fix(security): address all Docker security audit findings

HIGH fixes:
- F10: Stop leaking secrets to child processes — safeSpawn now uses
  minimal env (PATH, HOME, LANG only) instead of full process.env
- F1: Pin Dockerfile base image to node:18.20-slim
- F2: Multi-stage build — builder stage for npm ci, clean runtime stage
- F9: Create docker-compose.yml with no-new-privileges, cap_drop ALL,
  read_only fs, tmpfs mounts, memory/PID limits
- F12: Lazy-init AWS Rekognition client with credential validation

MEDIUM fixes:
- F15: Add getSafeAxiosConfig to rekognition.js downloads
- F4: Change default tool paths from /root/ to /opt/ (non-root accessible)
- F25: Move JWT temp folder inside /app/temp/
- F26: Move ghunt results inside /app/temp/
- F23: Add 50MB output file size limit to safeSpawnToFile
- F17: Add Trivy image scanning to CI pipeline
- F18: Pin GitHub Actions to SHA commits
- F21: Tighten npm audit to --audit-level=moderate

LOW fixes:
- F8: Expand .dockerignore (admin scripts, CI configs, docs)
- F24: Add 1MB stderr buffer cap to safeSpawn/safeSpawnToFile
- F27: Add startup cleanup for orphaned temp files >24h old

45 tests passing, 0 lint errors.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: gl0bal01

.dockerignore

@@ -7,3 +7,13 @@ docs/
 *.md
 .eslintrc*
 .gitignore
+.github/
+eslint.config.js
+ghunt_results/
+*.test.js
+vitest.config.*
+CONTRIBUTING.md
+SECURITY.md
+REPOSITORY_SUMMARY.md
+CITATION.cff
+zenodo.json

.github/workflows/ci.yml

@@ -13,9 +13,9 @@ jobs:
       matrix:
         node-version: [18, 20, 22]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
           node-version: ${{ matrix.node-version }}
       - run: npm ci
@@ -25,17 +25,23 @@ jobs:
   audit:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
           node-version: 18
       - run: npm ci
-      - run: npm audit --audit-level=high
+      - run: npm audit --audit-level=moderate
 
   docker:
     runs-on: ubuntu-latest
     needs: [test]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Build Docker image
         run: docker build -t discord-osint-assistant .
+      - name: Scan Docker image
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947e7f9de1e6e321aee # v0.29.0
+        with:
+          image-ref: discord-osint-assistant
+          severity: CRITICAL,HIGH
+          exit-code: 1

Dockerfile

@@ -1,14 +1,21 @@
-FROM node:18-slim
-
-# Create app directory
+# Pin to specific version for reproducible builds
+# Update periodically: docker pull node:18.20-slim
+FROM node:18.20-slim AS builder
 WORKDIR /app
-
-# Install only production dependencies (reproducible via lockfile)
 COPY package.json package-lock.json ./
 RUN npm ci --omit=dev
 
-# Copy application code
-COPY . .
+# Stage 2: Production runtime
+FROM node:18.20-slim
+RUN apt-get update && apt-get install -y --no-install-recommends procps && rm -rf /var/lib/apt/lists/*
+WORKDIR /app
+
+# Copy only what's needed
+COPY --from=builder /app/node_modules ./node_modules
+COPY package.json index.js deploy-commands.js clear-commands.js ./
+COPY commands/ ./commands/
+COPY utils/ ./utils/
+COPY addons/ ./addons/
 
 # Create temp directory
 RUN mkdir -p /app/temp
@@ -18,7 +25,6 @@ RUN groupadd -r botuser && useradd -r -g botuser botuser
 RUN chown -R botuser:botuser /app
 USER botuser
 
-# Health check: verify the main node process is running
 HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
     CMD pgrep -f "node index.js" > /dev/null || exit 1
 

commands/ghunt.js

@@ -326,7 +326,7 @@ module.exports = {
         const userTag = interaction.user.tag || username;
 
