The latest Buf updates on your PR. Results from workflow CI / buf-check (pull_request).

Summary of Changes

Hello @tac0turtle, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly improves the project's security by introducing automated vulnerability scanning with Trivy and hardening several Docker containers to run with reduced privileges. These changes aim to proactively identify and mitigate security risks, ensuring a more robust and secure application environment.

Highlights

• Security Scanning: Integrated Trivy security scanning into the build process, allowing for both filesystem and Docker image vulnerability, misconfiguration, and secret scanning via new make trivy-scan targets.
• Container Security Hardening: Addressed the DS-0002 (HIGH) vulnerability by configuring the evm, testapp, and local-da Docker containers to run as a dedicated non-root ev-node user, enhancing security posture.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Claude finished @tac0turtle's task in 1m 17s —— View job

Code Review

• Gather context
• Read changed files
• Analyze code quality and security
• Post review feedback

Good security hardening PR overall. The non-root user changes are correct and consistent, and the Trivy scanning setup is clean. A few issues worth addressing:

Dockerfile Inconsistencies

apps/evm/Dockerfile and tools/local-da/Dockerfile — -D flag on adduser

Both Alpine Dockerfiles use adduser -D which suppresses home directory creation:

# apps/evm/Dockerfile:21
# tools/local-da/Dockerfile:23
RUN addgroup -g 1000 ev-node && \
    adduser -u 1000 -G ev-node -s /bin/sh -D ev-node

With -D, Alpine's adduser does not create /home/ev-node. The subsequent WORKDIR /home/ev-node creates the directory as root, and while the chown call fixes ownership, this differs from the reference apps/grpc/Dockerfile (which also uses -D but explicitly creates a subdirectory with mkdir -p before the chown). It works, but the -D flag is misleading given the intent. Either:

• Drop -D so adduser creates the home directory itself, or
• Keep -D and add an explicit comment explaining the pattern

The apps/testapp/Dockerfile (Debian-based) uses useradd -m which correctly creates the home directory. The Alpine images should be consistent with the grpc Dockerfile pattern.

Fix this →

apps/evm/Dockerfile — chown placement relative to COPY

# apps/evm/Dockerfile:25-28
COPY --from=build-env /src/apps/evm/evm /usr/bin/evm
COPY apps/evm/entrypoint.sh /usr/bin/entrypoint.sh
RUN chmod +x /usr/bin/entrypoint.sh && \
    chown -R ev-node:ev-node /home/ev-node

The chown /home/ev-node runs after the COPY commands but those copies target /usr/bin/, not /home/ev-node. The working directory /home/ev-node is empty at this point, so the chown is a no-op. Compare with tools/local-da/Dockerfile which has the same structure and apps/grpc/Dockerfile which uses mkdir -p /home/ev-node/.evgrpc && chown -R ev-node:ev-node /home/ev-node to ensure there's actually content to chown. This isn't a security issue since the USER ev-node directive is what matters, but the chown is unnecessary work.

scripts/security.mk — Using latest tag for Trivy

# scripts/security.mk:3
TRIVY_IMAGE := aquasec/trivy:latest

Pinning to latest is a reproducibility and supply-chain risk. Trivy releases are frequent, and a breaking change or unexpected behavior change could silently affect CI. Consider pinning to a specific version (e.g., aquasec/trivy:0.59.1) and documenting a process for bumping it. The severity variable is already overridable via ?=, which is good.

Fix this →

scripts/security.mk — Docker socket mount for image scanning

# scripts/security.mk:37
-v /var/run/docker.sock:/var/run/docker.sock \

Mounting the Docker socket gives the Trivy container full Docker daemon access (effectively root on the host). This is standard practice for Docker-in-Docker image scanning, but worth noting: if Trivy is ever run in a CI environment where the socket path differs (e.g., Podman, rootless Docker, or DinD setups), this will silently fail. Consider adding a check or a comment noting this requirement. The --rm flag is correctly set.

scripts/security.mk — Shell loop quoting

# scripts/security.mk:34-41
@for img in $(SCAN_IMAGES); do \
    echo "--> Scanning image: $$img"; \
    $(TRIVY_RUN) \
        -v /var/run/docker.sock:/var/run/docker.sock \
        $(TRIVY_IMAGE) \
        image --severity $(TRIVY_SEVERITY) \
        $$img; \
done

$$img is unquoted. If an image name contains spaces (unlikely but possible with custom values of SCAN_IMAGES), this would break. Quote it: "$$img". Minor, but it's a correctness issue.

Fix this →

Documentation

docs/guides/migrate-docker-nonroot.md — Well-written migration guide. The troubleshooting table is a nice touch. One note: the guide references ev.xyz/guides/migrate-docker-nonroot in CHANGELOG.md but doesn't verify the VitePress route is correctly configured.

docs/.vitepress/config.ts — Not shown in full context, but if the sidebar/nav entry for this guide wasn't added, the page will be unreachable from navigation. The file was listed as modified (+4/-0), so this appears to be addressed.

Summary

The core security objective (DS-0002 fix) is correctly implemented. The items above are refinements rather than blockers.

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 61.16%. Comparing base (a16e4c9) to head (d4b15fc).

@@           Coverage Diff           @@
##             main    #3082   +/-   ##
=======================================
  Coverage   61.16%   61.16%           
=======================================
  Files         113      113           
  Lines       11444    11444           
=======================================
  Hits         7000     7000           
  Misses       3655     3655           
  Partials      789      789           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Good call to improve the Dockerfiles. The test fail due to RO volumes now.
init container: init evm-single: exit code 1: Error: error validating config: could not create directory "/root/.evm-single/config": mkdir /root/.evm-single: permission denied