{
"schema_version": "docker_build_surface_inventory_v1",
"generated_at": "2026-06-04T19:23:03+08:00",
"program_status": {
"overall_completion_percent": 97,
"current_priority": "P1",
"current_task_id": "P1-203",
"next_task_id": "P1-204",
"read_only_mode": true
},
"source_refs": [
"apps/api/Dockerfile",
"apps/web/Dockerfile",
"apps/api/pyproject.toml",
"apps/web/package.json",
"pnpm-lock.yaml"
],
"rollups": {
"total_surfaces": 2,
"dockerfile_count": 2,
"external_image_ref_count": 3,
"from_instruction_count": 6,
"copy_from_external_image_count": 1,
"digest_pinned_image_count": 0,
"tag_pinned_image_count": 3,
"build_time_network_fetch_count": 4,
"non_root_runtime_count": 2,
"healthcheck_count": 1,
"by_status": {
"action_required": 2
},
"action_required_surface_ids": [
"api_dockerfile",
"web_dockerfile"
],
"planned_next_surface_ids": []
},
"surfaces": [
{
"surface_id": "api_dockerfile",
"display_name": "AWOOOI API Dockerfile",
"dockerfile_ref": "apps/api/Dockerfile",
"status": "action_required",
"risk_level": "high",
"stage_count": 2,
"external_image_refs": [
"python:3.11-slim",
"ghcr.io/astral-sh/uv:0.6.9"
],
"digest_pinned_image_refs": [],
"tag_pinned_image_refs": [
"python:3.11-slim",
"ghcr.io/astral-sh/uv:0.6.9"
],
"build_time_network_fetches": [
"apt-get update && apt-get install openssh-client curl",
"curl -LO https://dl.k8s.io/release/v1.29.0/bin/linux/amd64/kubectl"
],
"binary_sources": [
"ghcr.io/astral-sh/uv:0.6.9 /uv",
"dl.k8s.io kubectl v1.29.0"
],
"non_root_runtime": true,
"healthcheck_present": true,
"cache_controls": [
"ARG BUILDKIT_INLINE_CACHE=0",
"ARG CACHE_BUST=none",
"dependency layer before apps/api/src COPY"
],
"gate_status": "image_rebuild_blocked",
"evidence_refs": ["apps/api/Dockerfile"],
"next_action": "P1-204 定義 base image digest pin、kubectl checksum、apt source 與 rebuild approval policy;不得直接 build image。"
},
{
"surface_id": "web_dockerfile",
"display_name": "AWOOOI Web Dockerfile",
"dockerfile_ref": "apps/web/Dockerfile",
"status": "action_required",
"risk_level": "high",
"stage_count": 4,
"external_image_refs": [
"node:20-alpine"
],
"digest_pinned_image_refs": [],
"tag_pinned_image_refs": [
"node:20-alpine"
],
"build_time_network_fetches": [
"corepack prepare pnpm@9.0.0 --activate",
"pnpm install --frozen-lockfile"
],
"binary_sources": [
"node:20-alpine base image",
"corepack pnpm@9.0.0",
"pnpm registry dependencies via pnpm-lock.yaml"
],
"non_root_runtime": true,
"healthcheck_present": false,
"cache_controls": [
"ARG BUILDKIT_INLINE_CACHE=1",
"ARG CACHE_BUST=dev",
"NEXT_PRIVATE_BUILD_WORKER_COUNT=1",
"BuildKit cache mount for .next/cache",
"BuildKit cache mount for /root/.cache/turbo"
],
"gate_status": "image_rebuild_blocked",
"evidence_refs": ["apps/web/Dockerfile", "pnpm-lock.yaml"],
"next_action": "P1-204 定義 node base image digest pin、pnpm/corepack provenance、Web runtime healthcheck 與 rebuild approval policy;不得直接 build image。"
}
],
"risk_findings": [
{
"finding_id": "base_images_not_digest_pinned",
"severity": "high",
"status": "action_required",
"summary": "API 與 Web Dockerfile 使用 tag-pinned base image,但未使用 digest pin;`python:3.11-slim`、`node:20-alpine`、`ghcr.io/astral-sh/uv:0.6.9` 都需要 P1-204 定義 digest / rebuild policy。",
"evidence_refs": ["apps/api/Dockerfile", "apps/web/Dockerfile"],
"next_action": "P1-204 定義 digest pin、更新 cadence、rollback 與 registry approval package。"
},
{
"finding_id": "api_kubectl_binary_without_checksum_policy",
"severity": "high",
"status": "action_required",
"summary": "API image build 以 curl 下載 kubectl v1.29.0,但未在 Dockerfile 內呈現 checksum / signature 驗證 policy。",
"evidence_refs": ["apps/api/Dockerfile"],
"next_action": "P1-204 定義 kubectl binary source、checksum / signature、替換方式與 image rebuild approval gate。"
},
{
"finding_id": "build_time_network_fetches_present",
"severity": "medium",
"status": "action_required",
"summary": "API build 會 apt-get / curl,Web build 會 corepack prepare / pnpm install;本輪只盤點,不執行 build,也不驗證外部 registry freshness。",
"evidence_refs": ["apps/api/Dockerfile", "apps/web/Dockerfile", "pnpm-lock.yaml"],
"next_action": "P1-204 定義外部來源白名單、快取策略、失敗告警與批准邊界。"
},
{
"finding_id": "web_runtime_healthcheck_missing",
"severity": "medium",
"status": "action_required",
"summary": "Web runtime stage 有 non-root user,但 Dockerfile 未定義 HEALTHCHECK;需確認 K8s probe 是否是唯一健康檢查來源。",
"evidence_refs": ["apps/web/Dockerfile", "k8s/"],
"next_action": "P1-204 或 P1-001 對齊 Dockerfile healthcheck 與 K8s probe contract;不得直接改 image。"
},
{
"finding_id": "image_rebuild_not_run",
"severity": "low",
"status": "accepted",
"summary": "本輪未執行 docker build、image pull、registry push 或外部 CVE 查詢;只建立 repo 內 Dockerfile 事實基線。",
"evidence_refs": ["docs/ai/AI_AGENT_AUTOMATION_WORKLIST_2026-06-04.md"],
"next_action": "若要重建 image,必須另走 P1-204 policy 與人工批准。"
}
],
"operation_boundaries": {
"read_only_api_allowed": true,
"docker_build_allowed": false,
"image_pull_allowed": false,
"image_rebuild_allowed": false,
"registry_push_allowed": false,
"external_cve_lookup_allowed": false,
"package_installation_allowed": false,
"production_routing_allowed": false
},
"approval_boundaries": {
"sdk_installation_allowed": false,
"paid_api_call_allowed": false,
"shadow_or_canary_allowed": false,
"production_routing_allowed": false,
"destructive_operation_allowed": false
}
}