshd": "latest"` feature that provided remote access
+2. **External Repository Access**: Removed automatic permissions for `github/docs-early-access`
+3. **Automatic Command Execution**: Minimized or removed automatic lifecycle commands
+4. **Unpinned Versions**: Changed `"latest"` to specific pinned versions
+5. **Auto-fetching**: Disabled automatic git fetch operations
+
+### Enhanced Security Features
+1. **Version Pinning**: All features use specific versions instead of "latest"
+2. **Minimal Extensions**: Reduced extension sets to only essential tools
+3. **Manual Operations**: Require manual approval for sensitive operations
+4. **Resource Limits**: Reduced resource allocation where appropriate
+5. **Non-root User**: Maintained non-root user execution
+
+## Usage
+
+### Selecting a Configuration
+When creating a codespace, you can choose from the available configurations:
+- Default project configuration (moderately hardened)
+- Team A codespace config (highly secure)
+- Team B codespace config (maximum security)
+
+### Manual Setup Requirements
+For security-hardened configurations:
+1. Install dependencies: `npm ci`
+2. Start the development server: `npm start`
+3. Configure port visibility manually if needed: `gh cs ports visibility 4000:public`
+
+## Security Best Practices
+
+1. **Review Configuration**: Always review devcontainer configurations before use
+2. **Minimal Permissions**: Only grant necessary permissions and features  
+3. **Manual Operations**: Prefer manual over automatic operations for sensitive tasks
+4. **Version Pinning**: Use specific versions instead of "latest" tags
+5. **Regular Updates**: Keep pinned versions updated but test changes thoroughly
+
+## Migration Guide
+
+### From Standard to Hardened Configuration
+1. Switch to `devcontainer.hardened.json` or team-specific configuration
+2. Install dependencies manually: `npm ci`
+3. Start development server manually: `npm start`
+4. Configure port visibility if needed: `gh cs ports visibility 4000:public`
+
+### Custom Team Configurations
+To create a custom secure configuration:
+1. Copy an existing team configuration
+2. Customize extensions and settings for your team's needs
+3. Follow the minimal permissions principle
+4. Test the configuration thoroughly
+
+## Security Considerations
+
+- These configurations prioritize security over convenience
+- Some automatic features have been disabled and require manual intervention
+- External repository access must be granted explicitly when needed
+- Review and approve all configuration changes through your security review process

.devcontainer/devcontainer.hardened.json

@@ -0,0 +1,69 @@
+// Hardened devcontainer configuration for enhanced security
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the README at:
+// https://github.com/microsoft/vscode-dev-containers/tree/v0.177.0/containers/javascript-node
+// - Security hardened version with minimal features and restricted access
+{
+  "name": "docs.github.com (Security Hardened)",
+  "build": {
+    "dockerfile": "Dockerfile.hardened",
+    // Use specific Node version instead of generic variant
+    "args": { "VARIANT": "22" }
+  },
+
+  // Minimal features - removed SSH daemon for security
+  "features": {
+    // Only essential GitHub CLI, pinned to specific version
+    "ghcr.io/devcontainers/features/github-cli:1": {
+      "version": "2.40.1"
+    }
+  },
+
+  "customizations": {
+    "vscode": {
+      // Set *default* container specific settings.json values on container create.
+      "settings": {
+        "terminal.integrated.shell.linux": "/bin/bash",
+        "cSpell.language": ",en",
+        // Disable auto-fetch for security - manual fetching required
+        "git.autofetch": false
+      },
+      // Minimal essential extensions only - removed potential security risks
+      "extensions": [
+        "dbaeumer.vscode-eslint",
+        "sissel.shopify-liquid", 
+        "davidanson.vscode-markdownlint",
+        "bierner.markdown-preview-github-styles",
+        "streetsidesoftware.code-spell-checker"
+        // Removed extensions that could pose security risks:
+        // - Custom extensions that might have privileged access
+        // - GitHub Copilot extensions (can be added manually if needed)
+      ]
+    }
+    // Removed codespaces repository permissions for security
+    // External repository access must be granted manually
+  },
+
+  // Use 'forwardPorts' to make a list of ports inside the container available locally.
+  "forwardPorts": [4000],
+
+  "portsAttributes": {
+    "4000": {
+      "label": "Review"
+    }
+  },
+
+  // Security hardened lifecycle commands - minimal automatic execution
+  // Manual setup required for enhanced security
+  "onCreateCommand": "echo 'Security hardened container created. Run npm ci manually to install dependencies.'",
+  // Removed automatic npm start for security - manual startup required
+  // Removed automatic port visibility command - manual configuration required
+  
+  // Comment out connect as root instead. More info: https://aka.ms/vscode-remote/containers/non-root.
+  "remoteUser": "node",
+
+  // Reduced resource requirements for security-focused lightweight setup
+  "hostRequirements": {
+    "memory": "8gb", 
+    "cpus": "2"
+  }
+}

.devcontainer/devcontainer.json

@@ -1,5 +1,8 @@
 // For format details, see https://aka.ms/devcontainer.json. For config options, see the README at:
 // https://github.com/microsoft/vscode-dev-containers/tree/v0.177.0/containers/javascript-node
+// 
+// SECURITY NOTE: This configuration has been hardened for security.
+// See .devcontainer/README.md for details on security improvements and available configurations.
 // -
 {
   "name": "docs.github.com",
@@ -10,9 +13,11 @@
   },
 
