12 changes: 6 additions & 6 deletions copyables/entrypoint.sh
@@ -23,7 +23,7 @@ if [[ $? -ne 0 ]]; then
fi
set -e

CONFIG=/usr/vpnserver/vpn_server.config
CONFIG=/var/lib/softether/vpn_server.config

if [ ! -f $CONFIG ] || [ ! -s $CONFIG ]; then
: ${PSK:='notasecret'}
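Review bot: the fallback `: ${PSK:='notasecret'}` on the last line of this hunk means a container started without PSK set gets a publicly known IPsec pre-shared key, and because this whole block only runs when the new /var/lib/softether/vpn_server.config is absent or empty, that weak value is written once and then persists across restarts. Either fail when PSK is unset, or generate a random default the way SPW is generated later in this script from /dev/urandom and log that a generated value was used. Also quote the path in the test: `[ ! -f "$CONFIG" ] || [ ! -s "$CONFIG" ]`.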
@@ -51,14 +51,14 @@ if [ ! -f $CONFIG ] || [ ! -s $CONFIG ]; then
echo

vpncmd_server() {
/usr/bin/vpncmd localhost /SERVER /CSV /CMD "$@"
/usr/local/bin/vpncmd localhost /SERVER /CSV /CMD "$@"
}

vpncmd_hub() {
/usr/bin/vpncmd localhost /SERVER /CSV /HUB:DEFAULT /CMD "$@"
/usr/local/bin/vpncmd localhost /SERVER /CSV /HUB:DEFAULT /CMD "$@"
}

/usr/bin/vpnserver start 2>&1 >/dev/null
/usr/local/bin/vpnserver start 2>&1 >/dev/null

# while-loop to wait until server comes up
# switch cipher
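Review bot: `2>&1 >/dev/null` on the `vpnserver start` line does not silence stderr. Redirections apply left to right, so stderr is duplicated onto the original stdout before stdout is sent to /dev/null, and error output still reaches the console. If the intent is to discard both streams, write `>/dev/null 2>&1`; if the intent is to keep errors visible, drop the `2>&1` so the line says what it does. The same pattern is on the `vpnserver stop` line later in this file. The two `vpncmd_*` wrappers are the right direction: every call goes through one place, so the binary path only has to change once next time.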
@@ -71,7 +71,7 @@ if [ ! -f $CONFIG ] || [ ! -s $CONFIG ]; then
done

# About command to grab version number
# /usr/bin/vpncmd localhost /SERVER /CSV /CMD About | head -2 | tail -1 | sed 's/^/# /;'
# /usr/local/bin/vpncmd localhost /SERVER /CSV /CMD About | head -2 | tail -1 | sed 's/^/# /;'
vpncmd_server About | head -2 | tail -1 | sed 's/^/# /;'

# enable L2TP_IPsec
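Review bot: the commented-out `About` invocation directly above the live `vpncmd_server About` call was updated to the new binary path, but it is dead text that duplicates the line below it and will drift again on the next path change. Drop it, or reduce the comment to what the command is for (`# About: grab version number`) and let the wrapper call carry the path.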
@@ -173,7 +173,7 @@ if [ ! -f $CONFIG ] || [ ! -s $CONFIG ]; then
: ${SPW:=$(cat /dev/urandom | tr -dc 'A-Za-z0-9' | fold -w 20 | head -n 1)}
vpncmd_server ServerPasswordSet ${SPW}

/usr/bin/vpnserver stop 2>&1 >/dev/null
/usr/local/bin/vpnserver stop 2>&1 >/dev/null

# while-loop to wait until server goes away
set +e
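Review bot: `vpncmd_server ServerPasswordSet ${SPW}` passes the admin password unquoted. The generated default is alphanumeric so it splits cleanly, but an operator-supplied SPW containing whitespace or glob characters would be word-split into extra arguments and the password actually set on the server would not match what was supplied; use `"${SPW}"`. The generation pipeline can also lose the `cat`: `tr -dc 'A-Za-z0-9' </dev/urandom | head -c 20` yields the same 20-character value with one fewer process.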
8 changes: 4 additions & 4 deletions copyables/gencert.sh
@@ -1,20 +1,20 @@
#!/bin/bash
set -e

/usr/bin/vpnserver start 2>&1 >/dev/null
/usr/local/bin/vpnserver start 2>&1 >/dev/null

# while-loop to wait until server comes up
# switch cipher
while :; do
set +e
/usr/bin/vpncmd localhost /SERVER /CSV /CMD OpenVpnEnable yes /PORTS:1194 2>&1 >/dev/null
/usr/local/bin/vpncmd localhost /SERVER /CSV /CMD OpenVpnEnable yes /PORTS:1194 2>&1 >/dev/null
[[ $? -eq 0 ]] && break
set -e
sleep 1
done

/usr/bin/vpncmd localhost /SERVER /CSV /CMD ServerCertGet cert
/usr/bin/vpncmd localhost /SERVER /CSV /CMD ServerKeyGet key
/usr/local/bin/vpncmd localhost /SERVER /CSV /CMD ServerCertGet cert
/usr/local/bin/vpncmd localhost /SERVER /CSV /CMD ServerKeyGet key

CERT=$(cat cert | sed -r 's/\-{5}[^\-]+\-{5}//g;s/[^A-Za-z0-9\+\/\=]//g;' | tr -d '\r\n')
KEY=$(cat key | sed -r 's/\-{5}[^\-]+\-{5}//g;s/[^A-Za-z0-9\+\/\=]//g;' | tr -d '\r\n')
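Review bot: the readiness loop in this hunk leaves errexit disabled for the rest of the script. On the successful iteration `break` runs before `set -e` is reached, so the `ServerCertGet cert` and `ServerKeyGet key` calls below no longer abort on failure, and CERT/KEY would then be derived from whatever stale `cert`/`key` files happen to be in the working directory, or from nothing. Move `set -e` to directly after the loop, or test the command in the `while` condition instead of toggling `set +e`/`set -e`. Two smaller points: probing readiness with `OpenVpnEnable yes /PORTS:1194` changes server configuration as a side effect on every run, where a read-only command such as `About` (already used in entrypoint.sh) would do; and `ServerKeyGet key` writes the server private key in plaintext to the current directory, so remove the file once KEY has been captured, or write it under a temporary directory with restrictive permissions.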
9 changes: 8 additions & 1 deletion dockerfile

Medium IaC Finding

Unpinned Package Version in Apk Add
on resource FROM alpine AS builder.RUN apk add binutils --no-cache linux-headers build-base readline-dev openssl-dev ncurses-dev git cmake zlib-dev libsodium-dev gnu-libiconv

More Details
Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes

Expected

RUN instruction with 'apk add <package>' should use package pinning form 'apk add <package>=<version>'

Found

RUN instruction apk add binutils --no-cache linux-headers build-base readline-dev openssl-dev ncurses-dev git cmake zlib-dev libsodium-dev gnu-libiconv does not use package pinning form

Rule ID: de9db1cd-52cd-46cf-aea4-2a363f47d7e8

Medium IaC Finding

Image Version Not Explicit
on resource FROM alpine

More Details
Always tag the version of an image explicitly

Expected

FROM alpine:'version'

Found

FROM alpine

Rule ID: c06eea37-bf19-404d-9964-9508a90c984b

High IaC Finding

Missing User Instruction
on resource Dockerfile

More Details
This rule checks whether a `USER` instruction is specified in the Dockerfile. The rule fails when the `USER` instruction is missing, causing the container to run with root privileges (UID 0). If an attacker compromises an application running as root, they gain the privileges needed to potentially escape the container and attack the host node. It also increases the blast radius of a breach, allowing full control to modify files or install malware within the container. Enforcing a non-root user is a fundamental security measure that minimizes the attack surface and contains the impact of a potential compromise.

Expected

The multi-stage Dockerfile should contain at least one 'USER' instruction

Found

The multi-stage Dockerfile does not contain any 'USER' instruction

Security Frameworks: wf-id-264, c7d2843b-ff83-4115-823e-a440e5c9b434, fcb43ca7-1138-43c6-af95-fe30190b00f7, 9bc0c54d-4a51-4dbc-8ae6-890bc8c96f68, e24345c2-b2f7-40d2-9067-d71280d443d8

Rule ID: e24d894e-a4db-4b8d-98cc-38d5825e1c7a

Medium IaC Finding

RUN Instruction Using 'cd' Instead of WORKDIR
on resource FROM alpine AS builder.RUN cd SoftEtherVPN && git submodule init && git submodule update && ./configure && make -j $(getconf _NPROCESSORS_ONLN) -C build

More Details
Use WORKDIR instead of proliferating instructions like RUN cd … && do-something, which are hard to read, troubleshoot, and maintain.

Expected

Using WORKDIR to change directory

Found

RUN cd SoftEtherVPN && git submodule init && git submodule update && ./configure && make -j $(getconf _NPROCESSORS_ONLN) -C build

Rule ID: 68315656-f749-42d0-928a-e618c8d4eea6

Low IaC Finding

YALI - Docker image should be fetched from an approved registry
on resource FROM alpine

More Details
... Use this rule to alert on disapproved image registries

Expected

Base image must be from an authorized repository.

Found

Base image 'alpine' is not from an authorized repository.

Rule ID: 26c050b2-2b7f-49b4-b453-fb0782f26145

Medium IaC Finding

Unpinned Package Version in Apk Add
on resource FROM alpine AS base.RUN apk add --no-cache readline openssl libsodium gnu-libiconv iptables bash unzip

More Details
Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes

Expected

RUN instruction with 'apk add <package>' should use package pinning form 'apk add <package>=<version>'

Found

RUN instruction apk add --no-cache readline openssl libsodium gnu-libiconv iptables bash unzip does not use package pinning form

Rule ID: de9db1cd-52cd-46cf-aea4-2a363f47d7e8

Low IaC Finding

Healthcheck Instruction Missing
on resource FROM alpine AS base

More Details
Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working

Expected

Dockerfile should contain instruction 'HEALTHCHECK'

Found

Dockerfile doesn't contain instruction 'HEALTHCHECK'

Security Frameworks: wf-id-264, e24345c2-b2f7-40d2-9067-d71280d443d8

Rule ID: 6cce840b-7867-4f9d-81b7-54b35433d327

Low IaC Finding

Healthcheck Instruction Missing
on resource FROM alpine AS builder

More Details
Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working

Expected

Dockerfile should contain instruction 'HEALTHCHECK'

Found

Dockerfile doesn't contain instruction 'HEALTHCHECK'

Security Frameworks: wf-id-264, e24345c2-b2f7-40d2-9067-d71280d443d8

Rule ID: 6cce840b-7867-4f9d-81b7-54b35433d327

Critical IaC Finding

**ALPA - Docker file base image not from private registry**
on resource FROM alpine

More Details

Expected

Base image must come from a validated private repository

Found

Base image 'alpine' is not from a validated source

Rule ID: f357b217-8b04-4a58-82ee-f0f874eb0627

@@ -35,7 +35,9 @@ RUN apk add --no-cache readline \
openssl \
libsodium \
gnu-libiconv \
iptables
iptables \
bash \
unzip
ENV LD_PRELOAD=/usr/lib/preloadable_libiconv.so
WORKDIR /usr/local/bin
VOLUME /var/log/softether
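Review bot: the two packages added in this hunk are unpinned, which the scanner flags for both `apk add` lines. `bash` is justified by the diff itself (gencert.sh is `#!/bin/bash` and entrypoint.sh uses `[[ ]]`), but nothing here shows what `unzip` is for; state its consumer in the PR or drop it, since every extra package in the runtime stage is attack surface in an image that runs as root. Pin the base tag first (the bare `FROM alpine` is also flagged) and then pin `bash=<version>` and `unzip=<version>` against that tag so the build is reproducible. In context, `ENV LD_PRELOAD=/usr/lib/preloadable_libiconv.so` applies to every process in the container, including the entrypoint shells; if only vpnserver needs it, set it on that process rather than image-wide.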
@@ -47,5 +49,10 @@ COPY --from=builder /usr/local/src/SoftEtherVPN/build/libcedar.so /usr/local/src

FROM base AS vpnserver

Critical IaC Finding

**ALPA - Docker file base image not from private registry**
on resource FROM base

More Details

Expected

Base image must come from a validated private repository

Found

Base image 'base' is not from a validated source

Rule ID: f357b217-8b04-4a58-82ee-f0f874eb0627

Low IaC Finding

Healthcheck Instruction Missing
on resource FROM base AS vpnserver

More Details
Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working

Expected

Dockerfile should contain instruction 'HEALTHCHECK'

Found

Dockerfile doesn't contain instruction 'HEALTHCHECK'

Security Frameworks: wf-id-264, e24345c2-b2f7-40d2-9067-d71280d443d8

Rule ID: 6cce840b-7867-4f9d-81b7-54b35433d327

COPY --from=builder /usr/local/src/SoftEtherVPN/build/vpnserver ./
COPY copyables/entrypoint.sh /entrypoint.sh
COPY copyables/gencert.sh /gencert.sh
RUN chmod +x /entrypoint.sh /gencert.sh

EXPOSE 443/tcp 992/tcp 1194/tcp 1194/udp 5555/tcp 500/udp 4500/udp
ENTRYPOINT ["/entrypoint.sh"]
CMD ["/usr/local/bin/vpnserver", "execsvc"]
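Review bot: `RUN chmod +x /entrypoint.sh /gencert.sh` adds a layer just to set a mode bit; `COPY --chmod=0755 copyables/entrypoint.sh /entrypoint.sh` (BuildKit) does it in the COPY itself. Two of the scanner comments on this hunk are worth acting on rather than dismissing. There is no `HEALTHCHECK`, and the `About` command the entrypoint already uses is a ready-made probe, e.g. `HEALTHCHECK CMD vpncmd localhost /SERVER /CSV /CMD About >/dev/null || exit 1`. There is no `USER` instruction, so vpnserver runs as UID 0; if root is genuinely required (the `iptables` package and the L2TP/IPsec setup in entrypoint.sh suggest it is), say so in a comment next to the CMD so the next reviewer does not have to rediscover why.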