         // Directory for results
-        const resultsDir = path.join(__dirname, '../ghunt_results');
+        const resultsDir = path.join(__dirname, '../temp/ghunt_results');
         if (!fs.existsSync(resultsDir)) {
             fs.mkdirSync(resultsDir, { recursive: true });
         }

commands/jwt.js

@@ -42,7 +42,7 @@ const crypto = require('crypto');
 // Configuration - adjust these paths according to your environment
 const CONFIG = {
     JWT_TOOL_PATH: process.env.JWT_TOOL_PATH || '/opt/tools/jwt_tool',
-    TEMP_FOLDER: process.env.JWT_TEMP_FOLDER || '/tmp/jwt_analysis',
+    TEMP_FOLDER: process.env.JWT_TEMP_FOLDER || path.join(__dirname, '..', 'temp', 'jwt_analysis'),
     DEFAULT_WORDLIST: process.env.JWT_WORDLIST || '/opt/rockyou.txt',
     COMMAND_TIMEOUT: parseInt(process.env.JWT_TIMEOUT) || 120000, // 2 minutes
     MAX_OUTPUT_SIZE: 10 * 1024 * 1024, // 10MB max output file size

commands/nuclei.js

@@ -163,7 +163,7 @@ module.exports = {
 
             // Construct Nuclei args array (no shell interpolation)
             const nucleiBinary = process.env.NUCLEI_PATH || 'nuclei';
-            const templatesPath = process.env.NUCLEI_TEMPLATE_PATH || '/root/nuclei-templates/http/osint/user-enumeration';
+            const templatesPath = process.env.NUCLEI_TEMPLATE_PATH || '/opt/nuclei-templates/http/osint/user-enumeration';
             const args = [
                 '-t', templatesPath,
                 '-tags', tagsList.join(','),

commands/rekognition.js

@@ -10,7 +10,7 @@
 
 const { SlashCommandBuilder, EmbedBuilder, AttachmentBuilder } = require('discord.js');
 const axios = require('axios');
-const { validateUrlNotInternal } = require('../utils/ssrf');
+const { validateUrlNotInternal, getSafeAxiosConfig } = require('../utils/ssrf');
 const { isValidUrl } = require('../utils/validation');
 const fs = require('fs');
 const path = require('path');
@@ -21,14 +21,24 @@ const { URL } = require('url');
 const { RekognitionClient, DetectLabelsCommand, DetectTextCommand, 
   DetectFacesCommand, DetectModerationLabelsCommand, 
   RecognizeCelebritiesCommand, CompareFacesCommand } = require('@aws-sdk/client-rekognition');
-// Initialize the AWS Rekognition client (v3)
-const rekognitionClient = new RekognitionClient({
-    region: process.env.AWS_REGION || 'us-east-1',
-    credentials: {
-        accessKeyId: process.env.AWS_ACCESS_KEY_ID,
-        secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY
+// Lazy-initialized AWS Rekognition client (v3)
+let _rekognitionClient = null;
+
+function getRekognitionClient() {
+    if (!_rekognitionClient) {
+        if (!process.env.AWS_ACCESS_KEY_ID || !process.env.AWS_SECRET_ACCESS_KEY) {
+            throw new Error('AWS credentials not configured. Set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.');
+        }
+        _rekognitionClient = new RekognitionClient({
+            region: process.env.AWS_REGION || 'us-east-1',
+            credentials: {
+                accessKeyId: process.env.AWS_ACCESS_KEY_ID,
+                secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY
+            }
+        });
     }
-});
+    return _rekognitionClient;
+}
 
 module.exports = {
     data: new SlashCommandBuilder()
@@ -194,9 +204,10 @@ async function handleAnalyze(interaction, tempDir) {
 
             try {
                 // Download the attachment
-                const response = await axios.get(uploadedImage.url, { 
+                const response = await axios.get(uploadedImage.url, {
                     responseType: 'arraybuffer',
-                    timeout: 10000 // 10 second timeout
+                    timeout: 10000, // 10 second timeout
+                    ...getSafeAxiosConfig()
                 });
 
                 imageBuffer = Buffer.from(response.data);
@@ -439,9 +450,10 @@ async function handleCompare(interaction, tempDir) {
 
             try {
                 // Download the attachment
-                const response = await axios.get(sourceAttachment.url, { 
+                const response = await axios.get(sourceAttachment.url, {
                     responseType: 'arraybuffer',
-                    timeout: 10000
+                    timeout: 10000,
+                    ...getSafeAxiosConfig()
                 });
 
                 sourceImageBuffer = Buffer.from(response.data);
@@ -495,9 +507,10 @@ async function handleCompare(interaction, tempDir) {
 
             try {
                 // Download the attachment
-                const response = await axios.get(targetAttachment.url, { 
+                const response = await axios.get(targetAttachment.url, {
                     responseType: 'arraybuffer',
-                    timeout: 10000
+                    timeout: 10000,
+                    ...getSafeAxiosConfig()
                 });
 
                 targetImageBuffer = Buffer.from(response.data);
@@ -651,9 +664,10 @@ async function downloadImage(url, tempDir, prefix = '') {
         const filePath = path.join(tempDir, fileName);
 
