From 78af26bf600c1e789adf85fd0b6d1e7b0c6a535d Mon Sep 17 00:00:00 2001 From: Enderson Maia Date: Thu, 15 Jan 2026 14:40:14 -0300 Subject: [PATCH 1/3] chore(sdk): use PostgreSQL's Docker Hardened Image Using trivy to scan vulnerabilities in Docker images, we found that: BEFORE : Total: 139 (UNKNOWN: 4, LOW: 99, MEDIUM: 31, HIGH: 5, CRITICAL: 0) AFTER : Total: 78 (UNKNOWN: 5, LOW: 69, MEDIUM: 3, HIGH: 1, CRITICAL: 0) --- .github/workflows/sdk.yaml | 7 +++++++ packages/sdk/Dockerfile | 13 +++++++++---- packages/sdk/docker-bake.hcl | 4 +++- 3 files changed, 19 insertions(+), 5 deletions(-) diff --git a/.github/workflows/sdk.yaml b/.github/workflows/sdk.yaml index df536302..3af44fa9 100644 --- a/.github/workflows/sdk.yaml +++ b/.github/workflows/sdk.yaml @@ -83,6 +83,13 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} + - name: Login to Docker Hardened Registry + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 + with: + registry: dhi.io + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + - name: Build and push uses: docker/bake-action@3acf805d94d93a86cce4ca44798a76464a75b88c # v6.9.0 if: ${{ !startsWith(github.ref, 'refs/tags/sdk@') }} diff --git a/packages/sdk/Dockerfile b/packages/sdk/Dockerfile index c41411d8..29c2d133 100644 --- a/packages/sdk/Dockerfile +++ b/packages/sdk/Dockerfile @@ -1,6 +1,7 @@ # syntax=docker.io/docker/dockerfile:1 ARG CARTESI_BASE_IMAGE -ARG POSTGRES_BASE_IMAGE +ARG POSTGRES_BASE_BUILD_IMAGE +ARG POSTGRES_BASE_RUNTIME_IMAGE ARG NODE_VERSION ################################################################################ 
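Review bot: The new "Login to Docker Hardened Registry" step reuses `DOCKERHUB_USERNAME`/`DOCKERHUB_TOKEN` for `registry: dhi.io` without saying why, which reads like a copy-paste mistake to anyone who does not know that Docker Hardened Images are served from dhi.io and accept Docker Hub credentials; add `# dhi.io (Docker Hardened Images) authenticates with the Docker Hub account` above the step. The step is unconditional while the following bake step carries an `if:`; presumably the existing Docker Hub login has the same shape, but its `if:` (if any) is outside this hunk, so the two login steps should be checked for consistency.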
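Review bot: `ARG POSTGRES_BASE_BUILD_IMAGE` and `ARG POSTGRES_BASE_RUNTIME_IMAGE` have no default, so a `FROM ${POSTGRES_BASE_BUILD_IMAGE}` later in the file expands to an empty string whenever the Dockerfile is built without the bake file, and the failure message will not name the missing variable. The diffstat shows docker-bake.hcl supplying them, so a comment above the two ARGs such as `# set by docker-bake.hcl; the build image must ship initdb, the runtime image is the hardened PostgreSQL` would point the reader at the source of truth — hedged, since the hcl hunk is not readable here. Presumably the two images also need to stay on the same PostgreSQL major so the initdb output is usable by the runtime; if so, state that next to the ARGs.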
@@ -170,7 +171,7 @@ USER cartesi ################################################################################ # postgresql initdb -FROM ${POSTGRES_BASE_IMAGE} AS postgresql-initdb +FROM ${POSTGRES_BASE_BUILD_IMAGE} AS postgresql-initdb ARG DEBIAN_FRONTEND=noninteractive RUN < Date: Thu, 15 Jan 2026 15:34:54 -0300 Subject: [PATCH 2/3] chore(sdk): use Debian's Docker Hardened Image Using trivy to scan vulnerabilities in Docker images, we found that: BEFORE: Total: 97 (UNKNOWN: 2, LOW: 82, MEDIUM: 13, HIGH: 0, CRITICAL: 0) AFTER : Total: 88 (UNKNOWN: 2, LOW: 76, MEDIUM: 10, HIGH: 0, CRITICAL: 0) --- packages/sdk/Dockerfile | 16 ++++++++-------- packages/sdk/docker-bake.hcl | 4 ++-- packages/sdk/package.json | 3 ++- 3 files changed, 12 insertions(+), 11 deletions(-) diff --git a/packages/sdk/Dockerfile b/packages/sdk/Dockerfile index 29c2d133..dd1abcd6 100644 --- a/packages/sdk/Dockerfile +++ b/packages/sdk/Dockerfile @@ -66,6 +66,7 @@ FROM base AS foundry ARG FOUNDRY_VERSION ARG TARGETARCH ARG TARGETOS +WORKDIR /usr/local/bin RUN < Date: Fri, 27 Feb 2026 10:45:41 -0300 Subject: [PATCH 3/3] ci(sdk): add trivy scan vuln final step --- .github/workflows/sdk.yaml | 78 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 75 insertions(+), 3 deletions(-) diff --git a/.github/workflows/sdk.yaml b/.github/workflows/sdk.yaml index 3af44fa9..5ccae893 100644 --- a/.github/workflows/sdk.yaml +++ b/.github/workflows/sdk.yaml @@ -22,7 +22,7 @@ jobs: meta: runs-on: ubuntu-latest strategy: - matrix: + matrix: &target-matrix target: - rollups-database - rollups-runtime @@ -50,7 +50,7 @@ jobs: type=ref,event=pr - name: Upload bake definition file - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: docker-metadata-${{ matrix.target }} path: ${{ steps.meta.outputs.bake-file }} 
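Review bot: `&target-matrix` is defined on the meta job's matrix, but the alias that consumes it lives in a different job, so a later edit to this target list silently changes the scan matrix as well; a comment such as `# also reused by the trivy job via *target-matrix` above `matrix:` makes the coupling visible at the point of change. Whether the GitHub workflow parser expands YAML anchors is something the trivy job will verify at runtime; presumably it does, but a note saying the anchor is intentional (rather than a leftover from local templating) would help the next reader.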
@@ -63,7 +63,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Download all docker-metadata artifacts - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: path: packages/sdk/ @@ -129,3 +129,75 @@ jobs: ./docker-metadata-rollups-runtime/docker-metadata-action-bake.json ./docker-metadata-rollups-database/docker-metadata-action-bake.json push: true + + trivy: + runs-on: ubuntu-latest + needs: + - build + - meta + strategy: + fail-fast: false + matrix: *target-matrix + permissions: + contents: read + packages: read + name: trivy-${{ matrix.target }} + steps: + - name: Download all docker-metadata artifacts + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 + with: + pattern: docker-metadata-* + path: packages/sdk/ + + - name: Trivy Setup + uses: aquasecurity/setup-trivy@3fb12ec12f41e471780db15c232d5dd185dcb514 # v0.2.0 + with: + cache: true + version: v0.69.1 + + - name: Collect image references + id: images + run: | + set -euo pipefail + + mapfile -t IMAGES < <( + jq -r '.. | .tags? // empty | .[]?' \ + packages/sdk/docker-metadata-${{ matrix.target }}/docker-metadata-action-bake.json \ + | awk 'NF > 0' \ + | sort -u + ) + + if [ "${#IMAGES[@]}" -eq 0 ]; then + echo "No image tags found in docker metadata artifacts." + exit 0 + fi + + { + echo "images<> "$GITHUB_OUTPUT" + + - name: Scan images with Trivy + if: ${{ steps.images.outputs.images != '' }} + run: | + set -euo pipefail + + while IFS= read -r image; do + [ -z "$image" ] && continue + echo "Scanning $image" + { + echo "
Trivy image scan : ${{ matrix.target }}
"
+
+                        trivy image                     \
+                            --scanners vuln             \
+                            --format table              \
+                            --report summary            \
+                            --severity HIGH,CRITICAL    \
+                            --ignore-unfixed            \
+                            --exit-code 1               \
+                            "$image"
+
+                        echo "

" + } >> $GITHUB_STEP_SUMMARY + done <<< "${{ steps.images.outputs.images }}"
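Review bot: The step output is expanded straight into the shell script at `done <<< "${{ steps.images.outputs.images }}"`, so tag text taken from the bake metadata file becomes part of the script before bash runs it; pass it through the environment instead, `env: { IMAGES: ${{ steps.images.outputs.images }} }` on the step and `done <<< "$IMAGES"`. The tags originate from docker/metadata-action, which presumably sanitizes ref names, but the env route costs nothing and keeps the script text constant. In the "Collect image references" step the `exit 0` on an empty tag list makes the scan job succeed having scanned nothing, so a broken or missing metadata artifact passes the gate silently; `exit 1`, or at least `echo "::warning::no image tags found"`, would surface it. The job never logs into the registry the images were pushed to, which only matters if those repositories are private or rate-limited, but a comment either way would spare the next reader the question. `--ignore-unfixed` together with `--exit-code 1` is a reasonable policy; a one-line comment stating that unfixed HIGH/CRITICAL findings are intentionally non-blocking would document the choice.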