   // Install features. Type 'feature' in the VS Code command palette for a full list.
+  // Security hardened: removed SSH daemon, pinned GitHub CLI version
   "features": {
-    "sshd": "latest",
-    "ghcr.io/devcontainers/features/github-cli:1": {}
+    "ghcr.io/devcontainers/features/github-cli:1": {
+      "version": "2.40.1"
+    }
   },
 
   "customizations": {
@@ -21,7 +26,8 @@
       "settings": {
         "terminal.integrated.shell.linux": "/bin/bash",
         "cSpell.language": ",en",
-        "git.autofetch": true
+        // Security: disabled auto-fetch, manual git operations recommended
+        "git.autofetch": false
       },
       // Visual Studio Code extensions which help authoring for docs.github.com.
       "extensions": [
@@ -37,16 +43,9 @@
         "GitHub.copilot-chat"
       ]
     },
-    "codespaces": {
-      "repositories": {
-        // allow Codespaces to pull from separate repo when user has access
-        "github/docs-early-access": {
-          "permissions": {
-            "contents": "write"
-          }
-        }
-      }
-    }
+    // Security hardened: removed external repository permissions
+    // External repository access must be granted manually as needed
+    "codespaces": {}
   },
 
   // Use 'forwardPorts' to make a list of ports inside the container available locally.
@@ -58,11 +57,12 @@
     }
   },
 
-  // Lifecycle commands
+  // Security hardened lifecycle commands
+  // Reduced automatic command execution for enhanced security
   "onCreateCommand": "npm ci",
-  "postStartCommand": "nohup bash -c 'npm start &'",
-  // Set the port to be public
-  "postAttachCommand": "gh cs ports visibility 4000:public -c \"$CODESPACE_NAME\"",
+  "postStartCommand": "echo 'Container started. Run npm start manually when ready.'",
+  // Security: removed automatic port visibility command - manual configuration required
+  // "postAttachCommand": "gh cs ports visibility 4000:public -c \"$CODESPACE_NAME\"",
 
   // Comment out connect as root instead. More info: https://aka.ms/vscode-remote/containers/non-root.
   "remoteUser": "node",

.devcontainer/team-a-secure/devcontainer.json

@@ -0,0 +1,52 @@
+{
+  "name": "Team A Secure Codespace Config",
+  "build": {
+    "dockerfile": "../Dockerfile.hardened",
+    "args": { "VARIANT": "22" }
+  },
+
+  // Team A specific minimal features
+  "features": {
+    "ghcr.io/devcontainers/features/github-cli:1": {
+      "version": "2.40.1"
+    }
+  },
+
+  "customizations": {
+    "vscode": {
+      "settings": {
+        "terminal.integrated.shell.linux": "/bin/bash",
+        "cSpell.language": ",en",
+        "git.autofetch": false,
+        // Team A specific settings
+        "editor.formatOnSave": true,
+        "eslint.validate": ["javascript", "typescript", "markdown"]
+      },
+      // Team A minimal essential extensions
+      "extensions": [
+        "dbaeumer.vscode-eslint",
+        "sissel.shopify-liquid",
+        "davidanson.vscode-markdownlint",
+        "bierner.markdown-preview-github-styles"
+      ]
+    }
+  },
+
+  "forwardPorts": [4000],
+  
+  "portsAttributes": {
+    "4000": {
+      "label": "Team A Review"
+    }
+  },
+
+  // Security-first approach - manual setup required
+  "onCreateCommand": "echo 'Team A secure container ready. Manual setup required for security.'",
+  
+  "remoteUser": "node",
+
+  "hostRequirements": {
+    "memory": "8gb",
+    "cpus": "2"
+  }
+}

.devcontainer/team-b-secure/devcontainer.json

@@ -0,0 +1,52 @@
+{
+  "name": "Team B Secure Codespace Config", 
+  "build": {
+    "dockerfile": "../Dockerfile.hardened",
+    "args": { "VARIANT": "22" }
+  },
+
+  // Team B specific minimal features - even more restrictive
+  "features": {
+    "ghcr.io/devcontainers/features/github-cli:1": {
+      "version": "2.40.1"
+    }
+  },
+
+  "customizations": {
+    "vscode": {
+      "settings": {
+        "terminal.integrated.shell.linux": "/bin/bash", 
+        "cSpell.language": ",en",
+        "git.autofetch": false,
+        // Team B ultra-secure settings
+        "editor.formatOnSave": false,
+        "git.confirmSync": true,
+        "security.workspace.trust.enabled": true
+      },
+      // Team B ultra-minimal extensions
+      "extensions": [
+        "dbaeumer.vscode-eslint",
+        "davidanson.vscode-markdownlint"
+      ]
+    }
+  },
+
+  "forwardPorts": [4000],
+
+  "portsAttributes": {
+    "4000": {
+      "label": "Team B Review"
+    }
+  },
+
+  // Maximum security - no automatic commands
+  // All setup must be done manually
+  
+  "remoteUser": "node",
+
+  // Minimal resource allocation for security
+  "hostRequirements": {
+    "memory": "4gb",
+    "cpus": "2"
+  }
+}