From 9fcfb6b87007fd3932fdfc7bc72d5050f9a075e0 Mon Sep 17 00:00:00 2001 From: d4rm5 Date: Thu, 21 Aug 2025 13:21:16 -0300 Subject: [PATCH 1/8] (REFACTOR): Changed structure to allow multiple devcontainers inside `.devcontainer` (devcontainer): Added prebuilt devcontainers: auditor, minimal, legacy and legacy-minimal (actions): Added workflow to build and test devcontainers --- .devcontainer/auditor/Dockerfile | 91 +++++++++++++++ .devcontainer/auditor/devcontainer.json | 43 +++++++ .devcontainer/legacy-minimal/Dockerfile | 102 +++++++++++++++++ .../legacy-minimal/devcontainer.json | 91 +++++++++++++++ .../legacy-theredguild/Dockerfile | 12 +- .../devcontainer.json | 6 +- motd => .devcontainer/legacy-theredguild/motd | 0 .devcontainer/minimal/devcontainer.json | 40 +++++++ .github/workflows/main.yml | 105 ++++++++++++++++++ 9 files changed, 480 insertions(+), 10 deletions(-) create mode 100644 .devcontainer/auditor/Dockerfile create mode 100644 .devcontainer/auditor/devcontainer.json create mode 100644 .devcontainer/legacy-minimal/Dockerfile create mode 100644 .devcontainer/legacy-minimal/devcontainer.json rename Dockerfile => .devcontainer/legacy-theredguild/Dockerfile (95%) rename .devcontainer/{ => legacy-theredguild}/devcontainer.json (98%) rename motd => .devcontainer/legacy-theredguild/motd (100%) create mode 100644 .devcontainer/minimal/devcontainer.json create mode 100644 .github/workflows/main.yml diff --git a/.devcontainer/auditor/Dockerfile b/.devcontainer/auditor/Dockerfile new file mode 100644 index 0000000..14fcd22 --- /dev/null +++ b/.devcontainer/auditor/Dockerfile @@ -0,0 +1,91 @@ +# syntax=docker/dockerfile:1.10.0 +# check=error=true + +# Pull latest Echidna prebuilt image +FROM --platform=linux/amd64 ghcr.io/crytic/echidna/echidna AS echidna + +# Pull Debian 12 +FROM mcr.microsoft.com/vscode/devcontainers/base:bookworm + +# Switch to root user +USER root + +# Super basic stuff to get everything started +RUN apt-get update -y && apt-get install -y \ + zsh python3-pip python3-venv python3-dev libpython3-dev build-essential vim curl git sudo pkg-config \ + --no-install-recommends + +# The base container usually has a “vscode” user. If not, create one here. +RUN echo "vscode ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers + +# Switch to vscode (drop privs) +USER vscode +WORKDIR /home/vscode +ENV HOME=/home/vscode + +# Set neded paths (for python, pnpm) +ENV USR_LOCAL_BIN=/usr/local/bin +ENV LOCAL_BIN=${HOME}/.local/bin +ENV PNPM_HOME=${HOME}/.local/share/pnpm +ENV PATH=${PATH}:${USR_LOCAL_BIN}:${LOCAL_BIN}:${PNPM_HOME} + +# Configure pip to allow system packages in container environment +ENV PIP_BREAK_SYSTEM_PACKAGES=1 + +# Install uv package manager" +RUN python3 -m pip install --no-cache-dir --upgrade uv + +# Set the default shell to zsh +ENV SHELL=/usr/bin/zsh + +# Running everything under zsh +SHELL ["/usr/bin/zsh", "-ic"] + +# Install golang's latest version through asdf +RUN git clone https://github.com/asdf-vm/asdf.git $HOME/.asdf --branch v0.15.0 && \ + echo '. $HOME/.asdf/asdf.sh' >> $HOME/.zshrc && \ + echo 'fpath=(${ASDF_DIR}/completions $fpath)' >> $HOME/.zshrc && \ + echo 'autoload -Uz compinit && compinit' >> $HOME/.zshrc && \ + . $HOME/.asdf/asdf.sh && \ + asdf plugin add golang && \ + asdf install golang latest && \ + asdf global golang latest + +## Install rust +RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y && source $HOME/.cargo/env + +USER root + +## Install nvm, yarn, npm, pnpm +RUN curl -o- https://raw.githubusercontent.com/devcontainers/features/main/src/node/install.sh | bash +RUN chown -R vscode:vscode ${HOME}/.npm +USER vscode + +# Install Foundry (Forge, Cast, Anvil) +RUN curl -L https://foundry.paradigm.xyz | zsh +RUN foundryup + +# Install slither, mythril, crytic-compile +RUN uv tool install slither-analyzer && \ + uv tool install mythril && \ + uv tool install crytic-compile + +# Install Hardhat +RUN pnpm install -g hardhat solhint + +# Copy prebuilt Echidna binary +COPY --chown=vscode:vscode --from=echidna /usr/local/bin/echidna ${HOME}/.local/bin/echidna +RUN chmod 755 ${HOME}/.local/bin/echidna + +# Switch to non-root user +USER vscode + +# Set up user environment +RUN echo 'export PATH="/usr/local/foundry/bin:$PATH"' >> /home/vscode/.zshrc + +USER root + +## Clean +RUN apt-get autoremove -y && apt-get clean -y + +USER vscode \ No newline at end of file diff --git a/.devcontainer/auditor/devcontainer.json b/.devcontainer/auditor/devcontainer.json new file mode 100644 index 0000000..d82201f --- /dev/null +++ b/.devcontainer/auditor/devcontainer.json @@ -0,0 +1,43 @@ +{ + "name": "Auditor", + "build": { + "dockerfile": "./Dockerfile" + }, + + "features": { + "ghcr.io/devcontainers/features/git:1": {}, + "ghcr.io/devcontainers/features/github-cli:1": {}, + "ghcr.io/devcontainers/features/docker-in-docker:2.12.2": { + "version": "latest", + "enableNonRootDocker": "true" + } + }, + + "customizations": { + "vscode": { + "extensions": [ + "NomicFoundation.hardhat-solidity", + "tintinweb.solidity-visual-auditor", + "tintinweb.solidity-metrics", + "trailofbits.weaudit", + "eamodio.gitlens", + "streetsidesoftware.code-spell-checker", + "ms-vscode.vscode-json", + "tintinweb.chonky" + ], + "settings": { + "terminal.integrated.defaultProfile.linux": "bash", + "solidity-va.hover": true, + "solidity-va.diagnostics": true + } + } + }, + + "remoteUser": "vscode", + + "mounts": [ + "source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=cached" + ], + + "workspaceFolder": "/workspace" +} \ No newline at end of file diff --git a/.devcontainer/legacy-minimal/Dockerfile b/.devcontainer/legacy-minimal/Dockerfile new file mode 100644 index 0000000..7a56c96 --- /dev/null +++ b/.devcontainer/legacy-minimal/Dockerfile @@ -0,0 +1,102 @@ +# syntax=docker/dockerfile:1.8 +# check=error=true + +## Multi-stage build! +# Pull latest prebuilt Echidna binary. +# TODO: "Ensure the base image uses a non latest version tag" +FROM --platform=linux/amd64 ghcr.io/crytic/echidna/echidna:latest AS echidna + +# Base debian build (latest). +FROM mcr.microsoft.com/vscode/devcontainers/base:debian + +# Switch to root (the default might be root anyway) +USER root + +# Super basic stuff to get everything started +RUN apt-get update -y && apt-get install -y \ + zsh python3-pip python3-venv python3-dev libpython3-dev build-essential vim curl git sudo pkg-config \ + --no-install-recommends + +# The base container usually has a “vscode” user. If not, create one here. +RUN echo "vscode ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers + +# Switch to vscode (drop privs) +USER vscode +WORKDIR /home/vscode + +# Set HOME and create quests folder +ENV HOME=/home/vscode +RUN mkdir -p ${HOME}/quests && chown vscode:vscode ${HOME}/quests + +# Set neded paths (for python, pix, pnpm) +ENV USR_LOCAL_BIN=/usr/local/bin +ENV LOCAL_BIN=${HOME}/.local/bin +ENV PNPM_HOME=${HOME}/.local/share/pnpm +ENV PATH=${PATH}:${USR_LOCAL_BIN}:${LOCAL_BIN}:${PNPM_HOME} + +# Configure pip to allow system packages in container environment +ENV PIP_BREAK_SYSTEM_PACKAGES=1 + +# Install uv +RUN python3 -m pip install --no-cache-dir --upgrade uv + +# Set asdf manager version +ENV ASDF_VERSION=v0.15.0 + +# Set the default shell to zsh +ENV SHELL=/usr/bin/zsh + +# Running everything under zsh +SHELL ["/usr/bin/zsh", "-ic"] + + +# Install golang's latest version through asdf +RUN git clone https://github.com/asdf-vm/asdf.git $HOME/.asdf --branch ${ASDF_VERSION} && \ + echo '. $HOME/.asdf/asdf.sh' >> $HOME/.zshrc && \ + echo 'fpath=(${ASDF_DIR}/completions $fpath)' >> $HOME/.zshrc && \ + echo 'autoload -Uz compinit && compinit' >> $HOME/.zshrc && \ + . $HOME/.asdf/asdf.sh && \ + asdf plugin add golang && \ + asdf install golang latest && \ + asdf global golang latest + +## Install rust +RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y && source $HOME/.cargo/env + +USER root +## Install nvm, yarn, npm, pnpm +RUN curl -o- https://raw.githubusercontent.com/devcontainers/features/main/src/node/install.sh | bash +USER vscode + +RUN pnpm install hardhat -g + +# Python installations +# Install vyper and solc-select +RUN uv tool install vyper && \ + uv tool install solc-select && \ + solc-select install 0.8.10 latest && \ + solc-select use latest + +## Foundry framework +RUN curl -fsSL https://foundry.paradigm.xyz | zsh +RUN foundryup + + +# Do some things as root +USER root + +## Add completions for medusa, anvil, cast, forge. +RUN mkdir -p /usr/share/zsh/site-functions && \ + for tool in anvil cast forge; do \ + "$tool" completions zsh > /usr/share/zsh/site-functions/_$tool; \ + done + +## Clean +RUN apt-get autoremove -y && apt-get clean -y + +## back to user! +USER vscode + +# Example HEALTHCHECK, we don't need once since we're not using services. If you add services in the future, you would need to add "something" like this: +HEALTHCHECK --interval=60s --timeout=10s --start-period=10s --retries=3 CMD \ + zsh -c 'command -v forge && command -v solc && echo "OK" || exit 1' \ No newline at end of file diff --git a/.devcontainer/legacy-minimal/devcontainer.json b/.devcontainer/legacy-minimal/devcontainer.json new file mode 100644 index 0000000..05af276 --- /dev/null +++ b/.devcontainer/legacy-minimal/devcontainer.json @@ -0,0 +1,91 @@ +{ + // For format details, see https://aka.ms/devcontainer.json. + "name": "Legacy TRG's Minimal DevContainer", + + // You can use image or directly use a Dockerfile or Docker Compose file. + // More info: https://containers.dev/guide/dockerfile + // https://github.com/devcontainers/images/tree/main/src/base-alpine + // "image": "mcr.microsoft.com/devcontainers/base:debian", + "build": { + "dockerfile": "./Dockerfile" + }, + + // In this case this is redundant, because we are using the default user. + //"remoteUser": "vscode", + + // Features to add to the dev container. More info: https://containers.dev/features. + "features": { + // "ghcr.io/devcontainers/features/docker-in-docker:2": { + // "version": "latest", + // "moby": true + // } + }, + + // Mount isolation. If you need to extract something from within the container, you can use docker cp, but use it at your own risk. If you want to develop your devcontainer, you should comment this things, otherwise your changes inside the live container won't persist. + // Disables mounting the host workspace into the container. + "workspaceMount": "type=tmpfs,destination=/workspace", + // Sets a workspace path entirely isolated within the container + "workspaceFolder": "/workspace", + "runArgs": [ + // Read only filesystem except for explicitly writable volumes (check mounts) + // For a dev environment this is more a hussle than a feature. + // "--read-only", + "--tmpfs=/tmp:rw,noexec,nosuid,size=512m", + "--tmpfs=/var/tmp:rw,noexec,nosuid,size=512m", + "--tmpfs=/dev/shm:rw,noexec,nosuid,size=64m", + // Drop all capabilities + "--cap-drop=ALL", + + // A few security additions (AppArmor & no new privileges) + "--security-opt", "no-new-privileges", + "--security-opt", "apparmor:docker-default", + + // Use seccomp's default + // "--security-opt", "seccomp=default", + + // If you really want to isolate it, just disconnect it from the internet. You should COPY your working files inside before, otherwise you'll have to mount them manually. + // "--network=none", + "--sysctl=net.ipv6.conf.all.disable_ipv6=1", // Disable IPv6 + "--sysctl=net.ipv6.conf.default.disable_ipv6=1", + "--cap-drop=NET_RAW", // Disable raw packets + "--network=bridge", + "--dns=1.1.1.1", + "--dns=1.0.0.1", + + // Play a little bit with resources. + // "--memory=512m", + // "--cpus=2" + ], + + // Writable mounts in case you want to set --read-only above. + "mounts": [ + ], + + + // Configure tool-specific properties. + "customizations": { + // Configure properties specific to VS Code. + "vscode": { + "settings": { + // Killswitch for automated tasks + "task.autoDetect": "off", + "task.problemMatchers.autoDetect": "off", + // Trust no one by default + "security.workspace.trust.enabled": false, + // Killswitch for telemetry + "telemetry.telemetryLevel": "off", + // Use zsh by default. Using bash might be more safe and stable. + "terminal.integrated.defaultProfile.linux": "zsh", + "terminal.integrated.profiles.linux": { "zsh": { "path": "/usr/bin/zsh" } } + }, + "extensions": [ + "NomicFoundation.hardhat-solidity", + "tintinweb.solidity-visual-auditor" + ] + } + } + // Use 'postCreateCommand' to run commands after the container is created. + // "postCreateCommand": "" + // Use 'postAttachCommand' to attach a command after the container is opened. + // "postAttachCommand": "zsh" + } \ No newline at end of file diff --git a/Dockerfile b/.devcontainer/legacy-theredguild/Dockerfile similarity index 95% rename from Dockerfile rename to .devcontainer/legacy-theredguild/Dockerfile index 63a7aed..a15aa4a 100644 --- a/Dockerfile +++ b/.devcontainer/legacy-theredguild/Dockerfile @@ -6,20 +6,15 @@ # TODO: "Ensure the base image uses a non latest version tag" FROM --platform=linux/amd64 ghcr.io/crytic/echidna/echidna:latest AS echidna -# Grab at least python 3.12 -FROM python:3.12-slim as python-base - # Base debian build (latest). FROM mcr.microsoft.com/vscode/devcontainers/base:debian # Switch to root (the default might be root