This document outlines the security measures implemented in the EventCatalog MCP Server Docker container.

• Uses specific Node.js version: node:22.21.1-alpine3.21
• Prevents unexpected changes from automatic updates
• Ensures reproducible builds
• Alpine Linux reduces attack surface (smaller image size)

• Builder stage includes only build dependencies
• Production stage includes only runtime dependencies
• Reduces final image size from ~500MB to ~208MB
• Minimizes attack surface by excluding dev tools

• pnpm pinned to version 9.15.0
• All dependencies locked via pnpm-lock.yaml
• Prevents supply chain attacks from unexpected updates

• Container runs as user nodejs (UID 1001)
• User created with minimal privileges
• Prevents privilege escalation attacks
• Verified with: docker inspect --format='{{.Config.User}}' eventcatalog-mcp-server:latest

• All application files owned by nodejs:nodejs
• --chown flag used during COPY operations
• Prevents unauthorized file modifications

• Alpine packages updated during build: apk update && apk upgrade
• Ensures latest security patches are applied
• Old cache files removed to reduce image size

• npm cache cleaned: npm cache clean --force
• pnpm store pruned: pnpm store prune
• Temporary files removed: rm -rf /var/cache/apk/* /tmp/* /var/tmp/*
• Reduces image size and attack surface

• --prod flag ensures only production dependencies
• --frozen-lockfile ensures deterministic installs
• --ignore-scripts prevents malicious install scripts

• --no-audit --no-fund flags reduce noise
• Dependencies vetted through lock file

• Only port 3000 exposed (configurable via PORT env var)
• No unnecessary ports exposed
• Health check endpoint available

• Built-in health check for HTTP mode
• Interval: 30s, Timeout: 10s, Start period: 5s
• Helps with orchestration and monitoring

• Excludes sensitive files (.env, .git)
• Excludes unnecessary files (tests, docs)
• Reduces build context size
• Prevents accidental secret leakage

• OCI standard labels for traceability
• Source repository information
• Maintainer information
• License information

• Node.js max old space size limited to 512MB
• Prevents memory exhaustion attacks
• Configurable via NODE_OPTIONS environment variable

• Application can run with read-only root filesystem
• All writes should go to mounted volumes
• No writes to container filesystem required

docker inspect eventcatalog-mcp-server:latest --format='{{.Config.User}}'
# Expected: nodejs

docker images eventcatalog-mcp-server:latest
# Expected: ~208MB

docker scout quickview eventcatalog-mcp-server:latest
# or
trivy image eventcatalog-mcp-server:latest

docker run --rm eventcatalog-mcp-server:latest id
# Expected: uid=1001(nodejs) gid=1001(nodejs)

Never hardcode secrets in the Dockerfile or commit them to version control.

docker run -d \
  -e EVENTCATALOG_URL="https://your-catalog.com" \
  -e EVENTCATALOG_SCALE_LICENSE_KEY="your-key" \
  eventcatalog-mcp-server:latest

echo "your-license-key" | docker secret create eventcatalog_license -
docker service create \
  --name eventcatalog-mcp-server \
  --secret eventcatalog_license \
  eventcatalog-mcp-server:latest

docker run -d \
  --cap-drop=ALL \
  --cap-add=NET_BIND_SERVICE \
  --security-opt=no-new-privileges:true \
  eventcatalog-mcp-server:latest

docker run -d \
  --read-only \
  --tmpfs /tmp:noexec,nosuid,size=64M \
  eventcatalog-mcp-server:latest

docker network create --driver bridge isolated-network
docker run -d \
  --network isolated-network \
  eventcatalog-mcp-server:latest

docker run -d \
  --memory="512m" \
  --cpus="1.0" \
  --pids-limit=100 \
  eventcatalog-mcp-server:latest

# Using Docker Scout
docker scout cves eventcatalog-mcp-server:latest

# Using Trivy
trivy image eventcatalog-mcp-server:latest

# Using Grype
grype eventcatalog-mcp-server:latest

• Set up automated vulnerability scanning in CI/CD
• Rebuild images regularly with latest security patches
• Monitor security advisories for Node.js and dependencies
• Keep base image updated (alpine patches)

apiVersion: v1
kind: Pod
metadata:
  name: eventcatalog-mcp-server
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1001
    runAsGroup: 1001
    fsGroup: 1001
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: mcp-server
    image: eventcatalog-mcp-server:latest
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL
    resources:
      limits:
        memory: "512Mi"
        cpu: "1000m"
      requests:
        memory: "256Mi"
        cpu: "500m"

This Docker image follows:

• ✅ CIS Docker Benchmark recommendations
• ✅ OWASP Docker Security Cheat Sheet
• ✅ NIST Container Security Guidelines
• ✅ OCI Image Format Specification
• ✅ Principle of Least Privilege
• ✅ Defense in Depth

If you discover a security vulnerability, please:

1. Do NOT open a public issue
2. Email security concerns to the maintainer
3. Include detailed information about the vulnerability
4. Allow time for patches before public disclosure

• Monitor this repository for security updates
• Subscribe to Node.js security announcements
• Check Alpine Linux security advisories
• Rebuild images when security patches are released

• Docker Security Best Practices
• CIS Docker Benchmark
• OWASP Container Security
• Node.js Security Best Practices