         // Download the image
-        const response = await axios.get(url, { 
+        const response = await axios.get(url, {
             responseType: 'arraybuffer',
-            timeout: 10000 // 10 second timeout
+            timeout: 10000, // 10 second timeout
+            ...getSafeAxiosConfig()
         });
 
         // Check if the response is an image
@@ -720,7 +734,7 @@ async function detectLabels(imageBuffer) {
     };
 
     const command = new DetectLabelsCommand(params);
-    const response = await rekognitionClient.send(command);
+    const response = await getRekognitionClient().send(command);
     return response;
 }
 
@@ -737,7 +751,7 @@ async function detectText(imageBuffer) {
     };
 
     const command = new DetectTextCommand(params);
-    const response = await rekognitionClient.send(command);
+    const response = await getRekognitionClient().send(command);
     return response;
 }
 
@@ -755,7 +769,7 @@ async function detectFaces(imageBuffer) {
     };
 
     const command = new DetectFacesCommand(params);
-    const response = await rekognitionClient.send(command);
+    const response = await getRekognitionClient().send(command);
     return response;
 }
 
@@ -773,7 +787,7 @@ async function detectModerationLabels(imageBuffer) {
     };
 
     const command = new DetectModerationLabelsCommand(params);
-    const response = await rekognitionClient.send(command);
+    const response = await getRekognitionClient().send(command);
     return response;
 }
 
@@ -790,7 +804,7 @@ async function recognizeCelebrities(imageBuffer) {
     };
 
     const command = new RecognizeCelebritiesCommand(params);
-    const response = await rekognitionClient.send(command);
+    const response = await getRekognitionClient().send(command);
     return response;
 }
 
@@ -813,6 +827,6 @@ async function compareFaces(sourceImageBuffer, targetImageBuffer, similarityThre
     };
 
     const command = new CompareFacesCommand(params);
-    const response = await rekognitionClient.send(command);
+    const response = await getRekognitionClient().send(command);
     return response;
 }

commands/sherlock.js

@@ -25,7 +25,7 @@
  */
 
 const { SlashCommandBuilder, AttachmentBuilder } = require('discord.js');
-const { safeSpawnToFile } = require('../utils/process');
+const { safeSpawnToFile, getSafeEnv } = require('../utils/process');
 const fs = require('fs').promises;
 const path = require('path');
 const crypto = require('crypto');
@@ -142,7 +142,7 @@ async function executeSherlockScan(sherlockPath, username, outputFile, timeout,
 
     return safeSpawnToFile(sherlockPath, args, outputFile, {
         timeout: timeout * 1000,
-        env: { ...process.env, PYTHONUNBUFFERED: '1' }
+        env: { ...getSafeEnv(), PYTHONUNBUFFERED: '1' }
     });
 }
 

docker-compose.yml

@@ -0,0 +1,19 @@
+version: '3.8'
+
+services:
+  bot:
+    build: .
+    restart: unless-stopped
+    env_file:
+      - .env
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    read_only: true
+    tmpfs:
+      - /app/temp:size=100M,uid=999,gid=999
+      - /tmp:size=50M
+    mem_limit: 512m
+    memswap_limit: 512m
+    pids_limit: 50

index.js

@@ -22,6 +22,27 @@ const { checkRateLimit } = require('./utils/ratelimit');
 const { loadConfig } = require('./utils/config');
 const config = loadConfig();
 
+// Clean up orphaned temp files from previous runs
+const tempDir = path.join(__dirname, 'temp');
+if (fs.existsSync(tempDir)) {
+    const files = fs.readdirSync(tempDir);
+    const now = Date.now();
+    const maxAge = 24 * 60 * 60 * 1000; // 24 hours
+    for (const file of files) {
+        try {
+            const filePath = path.join(tempDir, file);
+            const stat = fs.statSync(filePath);
+            if (now - stat.mtimeMs > maxAge) {
+                if (stat.isDirectory()) {
+                    fs.rmSync(filePath, { recursive: true, force: true });
+                } else {
+                    fs.unlinkSync(filePath);
+                }
+            }
+        } catch { /* ignore cleanup errors */ }
+    }
+}
+
 // Initialize Discord client with required intents
 const client = new Client({ 
     intents: [