anyway) USER root -COPY --from=python-base /usr/local /usr/local - # Super basic stuff to get everything started RUN apt-get update -y && apt-get install -y \ - zsh python3-dev libpython3-dev build-essential vim curl git sudo pkg-config \ + zsh python3-pip python3-venv python3-dev libpython3-dev build-essential vim curl git sudo pkg-config \ --no-install-recommends # The base container usually has a “vscode” user. If not, create one here. @@ -39,6 +34,9 @@ ENV LOCAL_BIN=${HOME}/.local/bin ENV PNPM_HOME=${HOME}/.local/share/pnpm ENV PATH=${PATH}:${USR_LOCAL_BIN}:${LOCAL_BIN}:${PNPM_HOME} +# Configure pip to allow system packages in container environment +ENV PIP_BREAK_SYSTEM_PACKAGES=1 + # Install uv RUN python3 -m pip install --no-cache-dir --upgrade uv @@ -164,4 +162,4 @@ USER vscode # Example HEALTHCHECK, we don't need once since we're not using services. If you add services in the future, you would need to add "something" like this: HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 CMD \ - zsh -c 'command -v echidna && command -v medusa && command -v slither && command -v solc && echo "OK" || exit 1' + zsh -c 'command -v echidna && command -v medusa && command -v slither && command -v solc && echo "OK" || exit 1' \ No newline at end of file diff --git a/.devcontainer/devcontainer.json b/.devcontainer/legacy-theredguild/devcontainer.json similarity index 98% rename from .devcontainer/devcontainer.json rename to .devcontainer/legacy-theredguild/devcontainer.json index 7958b54..bece536 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/legacy-theredguild/devcontainer.json @@ -1,13 +1,13 @@ { // For format details, see https://aka.ms/devcontainer.json. - "name": "TRG's DevContainer", + "name": "Legacy TRG's DevContainer", // You can use image or directly use a Dockerfile or Docker Compose file. // More info: https://containers.dev/guide/dockerfile // https://github.com/devcontainers/images/tree/main/src/base-alpine // "image": "mcr.microsoft.com/devcontainers/base:debian", "build": { - "dockerfile": "../Dockerfile" + "dockerfile": "./Dockerfile" }, // In this case this is redundant, because we are using the default user. @@ -97,4 +97,4 @@ // "postCreateCommand": "" // Use 'postAttachCommand' to attach a command after the container is opened. // "postAttachCommand": "zsh" -} +} \ No newline at end of file diff --git a/motd b/.devcontainer/legacy-theredguild/motd similarity index 100% rename from motd rename to .devcontainer/legacy-theredguild/motd diff --git a/.devcontainer/minimal/devcontainer.json b/.devcontainer/minimal/devcontainer.json new file mode 100644 index 0000000..feea0d3 --- /dev/null +++ b/.devcontainer/minimal/devcontainer.json @@ -0,0 +1,40 @@ +{ + "name": "Minimal", + "image": "mcr.microsoft.com/devcontainers/javascript-node:1-20-bookworm", + + "features": { + "ghcr.io/devcontainers/features/git:1": {}, + "ghcr.io/devcontainers/features/github-cli:1": {} + }, + + "containerEnv": { + "SHELL": "/bin/bash", + "DEVCONTAINER_ID_LABEL": "minimal-web3-devcontainer" + }, + + "customizations": { + "vscode": { + "extensions": [ + "NomicFoundation.hardhat-solidity", + "ms-vscode.vscode-json", + "eamodio.gitlens" + ], + "settings": { + "terminal.integrated.defaultProfile.linux": "bash" + } + } + }, + + "forwardPorts": [3000, 8545], + + "initializeCommand": "echo 'Initializing minimal dev container...'", + + "postCreateCommand": "bash -c 'curl -L https://foundry.paradigm.xyz | bash && export PATH=\"$HOME/.foundry/bin:$PATH\" && foundryup && npm install -g hardhat && npm install @openzeppelin/contracts'", + + "postStartCommand": "echo '✅ Minimal container ready for enterprise development'", + + "remoteUser": "node", + + "workspaceFolder": "/workspace", + "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=cached" +} \ No newline at end of file diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 0000000..beb8182 --- /dev/null +++ b/.github/workflows/main.yml @@ -0,0 +1,105 @@ +name: Prebuilt Dev Containers - Build & Smoke Test + +on: + push: + branches: [ main, develop ] + paths: + - '.devcontainer/**' + - '.github/workflows/main.yml' + pull_request: + paths: + - '.devcontainer/**' + - '.github/workflows/main.yml' + workflow_dispatch: + +jobs: + build-and-test: + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + subFolder: + - .devcontainer/auditor + - .devcontainer/minimal + - .devcontainer/legacy-theredguild + - .devcontainer/legacy-minimal + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: Determine if this devcontainer changed + id: changed + run: | + set -e + FOLDER="${{ matrix.subFolder }}" + if [ "${{ github.event_name }}" = "pull_request" ]; then + git fetch origin "${{ github.base_ref }}" --depth=1 + BASE=$(git merge-base FETCH_HEAD HEAD) + if git diff --name-only "$BASE" HEAD -- "$FOLDER/" | grep .; then + echo "changed=true" >> $GITHUB_OUTPUT + else + echo "changed=false" >> $GITHUB_OUTPUT + fi + else + BEFORE="${{ github.event.before }}" + if [ -n "$BEFORE" ]; then + if git diff --name-only "$BEFORE" "${{ github.sha }}" -- "$FOLDER/" | grep .; then + echo "changed=true" >> $GITHUB_OUTPUT + else + echo "changed=false" >> $GITHUB_OUTPUT + fi + else + # Fallback: if we cannot determine before SHA, run the test + echo "changed=true" >> $GITHUB_OUTPUT + fi + fi + + - name: No changes in this devcontainer — skipping + if: steps.changed.outputs.changed != 'true' + run: echo "No changes detected in ${{ matrix.subFolder }}; skipping build." + + - name: Check devcontainer config exists + id: check + if: steps.changed.outputs.changed == 'true' + run: | + if [ -f "${{ matrix.subFolder }}/devcontainer.json" ]; then + echo "exists=true" >> $GITHUB_OUTPUT + else + echo "exists=false" >> $GITHUB_OUTPUT + echo "Skipping: ${{ matrix.subFolder }}/devcontainer.json does not exist." + fi + + - name: Build and run devcontainer + if: steps.check.outputs.exists == 'true' && steps.changed.outputs.changed == 'true' + uses: devcontainers/ci@v0.3 + with: + subFolder: ${{ matrix.subFolder }} + configFile: ${{ matrix.subFolder }}/devcontainer.json + + runCmd: echo "Devcontainer OK in ${{ matrix.subFolder }}" && uname -a + push: never + + - name: Test Foundry functionality + if: success() && steps.check.outputs.exists == 'true' && steps.changed.outputs.changed == 'true' + uses: devcontainers/ci@v0.3 + with: + subFolder: ${{ matrix.subFolder }} + configFile: ${{ matrix.subFolder }}/devcontainer.json + + runCmd: | + echo "🧪 Testing Foundry installation and functionality..." + foundryup --version || echo "❌ Foundry not found" + forge --version || echo "❌ Forge not found" + cast --version || echo "❌ Cast not found" + anvil --version || echo "❌ Anvil not found" + echo "✅ Foundry tools verification completed" + push: never + + - name: Purge Docker cache and resources (on success) + if: success() && steps.check.outputs.exists == 'true' && steps.changed.outputs.changed == 'true' + run: | + echo "Pruning Docker resources to free memory and disk..." + docker system prune -af --volumes || true + docker builder prune -af || true + docker system df || true From d415bd80e9719c89fbababa1faba7f393f01809b Mon Sep 17 00:00:00 2001 From: d4rm5 Date: Thu, 21 Aug 2025 13:28:17 -0300 Subject: [PATCH 2/8] (README): updated README with new content --- README.md | 100 +++++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 91 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 3a9518c..4b448b1 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,61 @@ install the most popular tools, so they can all work seamlessly, and at the same by default. If you want to know more, and really want to take advante of this devcontainer read below. -There's also a minimized version under the `minimal` branch. +## New DevContainer Wizard + +Check our tool to generate the recommended devcontainer configuration based on your needs: +- https://github.com/theredguild/devcontainer-wizard + +## Available Devcontainer Variants + +We now offer multiple devcontainer configurations to suit different needs: + +### **Auditor** (`.devcontainer/auditor/`) +**Best for**: Security researchers, auditors, and penetration testers +- **Focus**: Comprehensive security tooling and analysis +- **Includes**: All security tools, decompilers, static analysis, fuzzing tools +- **Extensions**: Security-focused VS Code extensions +- **Use case**: Deep security analysis, vulnerability research, comprehensive audits + +### **Minimal** (`.devcontainer/minimal/`) +**Best for**: Quick development, CI/CD, lightweight workflows +- **Focus**: Essential tools only, fast startup +- **Includes**: Foundry, Hardhat, basic Solidity support +- **Extensions**: Core development extensions only +- **Use case**: Quick prototyping, CI/CD pipelines, resource-constrained environments + +### **Legacy The Red Guild** (`.devcontainer/legacy-theredguild/`) +**Best for**: Users who need the full original experience +- **Focus**: Complete toolchain with all features +- **Includes**: Everything from the original devcontainer +- **Extensions**: Full extension suite +- **Use case**: Comprehensive development, learning, full-stack projects + +### **Legacy Minimal** (`.devcontainer/legacy-minimal/`) +**Best for**: Users who want the minimal version from the legacy branch +- **Focus**: Stripped-down version of the original +- **Includes**: Essential tools only +- **Extensions**: Basic extensions +- **Use case**: Lightweight development, legacy project support + +## New Structure + +The project has been refactored to support multiple devcontainer configurations: + +``` +.devcontainer/ +├── auditor/ # Security-focused devcontainer +├── minimal/ # Lightweight devcontainer +├── legacy-theredguild/ # Full-featured legacy devcontainer +└── legacy-minimal/ # Minimal legacy devcontainer +``` + +## Quick Start + +1. **Choose your variant** based on your needs (see above) +2. **Navigate to the variant directory**: `cd .devcontainer/[variant-name]` +3. **Open in VS Code**: `code .` +4. **Reopen in Container**: Select the appropriate devcontainer when prompted ## Requirements @@ -19,15 +73,19 @@ There's also a minimized version under the `minimal` branch. ## Kick-off -1. Start the docker service, and make sure your user is in the `docker` group. Otherwise, add +1. **Start the docker service**, and make sure your user is in the `docker` group. Otherwise, add yourself to it but you'll have to log in back again. -2. Clone this repo, if you want a minimal version checkout `minimal`. -3. Open the folder with **vscode** how you like. Running `code .` works well. -4. Select **Reopen in Container** and wait. This will build the container volume. -5. If this is your first time, you'll be prompted to press enter on a console log that triggers the -terminal. -6. If not you can go to the extensions section on your side, click the **Remote Explorer** tab and -select the active devcontainer. +2. **Clone this repo** and navigate to your preferred devcontainer variant: + ```bash + git clone + cd .devcontainer/[auditor|minimal|legacy-theredguild|legacy-minimal] + ``` +3. **Open the variant folder with VS Code**: Running `code .` works well. +4. **Select "Reopen in Container"** and wait. This will build the container volume. +5. **First time setup**: If this is your first time, you'll be prompted to press enter on a console log that triggers the terminal. +6. **Subsequent uses**: Go to the extensions section, click the **Remote Explorer** tab and select the active devcontainer. + +> **Pro Tip**: Each variant has its own configuration, so you can switch between them by opening different variant folders in VS Code. ## Usage @@ -40,6 +98,8 @@ can access several features: ## Features Overview +> **Note**: The features listed below are primarily for the **Legacy The Red Guild** variant. Each variant has its own tailored set of features. Check the specific variant's configuration for details. + ### Extensions - JuanBlanco.solidity @@ -268,6 +328,28 @@ Currently semgrep supports [Solidity](https://semgrep.dev/docs/language-support/ $ semgrep --config p/smart-contracts path/to/your/project ``` +## Contributing + +### Adding New Variants + +To add a new devcontainer variant: + +1. **Create a new directory** in `.devcontainer/` +2. **Add your configuration files**: + - `Dockerfile` (if custom build needed) + - `devcontainer.json` (required) + - Any additional configuration files +3. **Update the CI workflow** in `.github/workflows/main.yml` to include your variant +4. **Test locally** before submitting a PR +5. **Update this README** to document your new variant + +### Structure Guidelines + +- **Naming**: Use descriptive, lowercase names (e.g., `auditor`, `minimal`) +- **Configuration**: Keep variants focused on specific use cases +- **Documentation**: Document what each variant is best for +- **Testing**: Ensure your variant passes CI/CD checks + ## How to audit your Dockerfile ```bash From 353a022ed3fe1f8bf3dd22a8d07e9c93b1f62b3a Mon Sep 17 00:00:00 2001 From: d4rm5 Date: Sat, 23 Aug 2025 18:50:37 -0300 Subject: [PATCH 3/8] feat: restructure devcontainer variants and add comprehensive documentation - Restructure devcontainer directory layout for better organization - Add new isolated and hardened variants for enhanced security options - Rename legacy-theredguild to legacy for clarity - Remove legacy-minimal variant (functionality moved to minimal) - Add comprehensive comments to all Dockerfile and devcontainer.json files - Update README.md with accurate variant descriptions and use cases New variants: - isolated: Maximum security isolation with read-only filesystem - hardened: Enhanced security with maintained network connectivity - auditor: Specialized audit environment with Docker-in-Docker - minimal: Essential tools with basic security hardening - legacy: Complete toolchain (original experience) Security improvements: - Capability dropping across all variants - Security options and hardening features - Resource limits and isolation mechanisms - Comprehensive documentation of security features This commit provides users with clear choices for different security requirements while maintaining the comprehensive tooling of the original devcontainer. --- .devcontainer/auditor/Dockerfile | 78 ++++++--- .devcontainer/auditor/devcontainer.json | 49 ++++-- .devcontainer/hardened/Dockerfile | 154 +++++++++++++++++ .devcontainer/hardened/devcontainer.json | 95 +++++++++++ .devcontainer/isolated/Dockerfile | 157 ++++++++++++++++++ .devcontainer/isolated/devcontainer.json | 117 +++++++++++++ .devcontainer/legacy-minimal/Dockerfile | 102 ------------ .../legacy-minimal/devcontainer.json | 91 ---------- .../{legacy-theredguild => legacy}/Dockerfile | 0 .../devcontainer.json | 0 .../{legacy-theredguild => legacy}/motd | 0 .devcontainer/minimal/Dockerfile | 145 ++++++++++++++++ .devcontainer/minimal/devcontainer.json | 151 +++++++++++++---- README.md | 71 ++++---- 14 files changed, 915 insertions(+), 295 deletions(-) create mode 100644 .devcontainer/hardened/Dockerfile create mode 100644 .devcontainer/hardened/devcontainer.json create mode 100644 .devcontainer/isolated/Dockerfile create mode 100644 .devcontainer/isolated/devcontainer.json delete mode 100644 .devcontainer/legacy-minimal/Dockerfile delete mode 100644 .devcontainer/legacy-minimal/devcontainer.json rename .devcontainer/{legacy-theredguild => legacy}/Dockerfile (100%) rename .devcontainer/{legacy-theredguild => legacy}/devcontainer.json (100%) rename .devcontainer/{legacy-theredguild => legacy}/motd (100%) create mode 100644 .devcontainer/minimal/Dockerfile diff --git a/.devcontainer/auditor/Dockerfile b/.devcontainer/auditor/Dockerfile index 14fcd22..4f1a6ba 100644 --- a/.devcontainer/auditor/Dockerfile +++ b/.devcontainer/auditor/Dockerfile @@ -1,47 +1,68 @@ # syntax=docker/dockerfile:1.10.0 # check=error=true - -# Pull latest Echidna prebuilt image +# +# AUDITOR TRG DevContainer Dockerfile +# This Dockerfile creates a specialized development environment for smart contract auditing +# with focused tooling, Docker-in-Docker support, and comprehensive security analysis tools. +# +# Key features: +# - Multi-stage build for Echidna binary +# - Specialized audit tools (slither, mythril, crytic-compile) +# - Foundry framework for testing and interaction +# - Hardhat for development workflows +# - Docker-in-Docker support for containerized tools + +# Pull latest Echidna prebuilt image from Crytic +# Echidna is a fuzzing tool for Ethereum smart contracts FROM --platform=linux/amd64 ghcr.io/crytic/echidna/echidna AS echidna -# Pull Debian 12 +# Base image: Debian 12 (Bookworm) with VS Code DevContainer support +# This provides a stable, development-focused base for auditing work FROM mcr.microsoft.com/vscode/devcontainers/base:bookworm -# Switch to root user +# Switch to root user temporarily for system package installation USER root -# Super basic stuff to get everything started +# Install essential system packages for development and auditing +# These packages provide the foundation for all development tools RUN apt-get update -y && apt-get install -y \ zsh python3-pip python3-venv python3-dev libpython3-dev build-essential vim curl git sudo pkg-config \ --no-install-recommends -# The base container usually has a “vscode” user. If not, create one here. +# The base container usually has a "vscode" user. If not, create one here. +# This ensures consistent user setup across different base images RUN echo "vscode ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers -# Switch to vscode (drop privs) +# Switch to vscode user for security (drop privileges) +# This ensures all subsequent operations run as non-root user USER vscode WORKDIR /home/vscode ENV HOME=/home/vscode -# Set neded paths (for python, pnpm) +# Set needed paths for Python, pnpm, and other tools +# Configure environment variables for tool access and package management ENV USR_LOCAL_BIN=/usr/local/bin ENV LOCAL_BIN=${HOME}/.local/bin ENV PNPM_HOME=${HOME}/.local/share/pnpm ENV PATH=${PATH}:${USR_LOCAL_BIN}:${LOCAL_BIN}:${PNPM_HOME} # Configure pip to allow system packages in container environment +# This is necessary for some tools that need system-level packages ENV PIP_BREAK_SYSTEM_PACKAGES=1 -# Install uv package manager" +# Install uv package manager - modern Python package manager +# Faster and more reliable than pip for tool installation RUN python3 -m pip install --no-cache-dir --upgrade uv -# Set the default shell to zsh +# Set the default shell to zsh for better development experience ENV SHELL=/usr/bin/zsh -# Running everything under zsh +# Running everything under zsh for consistency and features SHELL ["/usr/bin/zsh", "-ic"] -# Install golang's latest version through asdf +# Install Go programming language through asdf version manager +# asdf provides consistent version management across different tools +# Go is required for various Web3 tools and Foundry framework RUN git clone https://github.com/asdf-vm/asdf.git $HOME/.asdf --branch v0.15.0 && \ echo '. $HOME/.asdf/asdf.sh' >> $HOME/.zshrc && \ echo 'fpath=(${ASDF_DIR}/completions $fpath)' >> $HOME/.zshrc && \ @@ -51,41 +72,56 @@ RUN git clone https://github.com/asdf-vm/asdf.git $HOME/.asdf --branch v0.15.0 asdf install golang latest && \ asdf global golang latest -## Install rust +# Install Rust programming language +# Required for various Web3 security tools and Foundry framework RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y && source $HOME/.cargo/env +# Switch to root user temporarily for Node.js installation USER root -## Install nvm, yarn, npm, pnpm +# Install Node.js, npm, yarn, and pnpm through devcontainer features +# These are essential for JavaScript/TypeScript Web3 development and Hardhat RUN curl -o- https://raw.githubusercontent.com/devcontainers/features/main/src/node/install.sh | bash RUN chown -R vscode:vscode ${HOME}/.npm + +# Switch back to vscode user for security USER vscode -# Install Foundry (Forge, Cast, Anvil) +# Install Foundry framework for Ethereum development and testing +# Foundry provides Forge (testing), Cast (interaction), and Anvil (local blockchain) +# Essential for smart contract development and testing during audits RUN curl -L https://foundry.paradigm.xyz | zsh RUN foundryup -# Install slither, mythril, crytic-compile +# Install Python-based security analysis tools for auditing +# These tools provide comprehensive smart contract security analysis +# Focused on core auditing tools: slither, mythril, crytic-compile RUN uv tool install slither-analyzer && \ uv tool install mythril && \ uv tool install crytic-compile -# Install Hardhat +# Install Hardhat and Solhint for Ethereum development +# Hardhat is a popular development environment, Solhint provides linting RUN pnpm install -g hardhat solhint -# Copy prebuilt Echidna binary +# Copy prebuilt Echidna binary from echidna stage to final image +# This provides the prebuilt Echidna tool without rebuilding COPY --chown=vscode:vscode --from=echidna /usr/local/bin/echidna ${HOME}/.local/bin/echidna RUN chmod 755 ${HOME}/.local/bin/echidna -# Switch to non-root user +# Switch to non-root user for final setup USER vscode -# Set up user environment +# Set up user environment with Foundry path +# Ensure Foundry tools are available in the user's shell RUN echo 'export PATH="/usr/local/foundry/bin:$PATH"' >> /home/vscode/.zshrc +# Switch to root for system cleanup USER root -## Clean +# Clean up package cache and temporary files +# This reduces image size and improves security RUN apt-get autoremove -y && apt-get clean -y +# Final switch to vscode user for development USER vscode \ No newline at end of file diff --git a/.devcontainer/auditor/devcontainer.json b/.devcontainer/auditor/devcontainer.json index d82201f..8e74da2 100644 --- a/.devcontainer/auditor/devcontainer.json +++ b/.devcontainer/auditor/devcontainer.json @@ -1,43 +1,58 @@ { - "name": "Auditor", + // For format details, see https://aka.ms/devcontainer.json. + // This is the AUDITOR version of TRG's DevContainer - specialized for smart contract auditing + // with Docker-in-Docker support, specialized audit extensions, and focused tooling for + // comprehensive security analysis and code review. + "name": "Auditor TRG's DevContainer", + + // Build configuration - uses the local Dockerfile in this directory "build": { "dockerfile": "./Dockerfile" }, + // Features to add to the dev container. More info: https://containers.dev/features. + // Specialized features for auditing and development workflows "features": { - "ghcr.io/devcontainers/features/git:1": {}, - "ghcr.io/devcontainers/features/github-cli:1": {}, - "ghcr.io/devcontainers/features/docker-in-docker:2.12.2": { - "version": "latest", - "enableNonRootDocker": "true" + "ghcr.io/devcontainers/features/git:1": {}, // Git version control support + "ghcr.io/devcontainers/features/github-cli:1": {}, // GitHub CLI for repository management + "ghcr.io/devcontainers/features/docker-in-docker:2.12.2": { // Docker-in-Docker for containerized tools + "version": "latest", // Use latest stable version + "enableNonRootDocker": "true" // Enable non-root Docker for security } }, + // Configure tool-specific properties for VS Code "customizations": { "vscode": { + // Specialized extensions for smart contract auditing and development "extensions": [ - "NomicFoundation.hardhat-solidity", - "tintinweb.solidity-visual-auditor", - "tintinweb.solidity-metrics", - "trailofbits.weaudit", - "eamodio.gitlens", - "streetsidesoftware.code-spell-checker", - "ms-vscode.vscode-json", - "tintinweb.chonky" + "NomicFoundation.hardhat-solidity", // Hardhat Solidity support + "tintinweb.solidity-visual-auditor", // Visual auditor for Solidity contracts + "tintinweb.solidity-metrics", // Code metrics and analysis + "trailofbits.weaudit", // Trail of Bits audit tools + "eamodio.gitlens", // Enhanced Git integration + "streetsidesoftware.code-spell-checker", // Code spelling and grammar + "ms-vscode.vscode-json", // JSON language support + "tintinweb.chonky" // File explorer enhancements ], + // VS Code settings optimized for auditing workflows "settings": { - "terminal.integrated.defaultProfile.linux": "bash", - "solidity-va.hover": true, - "solidity-va.diagnostics": true + "terminal.integrated.defaultProfile.linux": "bash", // Use bash for compatibility + "solidity-va.hover": true, // Enable Solidity hover information + "solidity-va.diagnostics": true // Enable Solidity diagnostics } } }, + // Use vscode user for security (non-root execution) "remoteUser": "vscode", + // Mount configuration for workspace access + // Bind mount from host for persistent development "mounts": [ "source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=cached" ], + // Workspace configuration - mounted from host "workspaceFolder": "/workspace" } \ No newline at end of file diff --git a/.devcontainer/hardened/Dockerfile b/.devcontainer/hardened/Dockerfile new file mode 100644 index 0000000..869b21a --- /dev/null +++ b/.devcontainer/hardened/Dockerfile @@ -0,0 +1,154 @@ +# syntax=docker/dockerfile:1.8 +# check=error=true +# +# HARDENED TRG DevContainer Dockerfile +# This Dockerfile creates a security-hardened development environment for Web3 security research +# with enhanced security features, capability dropping, and minimal attack surface. +# +# Key security features: +# - Multi-stage build for Echidna binary +# - Non-root user execution +# - Minimal package installation +# - Security-hardened toolchain +# - Reduced tool set for security focus + +## Multi-stage build for Echidna +# Pull latest prebuilt Echidna binary from Crytic's official image +# Echidna is a fuzzing tool for Ethereum smart contracts +FROM --platform=linux/amd64 ghcr.io/crytic/echidna/echidna:latest AS echidna + +# Base image: Debian 12 (Bookworm) with VS Code DevContainer support +# This provides a stable, security-focused base for development +FROM mcr.microsoft.com/vscode/devcontainers/base:bookworm + +# Install essential system packages for development +# These are the minimal packages needed for Web3 development tools +RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ + bash-completion # Shell completion support \ + build-essential # Compilation tools (gcc, make, etc.) \ + curl # HTTP client for downloading tools \ + git # Version control system \ + jq # JSON processor for tool outputs \ + pkg-config # Package configuration helper \ + sudo # Privilege escalation (needed for some tools) \ + unzip # Archive extraction \ + vim # Text editor \ + wget # Alternative HTTP client \ + zsh # Advanced shell \ + && rm -rf /var/lib/apt/lists/* + +# Install Python development dependencies +# Required for Python-based security tools and package management +RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ + python3-pip # Python package installer \ + libpython3-dev # Python development headers \ + python3-dev # Python development tools \ + python3-venv # Python virtual environment support \ + && rm -rf /var/lib/apt/lists/* + +# Switch to vscode user for security (drop privileges) +# This ensures all subsequent operations run as non-root user +USER vscode +WORKDIR /home/vscode +ENV HOME=/home/vscode + +# Update PATH environment for tool access +# Configure paths for Python, Node.js, and other tools +ENV USR_LOCAL_BIN=/usr/local/bin +ENV LOCAL_BIN=${HOME}/.local/bin +ENV PNPM_HOME=${HOME}/.local/share/pnpm +ENV PATH=${PATH}:${USR_LOCAL_BIN}:${LOCAL_BIN}:${PNPM_HOME} + +# Configure pip to allow system packages in container environment +# This is necessary for some tools that need system-level packages +ENV PIP_BREAK_SYSTEM_PACKAGES=1 + +# Install uv package manager - modern Python package manager +# Faster and more reliable than pip for tool installation +RUN python3 -m pip install --no-cache-dir --upgrade uv + +# Set the default shell execution for subsequent RUN commands +# Use zsh for better shell features and compatibility +ENV SHELL=/usr/bin/zsh +SHELL ["/bin/zsh", "-ic"] + +# Install Rust programming language +# Required for various Web3 security tools and Foundry framework +RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y +ENV PATH="$HOME/.cargo/bin:$PATH" + +# Install Go programming language through asdf version manager +# asdf provides consistent version management across different tools +# Set asdf manager version for reproducibility +RUN git clone https://github.com/asdf-vm/asdf.git $HOME/.asdf --branch v0.15.0 && \ + echo '. $HOME/.asdf/asdf.sh' >> $HOME/.zshrc && \ + echo 'fpath=(${ASDF_DIR}/completions $fpath)' >> $HOME/.zshrc && \ + echo 'autoload -Uz compinit && compinit' >> $HOME/.zshrc && \ + . $HOME/.asdf/asdf.sh && \ + asdf plugin add golang && \ + asdf install golang latest && \ + asdf global golang latest + +# Switch to root user temporarily for Node.js installation +# Some tools require root access for system-wide installation +USER root + +# Install Node.js, npm, yarn, and pnpm through devcontainer features +# These are essential for JavaScript/TypeScript Web3 development +RUN curl -o- https://raw.githubusercontent.com/devcontainers/features/main/src/node/install.sh | bash +RUN chown -R vscode:vscode ${HOME}/.npm + +# Switch back to vscode user for security +USER vscode +ENV PNPM_HOME=${HOME}/.local/share/pnpm +ENV PATH=${PATH}:${PNPM_HOME} + +# Install Foundry framework for Ethereum development +# Foundry provides Forge (testing), Cast (interaction), and Anvil (local blockchain) +RUN curl -fsSL https://foundry.paradigm.xyz | zsh && \ + echo 'export PATH="$HOME/.foundry/bin:$PATH"' >> ~/.zshrc && \ + export PATH="$HOME/.foundry/bin:$PATH" && \ + ~/.foundry/bin/foundryup + +# Install Hardhat globally for Ethereum development framework +# Hardhat is a popular development environment for Ethereum +RUN pnpm install hardhat -g + +# Build and install Medusa fuzzing tool +# Medusa is a fuzzing tool for smart contracts, similar to Echidna +WORKDIR $HOME/medusa +RUN git clone https://github.com/crytic/medusa $HOME/medusa && \ + export LATEST_TAG="$(git describe --tags | sed 's/-[0-9]+-gw+$//')" && \ + git checkout "$LATEST_TAG" && \ + go build -trimpath -o=$HOME/.local/bin/medusa -ldflags="-s -w" && \ + chmod 755 $HOME/.local/bin/medusa + +# Return to home directory and clean up build artifacts +WORKDIR $HOME +RUN rm -rf medusa/ + +# Install Python-based security analysis tools (reduced set for security focus) +# These tools provide essential smart contract security analysis +# Focused on core tools: slither, mythril, crytic-compile, halmos, solc-select +RUN uv tool install slither-analyzer && \ + uv tool install crytic-compile && \ + uv tool install slither-lsp && \ + uv tool install mythril && \ + uv tool install halmos && \ + uv tool install solc-select && \ + solc-select install 0.4.26 0.5.17 0.6.12 0.7.6 0.8.10 latest && solc-select use latest + +# Copy Echidna binary from echidna stage to final image +# This provides the prebuilt Echidna tool without rebuilding +USER root +COPY --from=echidna /usr/local/bin/echidna /usr/local/bin/echidna +RUN chmod 755 /usr/local/bin/echidna + +# Final setup and verification +USER vscode +RUN echo 'Development environment ready!' && \ +echo 'Tools installed:' && \ + ls -la $HOME/.local/bin/ || true + +# Set working directory to workspace for development +WORKDIR /workspace \ No newline at end of file diff --git a/.devcontainer/hardened/devcontainer.json b/.devcontainer/hardened/devcontainer.json new file mode 100644 index 0000000..67d1b07 --- /dev/null +++ b/.devcontainer/hardened/devcontainer.json @@ -0,0 +1,95 @@ +{ + // For format details, see https://aka.ms/devcontainer.json. + // This is the HARDENED version of TRG's DevContainer - provides enhanced security + // with capability dropping, security options, and resource limits while maintaining + // network connectivity for development. + "name": "Hardened TRG's DevContainer", + + // Build configuration - uses the local Dockerfile in this directory + "build": { + "dockerfile": "Dockerfile" + }, + + // Use vscode user for security (non-root execution) + "remoteUser": "vscode", + + // Features to add to the dev container. More info: https://containers.dev/features. + // Git and GitHub CLI features for version control and GitHub integration + "features": { + "ghcr.io/devcontainers/features/git:1": {}, + "ghcr.io/devcontainers/features/github-cli:1": {} + }, + + // Container environment variables + "containerEnv": { + "SHELL": "/bin/zsh", // Use zsh as the default shell + "DEVCONTAINER_ID_LABEL": "hardened-web3-devcontainer" // Label for container identification + }, + + // Configure tool-specific properties for VS Code + "customizations": { + "vscode": { + // Web3 security and development extensions + "extensions": [ + "tintinweb.ethereum-security-bundle", // Comprehensive Ethereum security tools + "tintinweb.vscode-ethover", // Ethereum hover information + "trailofbits.weaudit", // Trail of Bits audit tools + "tintinweb.vscode-inline-bookmarks", // Inline code bookmarks + "tintinweb.vscode-solidity-language", // Solidity language support + "tintinweb.graphviz-interactive-preview", // Graph visualization + "trailofbits.contract-explorer", // Smart contract exploration + "tintinweb.vscode-decompiler" // Contract decompilation + ], + // VS Code settings for security and functionality + "settings": { + "terminal.integrated.defaultProfile.linux": "zsh", // Default terminal shell + "terminal.integrated.profiles.linux": { + "zsh": { + "path": "/bin/zsh" + } + }, + "task.autoDetect": "off", // Disable automatic task detection for security + "task.allowAutomaticTasks": "off", // Prevent automatic task execution + "security.workspace.trust.enabled": false, // Disable workspace trust by default + "telemetry.telemetryLevel": "off" // Disable telemetry collection + } + } + }, + + // Commands to run during container lifecycle + "initializeCommand": "echo 'Initializing hardened dev container...'", + "postStartCommand": "echo '🚀 Dev container is ready for Web3 development!'", + + // Workspace configuration - mounted from host with caching + "workspaceFolder": "/workspace", + // Mount workspace from host with consistency caching for performance + "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=cached", + + // Docker run arguments for security hardening + "runArgs": [ + // Security hardening - drop all Linux capabilities + "--cap-drop=ALL", + + // Security options for container isolation + "--security-opt", + "no-new-privileges:true", // Prevent privilege escalation + "--security-opt", + "apparmor=docker-default", // Use Docker's default AppArmor profile + "--security-opt", + "seccomp=unconfined", // Disable seccomp for compatibility + + // DNS configuration for security and reliability + "--dns=1.1.1.1", // Use Cloudflare's secure DNS + "--dns=1.0.0.1", // Secondary DNS for redundancy + + // Temporary filesystem mounts with security restrictions + "--tmpfs", + "/tmp:rw,noexec,nosuid,size=512m", // Temporary directory with size limit + "--tmpfs", + "/var/tmp:rw,noexec,nosuid,size=512m", // System temp directory with size limit + + // Resource limits for container performance and security + "--memory=1024m", // Limit memory to 1GB + "--cpus=2" // Limit to 2 CPU cores + ] +} \ No newline at end of file diff --git a/.devcontainer/isolated/Dockerfile b/.devcontainer/isolated/Dockerfile new file mode 100644 index 0000000..d99fbb2 --- /dev/null +++ b/.devcontainer/isolated/Dockerfile @@ -0,0 +1,157 @@ +# syntax=docker/dockerfile:1.8 +# check=error=true +# +# ISOLATED TRG DevContainer Dockerfile +# This Dockerfile creates a highly isolated development environment for Web3 security research +# with maximum security isolation, read-only filesystem, and network isolation. +# +# Key security features: +# - Multi-stage build for Echidna binary +# - Non-root user execution +# - Minimal package installation +# - Security-hardened toolchain + +## Multi-stage build for Echidna +# Pull latest prebuilt Echidna binary from Crytic's official image +# Echidna is a fuzzing tool for Ethereum smart contracts +FROM --platform=linux/amd64 ghcr.io/crytic/echidna/echidna:latest AS echidna + +# Base image: Debian 12 (Bookworm) with VS Code DevContainer support +# This provides a stable, security-focused base for development +FROM mcr.microsoft.com/vscode/devcontainers/base:bookworm + +# Install essential system packages for development +# These are the minimal packages needed for Web3 development tools +RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ + bash-completion # Shell completion support \ + build-essential # Compilation tools (gcc, make, etc.) \ + curl # HTTP client for downloading tools \ + git # Version control system \ + jq # JSON processor for tool outputs \ + pkg-config # Package configuration helper \ + sudo # Privilege escalation (needed for some tools) \ + unzip # Archive extraction \ + vim # Text editor \ + wget # Alternative HTTP client \ + zsh # Advanced shell \ + && rm -rf /var/lib/apt/lists/* + +# Install Python development dependencies +# Required for Python-based security tools and package management +RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ + python3-pip # Python package installer \ + libpython3-dev # Python development headers \ + python3-dev # Python development tools \ + python3-venv # Python virtual environment support \ + && rm -rf /var/lib/apt/lists/* + +# Switch to vscode user for security (drop privileges) +# This ensures all subsequent operations run as non-root user +USER vscode +WORKDIR /home/vscode +ENV HOME=/home/vscode + +# Update PATH environment for tool access +# Configure paths for Python, Node.js, and other tools +ENV USR_LOCAL_BIN=/usr/local/bin +ENV LOCAL_BIN=${HOME}/.local/bin +ENV PNPM_HOME=${HOME}/.local/share/pnpm +ENV PATH=${PATH}:${USR_LOCAL_BIN}:${LOCAL_BIN}:${PNPM_HOME} + +# Configure pip to allow system packages in container environment +# This is necessary for some tools that need system-level packages +ENV PIP_BREAK_SYSTEM_PACKAGES=1 + +# Install uv package manager - modern Python package manager +# Faster and more reliable than pip for tool installation +RUN python3 -m pip install --no-cache-dir --upgrade uv + +# Set the default shell execution for subsequent RUN commands +# Use zsh for better shell features and compatibility +ENV SHELL=/usr/bin/zsh +SHELL ["/bin/zsh", "-ic"] + +# Install Rust programming language +# Required for various Web3 security tools and Foundry framework +RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y +ENV PATH="$HOME/.cargo/bin:$PATH" + +# Install Go programming language through asdf version manager +# asdf provides consistent version management across different tools +# Set asdf manager version for reproducibility +RUN git clone https://github.com/asdf-vm/asdf.git $HOME/.asdf --branch v0.15.0 && \ + echo '. $HOME/.asdf/asdf.sh' >> $HOME/.zshrc && \ + echo 'fpath=(${ASDF_DIR}/completions $fpath)' >> $HOME/.zshrc && \ + echo 'autoload -Uz compinit && compinit' >> $HOME/.zshrc && \ + . $HOME/.asdf/asdf.sh && \ + asdf plugin add golang && \ + asdf install golang latest && \ + asdf global golang latest + +# Switch to root user temporarily for Node.js installation +# Some tools require root access for system-wide installation +USER root + +# Install Node.js, npm, yarn, and pnpm through devcontainer features +# These are essential for JavaScript/TypeScript Web3 development +RUN curl -o- https://raw.githubusercontent.com/devcontainers/features/main/src/node/install.sh | bash +RUN chown -R vscode:vscode ${HOME}/.npm + +# Switch back to vscode user for security +USER vscode +ENV PNPM_HOME=${HOME}/.local/share/pnpm +ENV PATH=${PATH}:${PNPM_HOME} + +# Install Python-based security analysis tools +# These tools provide comprehensive smart contract security analysis +# Install slither, crytic-compile, solc, vyper, mythx, panoramix, slider-lsp (needed for contract explorer), napalm-toolbox. napalm-core has to be installed manually. +RUN uv tool install slither-analyzer && \ + uv tool install crytic-compile && \ + uv tool install vyper && \ + uv tool install panoramix-decompiler && \ + uv tool install slither-lsp && \ + uv tool install mythril && \ + uv tool install napalm-toolbox && \ + uv tool install semgrep && \ + uv tool install slitherin && \ + uv tool install solc-select && \ + solc-select install 0.4.26 0.5.17 0.6.12 0.7.6 0.8.10 latest && solc-select use latest + +# Install Foundry framework for Ethereum development +# Foundry provides Forge (testing), Cast (interaction), and Anvil (local blockchain) +RUN curl -fsSL https://foundry.paradigm.xyz | zsh && \ + echo 'export PATH="$HOME/.foundry/bin:$PATH"' >> ~/.zshrc && \ + export PATH="$HOME/.foundry/bin:$PATH" && \ + ~/.foundry/bin/foundryup + +# Install Hardhat globally for Ethereum development framework +# Hardhat is a popular development environment for Ethereum +RUN pnpm install hardhat -g + +# Build and install Medusa fuzzing tool +# Medusa is a fuzzing tool for smart contracts, similar to Echidna +WORKDIR $HOME/medusa +RUN git clone https://github.com/crytic/medusa $HOME/medusa && \ + export LATEST_TAG="$(git describe --tags | sed 's/-[0-9]+-gw+$//')" && \ + git checkout "$LATEST_TAG" && \ + go build -trimpath -o=$HOME/.local/bin/medusa -ldflags="-s -w" && \ + chmod 755 $HOME/.local/bin/medusa + +# Return to home directory and clean up build artifacts +WORKDIR $HOME +RUN rm -rf medusa/ + +# Copy Echidna binary from echidna stage to final image +# This provides the prebuilt Echidna tool without rebuilding +USER root +COPY --from=echidna /usr/local/bin/echidna /usr/local/bin/echidna +RUN chmod 755 /usr/local/bin/echidna + +# Final setup and verification +USER vscode +RUN echo 'Development environment ready!' && \ +echo 'Tools installed:' && \ + ls -la $HOME/.local/bin/ || true + +# Set working directory to workspace for development +WORKDIR /workspace \ No newline at end of file diff --git a/.devcontainer/isolated/devcontainer.json b/.devcontainer/isolated/devcontainer.json new file mode 100644 index 0000000..220be9d --- /dev/null +++ b/.devcontainer/isolated/devcontainer.json @@ -0,0 +1,117 @@ +{ + // For format details, see https://aka.ms/devcontainer.json. + // This is the ISOLATED version of TRG's DevContainer - provides maximum security isolation + // with a read-only filesystem and network isolation for high-security Web3 development. + "name": "Isolated TRG's DevContainer", + + // Build configuration - uses the local Dockerfile in this directory + "build": { + "dockerfile": "Dockerfile" + }, + + // Use vscode user for security (non-root execution) + "remoteUser": "vscode", + + // Features to add to the dev container. More info: https://containers.dev/features. + // Git and GitHub CLI features for version control and GitHub integration + "features": { + "ghcr.io/devcontainers/features/git:1": {}, + "ghcr.io/devcontainers/features/github-cli:1": {} + }, + + // Container environment variables + "containerEnv": { + "SHELL": "/bin/zsh", // Use zsh as the default shell + "DEVCONTAINER_ID_LABEL": "isolated-web3-devcontainer" // Label for container identification + }, + + // Configure tool-specific properties for VS Code + "customizations": { + "vscode": { + // Web3 security and development extensions + "extensions": [ + "tintinweb.ethereum-security-bundle", // Comprehensive Ethereum security tools + "tintinweb.vscode-ethover", // Ethereum hover information + "trailofbits.weaudit", // Trail of Bits audit tools + "tintinweb.vscode-inline-bookmarks", // Inline code bookmarks + "tintinweb.vscode-solidity-language", // Solidity language support + "tintinweb.graphviz-interactive-preview", // Graph visualization + "trailofbits.contract-explorer", // Smart contract exploration + "tintinweb.vscode-decompiler" // Contract decompilation + ], + // VS Code settings for security and functionality + "settings": { + "terminal.integrated.defaultProfile.linux": "zsh", // Default terminal shell + "terminal.integrated.profiles.linux": { + "zsh": { + "path": "/bin/zsh" + } + }, + "task.autoDetect": "off", // Disable automatic task detection for security + "task.allowAutomaticTasks": "off", // Prevent automatic task execution + "security.workspace.trust.enabled": false, // Disable workspace trust by default + "telemetry.telemetryLevel": "off" // Disable telemetry collection + } + } + }, + + // Commands to run during container lifecycle + "initializeCommand": "echo 'Initializing isolated dev container...'", + "postStartCommand": "echo '🚀 Dev container is ready for Web3 development!'", + + // Workspace configuration - isolated within container + "workspaceFolder": "/workspace", + // Mount workspace as tmpfs for complete isolation - no host file access + "workspaceMount": "type=tmpfs,destination=/workspace,tmpfs-mode=1777", + + // Docker run arguments for security and isolation + "runArgs": [ + // Security hardening - drop all Linux capabilities + "--cap-drop=ALL", + + // Read-only filesystem for maximum security + "--read-only", + + // Security options for container isolation + "--security-opt", + "no-new-privileges:true", // Prevent privilege escalation + "--security-opt", + "apparmor=docker-default", // Use Docker's default AppArmor profile + "--security-opt", + "seccomp=unconfined", // Disable seccomp for compatibility + + // Network isolation - completely disconnect from internet + "--network=none", + + // Essential writable tmpfs mounts for VS Code functionality + // These are required for VS Code Server to work properly + "--tmpfs", + "/home/vscode/.vscode-server:rw,noexec,nosuid,size=512m,uid=1000,gid=1000", + "--tmpfs", + "/home/vscode/.vscode-server-insiders:rw,noexec,nosuid,size=256m,uid=1000,gid=1000", + "--tmpfs", + "/home/vscode/.cache:rw,noexec,nosuid,size=256m,uid=1000,gid=1000", + "--tmpfs", + "/home/vscode/.config:rw,noexec,nosuid,size=128m,uid=1000,gid=1000", + "--tmpfs", + "/home/vscode/.local:rw,noexec,nosuid,size=256m,uid=1000,gid=1000", + + // System temporary directories with size limits + "--tmpfs", + "/tmp:rw,noexec,nosuid,size=512m", + "--tmpfs", + "/var/tmp:rw,noexec,nosuid,size=512m", + "--tmpfs", + "/var/log:rw,noexec,nosuid,size=128m", + "--tmpfs", + "/run:rw,noexec,nosuid,size=128m", + + // Git configuration storage + "--tmpfs", + "/home/vscode/.gitconfig:rw,noexec,nosuid,size=1m,uid=1000,gid=1000", + + // Resource limits for container performance + "--memory=1g", // Limit memory to 1GB + "--cpus=2" // Limit to 2 CPU cores + ] +} \ No newline at end of file diff --git a/.devcontainer/legacy-minimal/Dockerfile b/.devcontainer/legacy-minimal/Dockerfile deleted file mode 100644 index 7a56c96..0000000 --- a/.devcontainer/legacy-minimal/Dockerfile +++ /dev/null @@ -1,102 +0,0 @@ -# syntax=docker/dockerfile:1.8 -# check=error=true - -## Multi-stage build! -# Pull latest prebuilt Echidna binary. -# TODO: "Ensure the base image uses a non latest version tag" -FROM --platform=linux/amd64 ghcr.io/crytic/echidna/echidna:latest AS echidna - -# Base debian build (latest). -FROM mcr.microsoft.com/vscode/devcontainers/base:debian - -# Switch to root (the default might be root anyway) -USER root - -# Super basic stuff to get everything started -RUN apt-get update -y && apt-get install -y \ - zsh python3-pip python3-venv python3-dev libpython3-dev build-essential vim curl git sudo pkg-config \ - --no-install-recommends - -# The base container usually has a “vscode” user. If not, create one here. -RUN echo "vscode ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers - -# Switch to vscode (drop privs) -USER vscode -WORKDIR /home/vscode - -# Set HOME and create quests folder -ENV HOME=/home/vscode -RUN mkdir -p ${HOME}/quests && chown vscode:vscode ${HOME}/quests - -# Set neded paths (for python, pix, pnpm) -ENV USR_LOCAL_BIN=/usr/local/bin -ENV LOCAL_BIN=${HOME}/.local/bin -ENV PNPM_HOME=${HOME}/.local/share/pnpm -ENV PATH=${PATH}:${USR_LOCAL_BIN}:${LOCAL_BIN}:${PNPM_HOME} - -# Configure pip to allow system packages in container environment -ENV PIP_BREAK_SYSTEM_PACKAGES=1 - -# Install uv -RUN python3 -m pip install --no-cache-dir --upgrade uv - -# Set asdf manager version -ENV ASDF_VERSION=v0.15.0 - -# Set the default shell to zsh -ENV SHELL=/usr/bin/zsh - -# Running everything under zsh -SHELL ["/usr/bin/zsh", "-ic"] - - -# Install golang's latest version through asdf -RUN git clone https://github.com/asdf-vm/asdf.git $HOME/.asdf --branch ${ASDF_VERSION} && \ - echo '. $HOME/.asdf/asdf.sh' >> $HOME/.zshrc && \ - echo 'fpath=(${ASDF_DIR}/completions $fpath)' >> $HOME/.zshrc && \ - echo 'autoload -Uz compinit && compinit' >> $HOME/.zshrc && \ - . $HOME/.asdf/asdf.sh && \ - asdf plugin add golang && \ - asdf install golang latest && \ - asdf global golang latest - -## Install rust -RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y && source $HOME/.cargo/env - -USER root -## Install nvm, yarn, npm, pnpm -RUN curl -o- https://raw.githubusercontent.com/devcontainers/features/main/src/node/install.sh | bash -USER vscode - -RUN pnpm install hardhat -g - -# Python installations -# Install vyper and solc-select -RUN uv tool install vyper && \ - uv tool install solc-select && \ - solc-select install 0.8.10 latest && \ - solc-select use latest - -## Foundry framework -RUN curl -fsSL https://foundry.paradigm.xyz | zsh -RUN foundryup - - -# Do some things as root -USER root - -## Add completions for medusa, anvil, cast, forge. -RUN mkdir -p /usr/share/zsh/site-functions && \ - for tool in anvil cast forge; do \ - "$tool" completions zsh > /usr/share/zsh/site-functions/_$tool; \ - done - -## Clean -RUN apt-get autoremove -y && apt-get clean -y - -## back to user! -USER vscode - -# Example HEALTHCHECK, we don't need once since we're not using services. If you add services in the future, you would need to add "something" like this: -HEALTHCHECK --interval=60s --timeout=10s --start-period=10s --retries=3 CMD \ - zsh -c 'command -v forge && command -v solc && echo "OK" || exit 1' \ No newline at end of file diff --git a/.devcontainer/legacy-minimal/devcontainer.json b/.devcontainer/legacy-minimal/devcontainer.json deleted file mode 100644 index 05af276..0000000 --- a/.devcontainer/legacy-minimal/devcontainer.json +++ /dev/null @@ -1,91 +0,0 @@ -{ - // For format details, see https://aka.ms/devcontainer.json. - "name": "Legacy TRG's Minimal DevContainer", - - // You can use image or directly use a Dockerfile or Docker Compose file. - // More info: https://containers.dev/guide/dockerfile - // https://github.com/devcontainers/images/tree/main/src/base-alpine - // "image": "mcr.microsoft.com/devcontainers/base:debian", - "build": { - "dockerfile": "./Dockerfile" - }, - - // In this case this is redundant, because we are using the default user. - //"remoteUser": "vscode", - - // Features to add to the dev container. More info: https://containers.dev/features. - "features": { - // "ghcr.io/devcontainers/features/docker-in-docker:2": { - // "version": "latest", - // "moby": true - // } - }, - - // Mount isolation. If you need to extract something from within the container, you can use docker cp, but use it at your own risk. If you want to develop your devcontainer, you should comment this things, otherwise your changes inside the live container won't persist. - // Disables mounting the host workspace into the container. - "workspaceMount": "type=tmpfs,destination=/workspace", - // Sets a workspace path entirely isolated within the container - "workspaceFolder": "/workspace", - "runArgs": [ - // Read only filesystem except for explicitly writable volumes (check mounts) - // For a dev environment this is more a hussle than a feature. - // "--read-only", - "--tmpfs=/tmp:rw,noexec,nosuid,size=512m", - "--tmpfs=/var/tmp:rw,noexec,nosuid,size=512m", - "--tmpfs=/dev/shm:rw,noexec,nosuid,size=64m", - // Drop all capabilities - "--cap-drop=ALL", - - // A few security additions (AppArmor & no new privileges) - "--security-opt", "no-new-privileges", - "--security-opt", "apparmor:docker-default", - - // Use seccomp's default - // "--security-opt", "seccomp=default", - - // If you really want to isolate it, just disconnect it from the internet. You should COPY your working files inside before, otherwise you'll have to mount them manually. - // "--network=none", - "--sysctl=net.ipv6.conf.all.disable_ipv6=1", // Disable IPv6 - "--sysctl=net.ipv6.conf.default.disable_ipv6=1", - "--cap-drop=NET_RAW", // Disable raw packets - "--network=bridge", - "--dns=1.1.1.1", - "--dns=1.0.0.1", - - // Play a little bit with resources. - // "--memory=512m", - // "--cpus=2" - ], - - // Writable mounts in case you want to set --read-only above. - "mounts": [ - ], - - - // Configure tool-specific properties. - "customizations": { - // Configure properties specific to VS Code. - "vscode": { - "settings": { - // Killswitch for automated tasks - "task.autoDetect": "off", - "task.problemMatchers.autoDetect": "off", - // Trust no one by default - "security.workspace.trust.enabled": false, - // Killswitch for telemetry - "telemetry.telemetryLevel": "off", - // Use zsh by default. Using bash might be more safe and stable. - "terminal.integrated.defaultProfile.linux": "zsh", - "terminal.integrated.profiles.linux": { "zsh": { "path": "/usr/bin/zsh" } } - }, - "extensions": [ - "NomicFoundation.hardhat-solidity", - "tintinweb.solidity-visual-auditor" - ] - } - } - // Use 'postCreateCommand' to run commands after the container is created. - // "postCreateCommand": "" - // Use 'postAttachCommand' to attach a command after the container is opened. - // "postAttachCommand": "zsh" - } \ No newline at end of file diff --git a/.devcontainer/legacy-theredguild/Dockerfile b/.devcontainer/legacy/Dockerfile similarity index 100% rename from .devcontainer/legacy-theredguild/Dockerfile rename to .devcontainer/legacy/Dockerfile diff --git a/.devcontainer/legacy-theredguild/devcontainer.json b/.devcontainer/legacy/devcontainer.json similarity index 100% rename from .devcontainer/legacy-theredguild/devcontainer.json rename to .devcontainer/legacy/devcontainer.json diff --git a/.devcontainer/legacy-theredguild/motd b/.devcontainer/legacy/motd similarity index 100% rename from .devcontainer/legacy-theredguild/motd rename to .devcontainer/legacy/motd diff --git a/.devcontainer/minimal/Dockerfile b/.devcontainer/minimal/Dockerfile new file mode 100644 index 0000000..72e0b91 --- /dev/null +++ b/.devcontainer/minimal/Dockerfile @@ -0,0 +1,145 @@ +# syntax=docker/dockerfile:1.8 +# check=error=true +# +# MINIMAL TRG DevContainer Dockerfile +# This Dockerfile creates a minimal development environment for Web3 development +# with essential tools, basic security features, and a streamlined toolchain. +# +# Key features: +# - Multi-stage build for Echidna binary +# - Essential development tools only +# - Basic security hardening +# - Minimal attack surface +# - Focused on core Web3 development needs + +## Multi-stage build for Echidna +# Pull latest prebuilt Echidna binary from Crytic's official image +# TODO: "Ensure the base image uses a non latest version tag" +# Echidna is a fuzzing tool for Ethereum smart contracts +FROM --platform=linux/amd64 ghcr.io/crytic/echidna/echidna:latest AS echidna + +# Base debian build (latest). +# Use Debian base image for stability and compatibility +FROM mcr.microsoft.com/vscode/devcontainers/base:debian + +# Switch to root (the default might be root anyway) +# Root access is needed for system package installation +USER root + +# Super basic stuff to get everything started +# Install minimal set of essential packages for development +RUN apt-get update -y && apt-get install -y \ + zsh python3-pip python3-venv python3-dev libpython3-dev build-essential vim curl git sudo pkg-config \ + --no-install-recommends + +# The base container usually has a "vscode" user. If not, create one here. +# This ensures consistent user setup across different base images +RUN echo "vscode ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers + +# Switch to vscode user for security (drop privileges) +# This ensures all subsequent operations run as non-root user +USER vscode +WORKDIR /home/vscode + +# Set HOME and create quests folder +# Configure user environment and create development workspace +ENV HOME=/home/vscode +RUN mkdir -p ${HOME}/quests && chown vscode:vscode ${HOME}/quests + +# Set needed paths for Python, pix, pnpm +# Configure environment variables for tool access and package management +ENV USR_LOCAL_BIN=/usr/local/bin +ENV LOCAL_BIN=${HOME}/.local/bin +ENV PNPM_HOME=${HOME}/.local/share/pnpm +ENV PATH=${PATH}:${USR_LOCAL_BIN}:${LOCAL_BIN}:${PNPM_HOME} + +# Configure pip to allow system packages in container environment +# This is necessary for some tools that need system-level packages +ENV PIP_BREAK_SYSTEM_PACKAGES=1 + +# Install uv package manager +# uv is a modern Python package manager, faster and more reliable than pip +RUN python3 -m pip install --no-cache-dir --upgrade uv + +# Set asdf manager version for reproducibility +# asdf provides consistent version management across different tools +ENV ASDF_VERSION=v0.15.0 + +# Set the default shell to zsh +# zsh provides better shell features and development experience +ENV SHELL=/usr/bin/zsh + +# Running everything under zsh for consistency and features +SHELL ["/usr/bin/zsh", "-ic"] + +# Install Go programming language through asdf version manager +# asdf provides consistent version management across different tools +# Go is required for various Web3 tools and Foundry framework +RUN git clone https://github.com/asdf-vm/asdf.git $HOME/.asdf --branch ${ASDF_VERSION} && \ + echo '. $HOME/.asdf/asdf.sh' >> $HOME/.zshrc && \ + echo 'fpath=(${ASDF_DIR}/completions $fpath)' >> $HOME/.zshrc && \ + echo 'autoload -Uz compinit && compinit' >> $HOME/.zshrc && \ + . $HOME/.asdf/asdf.sh && \ + asdf plugin add golang && \ + asdf install golang latest && \ + asdf global golang latest + +# Install Rust programming language +# Required for various Web3 security tools and Foundry framework +RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y && source $HOME/.cargo/env + +# Switch to root user temporarily for Node.js installation +# Some tools require root access for system-wide installation +USER root + +# Install Node.js, npm, yarn, and pnpm through devcontainer features +# These are essential for JavaScript/TypeScript Web3 development +RUN curl -o- https://raw.githubusercontent.com/devcontainers/features/main/src/node/install.sh | bash + +# Switch back to vscode user for security +USER vscode + +# Install Hardhat globally for Ethereum development framework +# Hardhat is a popular development environment for Ethereum +RUN pnpm install hardhat -g + +# Python installations - minimal set for essential development +# Install only the core tools needed for basic Web3 development +# Install vyper and solc-select for smart contract development +RUN uv tool install vyper && \ + uv tool install solc-select && \ + solc-select install 0.8.10 latest && \ + solc-select use latest + +# Install Foundry framework for Ethereum development +# Foundry provides Forge (testing), Cast (interaction), and Anvil (local blockchain) +## Foundry framework +RUN curl -fsSL https://foundry.paradigm.xyz | zsh +RUN foundryup + +# Switch to root user for system-level operations +# Do some things as root for system configuration +USER root + +# Add shell completions for Foundry tools +# This provides better user experience with tab completion +## Add completions for medusa, anvil, cast, forge. +RUN mkdir -p /usr/share/zsh/site-functions && \ + for tool in anvil cast forge; do \ + "$tool" completions zsh > /usr/share/zsh/site-functions/_$tool; \ + done + +# Clean up package cache and temporary files +# This reduces image size and improves security +## Clean +RUN apt-get autoremove -y && apt-get clean -y + +# Switch back to vscode user for development +## back to user! +USER vscode + +# Health check for container monitoring +# Example HEALTHCHECK, we don't need once since we're not using services. +# If you add services in the future, you would need to add "something" like this: +HEALTHCHECK --interval=60s --timeout=10s --start-period=10s --retries=3 CMD \ + zsh -c 'command -v forge && command -v solc && echo "OK" || exit 1' \ No newline at end of file diff --git a/.devcontainer/minimal/devcontainer.json b/.devcontainer/minimal/devcontainer.json index feea0d3..d84d413 100644 --- a/.devcontainer/minimal/devcontainer.json +++ b/.devcontainer/minimal/devcontainer.json @@ -1,40 +1,121 @@ { - "name": "Minimal", - "image": "mcr.microsoft.com/devcontainers/javascript-node:1-20-bookworm", - + // For format details, see https://aka.ms/devcontainer.json. + // This is the MINIMAL version of TRG's DevContainer - provides essential security isolation + // with a balanced approach between security and usability for Web3 development. + "name": "Minimal TRG's DevContainer", + + // You can use image or directly use a Dockerfile or Docker Compose file. + // More info: https://containers.dev/guide/dockerfile + // https://github.com/devcontainers/images/tree/main/src/base-alpine + // "image": "mcr.microsoft.com/devcontainers/base:debian", + "build": { + "dockerfile": "./Dockerfile" + }, + + // In this case this is redundant, because we are using the default user. + // The vscode user is the default in VS Code DevContainers + //"remoteUser": "vscode", + + // Features to add to the dev container. More info: https://containers.dev/features. + // Currently no additional features are enabled for minimal configuration "features": { - "ghcr.io/devcontainers/features/git:1": {}, - "ghcr.io/devcontainers/features/github-cli:1": {} + // "ghcr.io/devcontainers/features/docker-in-docker:2": { + // "version": "latest", + // "moby": true + // } }, + + // Mount isolation configuration for security and development workflow + // If you need to extract something from within the container, you can use docker cp, but use it at your own risk. + // If you want to develop your devcontainer, you should comment this things, otherwise your changes inside the live container won't persist. + // Disables mounting the host workspace into the container for isolation. + "workspaceMount": "type=tmpfs,destination=/workspace", + // Sets a workspace path entirely isolated within the container + "workspaceFolder": "/workspace", - "containerEnv": { - "SHELL": "/bin/bash", - "DEVCONTAINER_ID_LABEL": "minimal-web3-devcontainer" - }, - + // Docker run arguments for security hardening and resource management + "runArgs": [ + // Read only filesystem except for explicitly writable volumes (check mounts) + // For a dev environment this is more a hussle than a feature. + // "--read-only", + + // Temporary filesystem mounts with security restrictions + // These provide isolated, size-limited temporary storage + "--tmpfs=/tmp:rw,noexec,nosuid,size=512m", // Main temporary directory + "--tmpfs=/var/tmp:rw,noexec,nosuid,size=512m", // System temporary directory + "--tmpfs=/dev/shm:rw,noexec,nosuid,size=64m", // Shared memory directory + + // Security hardening - drop all Linux capabilities + // This reduces the attack surface by removing unnecessary privileges + "--cap-drop=ALL", + + // Security options for container isolation + // A few security additions (AppArmor & no new privileges) + "--security-opt", "no-new-privileges", // Prevent privilege escalation + "--security-opt", "apparmor:docker-default", // Use Docker's default AppArmor profile + + // Use seccomp's default security profile + // seccomp provides system call filtering for additional security + // "--security-opt", "seccomp=default", + + // Network security configuration + // If you really want to isolate it, just disconnect it from the internet. + // You should COPY your working files inside before, otherwise you'll have to mount them manually. + // "--network=none", + + // IPv6 security - disable IPv6 to reduce attack surface + "--sysctl=net.ipv6.conf.all.disable_ipv6=1", // Disable IPv6 globally + "--sysctl=net.ipv6.conf.default.disable_ipv6=1", // Disable IPv6 by default + + // Network capability restrictions + "--cap-drop=NET_RAW", // Disable raw packet access + "--network=bridge", // Use bridge networking + + // DNS configuration for security and reliability + "--dns=1.1.1.1", // Primary DNS (Cloudflare) + "--dns=1.0.0.1", // Secondary DNS (Cloudflare) + + // Resource limits for container performance and security + // Play a little bit with resources to prevent resource exhaustion + // "--memory=512m", // Memory limit (commented out) + // "--cpus=2" // CPU limit (commented out) + ], + + // Writable mounts in case you want to set --read-only above. + // Currently no additional mounts are configured + "mounts": [ + ], + + + // Configure tool-specific properties for VS Code "customizations": { - "vscode": { - "extensions": [ - "NomicFoundation.hardhat-solidity", - "ms-vscode.vscode-json", - "eamodio.gitlens" - ], - "settings": { - "terminal.integrated.defaultProfile.linux": "bash" - } - } - }, - - "forwardPorts": [3000, 8545], - - "initializeCommand": "echo 'Initializing minimal dev container...'", - - "postCreateCommand": "bash -c 'curl -L https://foundry.paradigm.xyz | bash && export PATH=\"$HOME/.foundry/bin:$PATH\" && foundryup && npm install -g hardhat && npm install @openzeppelin/contracts'", - - "postStartCommand": "echo '✅ Minimal container ready for enterprise development'", - - "remoteUser": "node", - - "workspaceFolder": "/workspace", - "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=cached" -} \ No newline at end of file + // Configure properties specific to VS Code. + "vscode": { + "settings": { + // Security settings - killswitch for automated tasks + "task.autoDetect": "off", // Disable automatic task detection + "task.problemMatchers.autoDetect": "off", // Disable automatic problem matchers + + // Trust and security configuration + "security.workspace.trust.enabled": false, // Trust no one by default + + // Privacy settings - killswitch for telemetry + "telemetry.telemetryLevel": "off", // Disable all telemetry collection + + // Terminal configuration + "terminal.integrated.defaultProfile.linux": "zsh", // Use zsh by default + "terminal.integrated.profiles.linux": { "zsh": { "path": "/usr/bin/zsh" } } + // Using bash might be more safe and stable, but zsh provides better features + }, + "extensions": [ + // Minimal set of essential extensions for Web3 development + "NomicFoundation.hardhat-solidity", // Hardhat Solidity support + "tintinweb.solidity-visual-auditor" // Solidity visual auditor + ] + } + } + // Use 'postCreateCommand' to run commands after the container is created. + // "postCreateCommand": "" + // Use 'postAttachCommand' to attach a command after the container is opened. + // "postAttachCommand": "zsh" + } \ No newline at end of file diff --git a/README.md b/README.md index 4b448b1..ed94a4a 100644 --- a/README.md +++ b/README.md @@ -16,46 +16,59 @@ Check our tool to generate the recommended devcontainer configuration based on y ## Available Devcontainer Variants -We now offer multiple devcontainer configurations to suit different needs: +We now offer multiple devcontainer configurations to suit different security and development needs: + +### **Isolated** (`.devcontainer/isolated/`) +**Best for**: Maximum security isolation, air-gapped environments +- **Focus**: Complete isolation with read-only filesystem and network isolation +- **Includes**: All security tools, fuzzing tools (Echidna, Medusa), static analysis +- **Security**: Read-only filesystem, network isolation, capability dropping, tmpfs mounts +- **Extensions**: Comprehensive Ethereum security bundle, audit tools, decompilers +- **Use case**: High-security research, compliance requirements, isolated analysis + +### **Hardened** (`.devcontainer/hardened/`) +**Best for**: Enhanced security with development flexibility +- **Focus**: Security hardening with maintained network connectivity +- **Includes**: Core security tools, Foundry, Hardhat, reduced tool set for security focus +- **Security**: Capability dropping, security options, resource limits, DNS hardening +- **Extensions**: Essential security extensions, development tools +- **Use case**: Secure development, security-focused research, balanced security/functionality ### **Auditor** (`.devcontainer/auditor/`) -**Best for**: Security researchers, auditors, and penetration testers -- **Focus**: Comprehensive security tooling and analysis -- **Includes**: All security tools, decompilers, static analysis, fuzzing tools -- **Extensions**: Security-focused VS Code extensions -- **Use case**: Deep security analysis, vulnerability research, comprehensive audits +**Best for**: Smart contract auditors and security researchers +- **Focus**: Specialized audit tooling and Docker-in-Docker support +- **Includes**: Slither, Mythril, Crytic-compile, Foundry, Hardhat, Echidna +- **Features**: Docker-in-Docker, specialized audit extensions, focused toolchain +- **Extensions**: Solidity visual auditor, metrics, audit tools, GitLens +- **Use case**: Comprehensive smart contract audits, security analysis, research workflows ### **Minimal** (`.devcontainer/minimal/`) -**Best for**: Quick development, CI/CD, lightweight workflows -- **Focus**: Essential tools only, fast startup -- **Includes**: Foundry, Hardhat, basic Solidity support +**Best for**: Essential development with basic security +- **Focus**: Core tools only, streamlined development environment +- **Includes**: Foundry, Hardhat, basic Solidity support, essential Python tools +- **Security**: Basic hardening, capability dropping, IPv6 disabled - **Extensions**: Core development extensions only -- **Use case**: Quick prototyping, CI/CD pipelines, resource-constrained environments +- **Use case**: Quick prototyping, learning, basic development, resource-constrained environments -### **Legacy The Red Guild** (`.devcontainer/legacy-theredguild/`) -**Best for**: Users who need the full original experience -- **Focus**: Complete toolchain with all features -- **Includes**: Everything from the original devcontainer -- **Extensions**: Full extension suite -- **Use case**: Comprehensive development, learning, full-stack projects +### **Legacy** (`.devcontainer/legacy/`) +**Best for**: Complete toolchain with all features (original experience) +- **Focus**: Full-featured development environment with comprehensive security tools +- **Includes**: Complete tool suite, all security tools, fuzzing tools, analysis tools +- **Security**: Comprehensive hardening, isolation features, security options +- **Extensions**: Full extension suite, all security and development tools +- **Use case**: Comprehensive development, learning, full-stack projects, research -### **Legacy Minimal** (`.devcontainer/legacy-minimal/`) -**Best for**: Users who want the minimal version from the legacy branch -- **Focus**: Stripped-down version of the original -- **Includes**: Essential tools only -- **Extensions**: Basic extensions -- **Use case**: Lightweight development, legacy project support +## Project Structure -## New Structure - -The project has been refactored to support multiple devcontainer configurations: +The project supports multiple devcontainer configurations for different use cases: ``` .devcontainer/ -├── auditor/ # Security-focused devcontainer -├── minimal/ # Lightweight devcontainer -├── legacy-theredguild/ # Full-featured legacy devcontainer -└── legacy-minimal/ # Minimal legacy devcontainer +├── isolated/ # Maximum security isolation +├── hardened/ # Enhanced security with flexibility +├── auditor/ # Specialized audit environment +├── minimal/ # Essential tools only +└── legacy/ # Complete toolchain (original) ``` ## Quick Start From 92e30445fdf52c1223266c3e27109daffdd6b713 Mon Sep 17 00:00:00 2001 From: d4rm5 Date: Sat, 23 Aug 2025 18:51:20 -0300 Subject: [PATCH 4/8] (readme): removed wizard link --- README.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/README.md b/README.md index ed94a4a..afa242c 100644 --- a/README.md +++ b/README.md @@ -9,11 +9,6 @@ install the most popular tools, so they can all work seamlessly, and at the same by default. If you want to know more, and really want to take advante of this devcontainer read below. -## New DevContainer Wizard - -Check our tool to generate the recommended devcontainer configuration based on your needs: -- https://github.com/theredguild/devcontainer-wizard - ## Available Devcontainer Variants We now offer multiple devcontainer configurations to suit different security and development needs: From 8db414b4d9a1247450502381460050ac75d89f08 Mon Sep 17 00:00:00 2001 From: d4rm5 Date: Mon, 25 Aug 2025 22:09:11 -0300 Subject: [PATCH 5/8] feat: replace asdf with uv for python management This commit modernizes the Python development environment by replacing asdf with uv for Python version and package management. This change simplifies the Dockerfiles and provides a faster, more efficient development workflow. Key changes: - Replaced asdf with uv for Python installation and management across all devcontainer variants. - Updated Dockerfiles to use a multi-stage installation process for system and Python dependencies, improving clarity and maintainability. - Installed Python 3.12 using uv in all devcontainer variants. - Updated the README.md to remove asdf instructions for Python and added a comprehensive guide for using uv. - Updated the GitHub Actions workflow to reflect the devcontainer changes. --- .devcontainer/auditor/Dockerfile | 54 +++++++++++++-------- .devcontainer/hardened/Dockerfile | 21 +++++---- .devcontainer/isolated/Dockerfile | 31 ++++++------ .devcontainer/minimal/Dockerfile | 64 ++++++++++++++----------- .github/workflows/main.yml | 4 +- README.md | 78 +++++++++++++++++++++++++++++-- 6 files changed, 171 insertions(+), 81 deletions(-) diff --git a/.devcontainer/auditor/Dockerfile b/.devcontainer/auditor/Dockerfile index 4f1a6ba..f7c865b 100644 --- a/.devcontainer/auditor/Dockerfile +++ b/.devcontainer/auditor/Dockerfile @@ -23,15 +23,32 @@ FROM mcr.microsoft.com/vscode/devcontainers/base:bookworm # Switch to root user temporarily for system package installation USER root -# Install essential system packages for development and auditing -# These packages provide the foundation for all development tools -RUN apt-get update -y && apt-get install -y \ - zsh python3-pip python3-venv python3-dev libpython3-dev build-essential vim curl git sudo pkg-config \ - --no-install-recommends - -# The base container usually has a "vscode" user. If not, create one here. -# This ensures consistent user setup across different base images -RUN echo "vscode ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers +# Install essential system packages for development +# These are the minimal packages needed for Web3 development tools +RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ + bash-completion # Shell completion support \ + build-essential # Compilation tools (gcc, make, etc.) \ + curl # HTTP client for downloading tools \ + git # Version control system \ + jq # JSON processor for tool outputs \ + pkg-config # Package configuration helper \ + sudo # Privilege escalation (needed for some tools) \ + unzip # Archive extraction \ + vim # Text editor \ + wget # Alternative HTTP client \ + zsh # Advanced shell \ + && rm -rf /var/lib/apt/lists/* + + + +# Install Python development dependencies +# Required for Python-based security tools and package management +RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ + python3-pip # Python package installer \ + libpython3-dev # Python development headers \ + python3-dev # Python development tools \ + python3-venv # Python virtual environment support \ + && rm -rf /var/lib/apt/lists/* # Switch to vscode user for security (drop privileges) # This ensures all subsequent operations run as non-root user @@ -39,20 +56,19 @@ USER vscode WORKDIR /home/vscode ENV HOME=/home/vscode -# Set needed paths for Python, pnpm, and other tools -# Configure environment variables for tool access and package management +# Install uv +RUN curl -LsSf https://astral.sh/uv/install.sh | sh + +# Update PATH environment for tool access +# Configure paths for Python, Node.js, and other tools +ENV UV_LOCAL_BIN=$HOME/.cargo/bin ENV USR_LOCAL_BIN=/usr/local/bin ENV LOCAL_BIN=${HOME}/.local/bin ENV PNPM_HOME=${HOME}/.local/share/pnpm -ENV PATH=${PATH}:${USR_LOCAL_BIN}:${LOCAL_BIN}:${PNPM_HOME} - -# Configure pip to allow system packages in container environment -# This is necessary for some tools that need system-level packages -ENV PIP_BREAK_SYSTEM_PACKAGES=1 +ENV PATH=${PATH}:${USR_LOCAL_BIN}:${LOCAL_BIN}:${PNPM_HOME}:${UV_LOCAL_BIN} -# Install uv package manager - modern Python package manager -# Faster and more reliable than pip for tool installation -RUN python3 -m pip install --no-cache-dir --upgrade uv +# Install Python 3.12 with uv +RUN uv python install 3.12 # Set the default shell to zsh for better development experience ENV SHELL=/usr/bin/zsh diff --git a/.devcontainer/hardened/Dockerfile b/.devcontainer/hardened/Dockerfile index 869b21a..5278264 100644 --- a/.devcontainer/hardened/Dockerfile +++ b/.devcontainer/hardened/Dockerfile @@ -17,9 +17,9 @@ # Echidna is a fuzzing tool for Ethereum smart contracts FROM --platform=linux/amd64 ghcr.io/crytic/echidna/echidna:latest AS echidna -# Base image: Debian 12 (Bookworm) with VS Code DevContainer support +# Base image: Latest Debian with VS Code DevContainer support # This provides a stable, security-focused base for development -FROM mcr.microsoft.com/vscode/devcontainers/base:bookworm +FROM mcr.microsoft.com/devcontainers/base:bookworm # Install essential system packages for development # These are the minimal packages needed for Web3 development tools @@ -37,6 +37,8 @@ RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-ins zsh # Advanced shell \ && rm -rf /var/lib/apt/lists/* + + # Install Python development dependencies # Required for Python-based security tools and package management RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ @@ -52,20 +54,19 @@ USER vscode WORKDIR /home/vscode ENV HOME=/home/vscode +# Install uv +RUN curl -LsSf https://astral.sh/uv/install.sh | sh + # Update PATH environment for tool access # Configure paths for Python, Node.js, and other tools +ENV UV_LOCAL_BIN=$HOME/.cargo/bin ENV USR_LOCAL_BIN=/usr/local/bin ENV LOCAL_BIN=${HOME}/.local/bin ENV PNPM_HOME=${HOME}/.local/share/pnpm -ENV PATH=${PATH}:${USR_LOCAL_BIN}:${LOCAL_BIN}:${PNPM_HOME} - -# Configure pip to allow system packages in container environment -# This is necessary for some tools that need system-level packages -ENV PIP_BREAK_SYSTEM_PACKAGES=1 +ENV PATH=${PATH}:${USR_LOCAL_BIN}:${LOCAL_BIN}:${PNPM_HOME}:${UV_LOCAL_BIN} -# Install uv package manager - modern Python package manager -# Faster and more reliable than pip for tool installation -RUN python3 -m pip install --no-cache-dir --upgrade uv +# Install Python 3.12 with uv +RUN uv python install 3.12 # Set the default shell execution for subsequent RUN commands # Use zsh for better shell features and compatibility diff --git a/.devcontainer/isolated/Dockerfile b/.devcontainer/isolated/Dockerfile index d99fbb2..e12983b 100644 --- a/.devcontainer/isolated/Dockerfile +++ b/.devcontainer/isolated/Dockerfile @@ -16,9 +16,9 @@ # Echidna is a fuzzing tool for Ethereum smart contracts FROM --platform=linux/amd64 ghcr.io/crytic/echidna/echidna:latest AS echidna -# Base image: Debian 12 (Bookworm) with VS Code DevContainer support +# Base image: Latest Debian with VS Code DevContainer support # This provides a stable, security-focused base for development -FROM mcr.microsoft.com/vscode/devcontainers/base:bookworm +FROM mcr.microsoft.com/vscode/devcontainers/base:debian # Install essential system packages for development # These are the minimal packages needed for Web3 development tools @@ -51,20 +51,19 @@ USER vscode WORKDIR /home/vscode ENV HOME=/home/vscode +# Install uv +RUN curl -LsSf https://astral.sh/uv/install.sh | sh + # Update PATH environment for tool access # Configure paths for Python, Node.js, and other tools +ENV UV_LOCAL_BIN=$HOME/.cargo/bin ENV USR_LOCAL_BIN=/usr/local/bin ENV LOCAL_BIN=${HOME}/.local/bin ENV PNPM_HOME=${HOME}/.local/share/pnpm -ENV PATH=${PATH}:${USR_LOCAL_BIN}:${LOCAL_BIN}:${PNPM_HOME} - -# Configure pip to allow system packages in container environment -# This is necessary for some tools that need system-level packages -ENV PIP_BREAK_SYSTEM_PACKAGES=1 +ENV PATH=${PATH}:${USR_LOCAL_BIN}:${LOCAL_BIN}:${PNPM_HOME}:${UV_LOCAL_BIN} -# Install uv package manager - modern Python package manager -# Faster and more reliable than pip for tool installation -RUN python3 -m pip install --no-cache-dir --upgrade uv +# Install Python 3.12 with uv +RUN uv python install 3.12 # Set the default shell execution for subsequent RUN commands # Use zsh for better shell features and compatibility @@ -102,18 +101,14 @@ USER vscode ENV PNPM_HOME=${HOME}/.local/share/pnpm ENV PATH=${PATH}:${PNPM_HOME} -# Install Python-based security analysis tools -# These tools provide comprehensive smart contract security analysis -# Install slither, crytic-compile, solc, vyper, mythx, panoramix, slider-lsp (needed for contract explorer), napalm-toolbox. napalm-core has to be installed manually. +# Install Python-based security analysis tools (reduced set for security focus) +# These tools provide essential smart contract security analysis +# Focused on core tools: slither, mythril, crytic-compile, halmos, solc-select RUN uv tool install slither-analyzer && \ uv tool install crytic-compile && \ - uv tool install vyper && \ - uv tool install panoramix-decompiler && \ uv tool install slither-lsp && \ uv tool install mythril && \ - uv tool install napalm-toolbox && \ - uv tool install semgrep && \ - uv tool install slitherin && \ + uv tool install halmos && \ uv tool install solc-select && \ solc-select install 0.4.26 0.5.17 0.6.12 0.7.6 0.8.10 latest && solc-select use latest diff --git a/.devcontainer/minimal/Dockerfile b/.devcontainer/minimal/Dockerfile index 72e0b91..3283d23 100644 --- a/.devcontainer/minimal/Dockerfile +++ b/.devcontainer/minimal/Dockerfile @@ -26,44 +26,52 @@ FROM mcr.microsoft.com/vscode/devcontainers/base:debian # Root access is needed for system package installation USER root -# Super basic stuff to get everything started -# Install minimal set of essential packages for development -RUN apt-get update -y && apt-get install -y \ - zsh python3-pip python3-venv python3-dev libpython3-dev build-essential vim curl git sudo pkg-config \ - --no-install-recommends - -# The base container usually has a "vscode" user. If not, create one here. -# This ensures consistent user setup across different base images -RUN echo "vscode ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers +# Install essential system packages for development +# These are the minimal packages needed for Web3 development tools +RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ + bash-completion # Shell completion support \ + build-essential # Compilation tools (gcc, make, etc.) \ + curl # HTTP client for downloading tools \ + git # Version control system \ + jq # JSON processor for tool outputs \ + pkg-config # Package configuration helper \ + sudo # Privilege escalation (needed for some tools) \ + unzip # Archive extraction \ + vim # Text editor \ + wget # Alternative HTTP client \ + zsh # Advanced shell \ + && rm -rf /var/lib/apt/lists/* + + + +# Install Python development dependencies +# Required for Python-based security tools and package management +RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ + python3-pip # Python package installer \ + libpython3-dev # Python development headers \ + python3-dev # Python development tools \ + python3-venv # Python virtual environment support \ + && rm -rf /var/lib/apt/lists/* # Switch to vscode user for security (drop privileges) # This ensures all subsequent operations run as non-root user USER vscode WORKDIR /home/vscode - -# Set HOME and create quests folder -# Configure user environment and create development workspace ENV HOME=/home/vscode -RUN mkdir -p ${HOME}/quests && chown vscode:vscode ${HOME}/quests -# Set needed paths for Python, pix, pnpm -# Configure environment variables for tool access and package management +# Install uv +RUN curl -LsSf https://astral.sh/uv/install.sh | sh + +# Update PATH environment for tool access +# Configure paths for Python, Node.js, and other tools +ENV UV_LOCAL_BIN=$HOME/.cargo/bin ENV USR_LOCAL_BIN=/usr/local/bin ENV LOCAL_BIN=${HOME}/.local/bin ENV PNPM_HOME=${HOME}/.local/share/pnpm -ENV PATH=${PATH}:${USR_LOCAL_BIN}:${LOCAL_BIN}:${PNPM_HOME} +ENV PATH=${PATH}:${USR_LOCAL_BIN}:${LOCAL_BIN}:${PNPM_HOME}:${UV_LOCAL_BIN} -# Configure pip to allow system packages in container environment -# This is necessary for some tools that need system-level packages -ENV PIP_BREAK_SYSTEM_PACKAGES=1 - -# Install uv package manager -# uv is a modern Python package manager, faster and more reliable than pip -RUN python3 -m pip install --no-cache-dir --upgrade uv - -# Set asdf manager version for reproducibility -# asdf provides consistent version management across different tools -ENV ASDF_VERSION=v0.15.0 +# Install Python 3.12 with uv +RUN uv python install 3.12 # Set the default shell to zsh # zsh provides better shell features and development experience @@ -75,7 +83,7 @@ SHELL ["/usr/bin/zsh", "-ic"] # Install Go programming language through asdf version manager # asdf provides consistent version management across different tools # Go is required for various Web3 tools and Foundry framework -RUN git clone https://github.com/asdf-vm/asdf.git $HOME/.asdf --branch ${ASDF_VERSION} && \ +RUN git clone https://github.com/asdf-vm/asdf.git $HOME/.asdf --branch v0.15.0 && \ echo '. $HOME/.asdf/asdf.sh' >> $HOME/.zshrc && \ echo 'fpath=(${ASDF_DIR}/completions $fpath)' >> $HOME/.zshrc && \ echo 'autoload -Uz compinit && compinit' >> $HOME/.zshrc && \ diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index beb8182..c53969e 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -21,8 +21,8 @@ jobs: subFolder: - .devcontainer/auditor - .devcontainer/minimal - - .devcontainer/legacy-theredguild - - .devcontainer/legacy-minimal + - .devcontainer/legacy + - .devcontainer/hardened steps: - name: Checkout repository uses: actions/checkout@v4 diff --git a/README.md b/README.md index afa242c..512ffc7 100644 --- a/README.md +++ b/README.md @@ -400,14 +400,12 @@ asdf plugin list all ``` Golang: `asdf plugin add golang` -Python: `asdf plugin add python` Node.js: `asdf plugin add nodejs` #### You can list and install specific versions ```bash asdf install golang 1.20.5 -asdf install python 3.11.5 asdf install nodejs 18.15.0 ``` @@ -415,16 +413,88 @@ asdf install nodejs 18.15.0 ```bash asdf global golang 1.20.5 -asdf global python 3.11.5 ``` #### Make a version be used locally ```bash asdf local golang 1.19.2 -asdf local python 3.10.4 ``` +### Introduction to `uv` + +`uv` is a fast Python package installer and resolver, written in Rust. It's designed to be a drop-in replacement for pip, pip-tools, and virtualenv, offering significantly faster performance and better dependency resolution. It's especially useful for Python projects requiring fast package management and reliable dependency resolution. + +#### Install Python versions + +Install and manage multiple Python versions: + +```bash +# Install a specific Python version +uv python install 3.11.5 +uv python install 3.12.0 + +# List installed Python versions +uv python list + +# Use a specific Python version +uv python use 3.11.5 +``` + +#### Create and manage virtual environments + +```bash +# Create a new virtual environment +uv venv + +# Create a virtual environment with a specific Python version +uv venv --python 3.11.5 + +# Activate the virtual environment +source .venv/bin/activate # On Unix/macOS +# or +.venv\Scripts\activate # On Windows +``` + +#### Install packages + +```bash +# Install a single package +uv add requests + +# Install packages with specific versions +uv add "fastapi>=0.100.0" "uvicorn[standard]" + +# Install development dependencies +uv add --dev pytest black flake8 + +# Install from requirements.txt +uv pip install -r requirements.txt + +# Install tools globally (similar to pipx) +uv tool install black +uv tool install flake8 +uv tool install mypy +``` + +#### Project management + +```bash +# Initialize a new Python project +uv init my-project +cd my-project + +# Add dependencies to pyproject.toml +uv add requests fastapi + +# Install all project dependencies +uv sync + +# Generate requirements.txt +uv export --format requirements-txt > requirements.txt +``` + + ### Install different node versions with nvm ```bash From a9898503ba3ce1c5da70a4ac18eac2e1a65c92f3 Mon Sep 17 00:00:00 2001 From: d4rm5 Date: Mon, 25 Aug 2025 22:12:14 -0300 Subject: [PATCH 6/8] (readme): removed word --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 512ffc7..b6e40e8 100644 --- a/README.md +++ b/README.md @@ -19,7 +19,7 @@ We now offer multiple devcontainer configurations to suit different security and - **Includes**: All security tools, fuzzing tools (Echidna, Medusa), static analysis - **Security**: Read-only filesystem, network isolation, capability dropping, tmpfs mounts - **Extensions**: Comprehensive Ethereum security bundle, audit tools, decompilers -- **Use case**: High-security research, compliance requirements, isolated analysis +- **Use case**: High-security research and isolated analysis ### **Hardened** (`.devcontainer/hardened/`) **Best for**: Enhanced security with development flexibility From 7acaa17661ff20446960f03c40a4b3317bcf1ced Mon Sep 17 00:00:00 2001 From: d4rm5 Date: Mon, 25 Aug 2025 22:24:45 -0300 Subject: [PATCH 7/8] (CI/CD): added workflows for test isolation and auditing tools --- .github/workflows/main.yml | 34 ++++++++++++++++++++++++++++++++-- 1 file changed, 32 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index c53969e..88d4919 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -23,6 +23,7 @@ jobs: - .devcontainer/minimal - .devcontainer/legacy - .devcontainer/hardened + - .devcontainer/isolated steps: - name: Checkout repository uses: actions/checkout@v4 @@ -80,7 +81,7 @@ jobs: runCmd: echo "Devcontainer OK in ${{ matrix.subFolder }}" && uname -a push: never - - name: Test Foundry functionality + - name: Test Minimal Tools if: success() && steps.check.outputs.exists == 'true' && steps.changed.outputs.changed == 'true' uses: devcontainers/ci@v0.3 with: @@ -96,10 +97,39 @@ jobs: echo "✅ Foundry tools verification completed" push: never + - name: Test Auditor Tools + if: success() && steps.check.outputs.exists == 'true' && steps.changed.outputs.changed == 'true' && contains(fromJSON('[".devcontainer/auditor", ".devcontainer/hardened", ".devcontainer/isolated"]'), matrix.subFolder) + uses: devcontainers/ci@v0.3 + with: + subFolder: ${{ matrix.subFolder }} + configFile: ${{ matrix.subFolder }}/devcontainer.json + + runCmd: | + echo "🧪 Testing Auditor tools..." + slither --version || echo "❌ Slither not found" + myth --version || echo "❌ Mythril not found" + echidna --version || echo "❌ Echidna not found" + echo "✅ Auditor tools verification completed" + push: never + + - name: Test Isolation + if: success() && steps.check.outputs.exists == 'true' && steps.changed.outputs.changed == 'true' && matrix.subFolder == '.devcontainer/isolated' + uses: devcontainers/ci@v0.3 + with: + subFolder: ${{ matrix.subFolder }} + configFile: ${{ matrix.subFolder }}/devcontainer.json + + runCmd: | + echo "🧪 Testing Isolation..." + if (touch /test.txt); then echo "❌ Filesystem is not read-only"; exit 1; else echo "✅ Filesystem is read-only"; fi + if (curl -sS https://www.google.com); then echo "❌ Network is not isolated"; exit 1; else echo "✅ Network is isolated"; fi + echo "✅ Isolation verification completed" + push: never + - name: Purge Docker cache and resources (on success) if: success() && steps.check.outputs.exists == 'true' && steps.changed.outputs.changed == 'true' run: | echo "Pruning Docker resources to free memory and disk..." docker system prune -af --volumes || true docker builder prune -af || true - docker system df || true + docker system df || true \ No newline at end of file From 148799e72ca1cac3a3c9899667fb54ecd46b1e27 Mon Sep 17 00:00:00 2001 From: d4rm5 Date: Mon, 25 Aug 2025 22:26:03 -0300 Subject: [PATCH 8/8] (testing): minimal change for test GH Actions --- .devcontainer/isolated/Dockerfile | 1 - 1 file changed, 1 deletion(-) diff --git a/.devcontainer/isolated/Dockerfile b/.devcontainer/isolated/Dockerfile index e12983b..cdf4868 100644 --- a/.devcontainer/isolated/Dockerfile +++ b/.devcontainer/isolated/Dockerfile @@ -6,7 +6,6 @@ # with maximum security isolation, read-only filesystem, and network isolation. # # Key security features: -# - Multi-stage build for Echidna binary # - Non-root user execution # - Minimal package installation # - Security-hardened toolchain