fix: remediate app-layer CVEs in agentex services

.github/workflows/integration-tests.yml

@@ -153,6 +153,10 @@ jobs:
     name: "Run Integration Tests - ${{ matrix.agent.agent_name }}"
     runs-on: ubuntu-latest
     needs: discover-agent-images
+    permissions:
+      id-token: write
+      contents: read
+      packages: read
     strategy:
       fail-fast: false # Continue testing other agents even if one fails
       matrix:
@@ -170,6 +174,17 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Configure AWS credentials for ECR access
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::307185671274:role/github-action-scale-agentex-ecr-read
+          aws-region: us-west-2
+
+      - name: Login to egp-prod ECR for golden base images
+        uses: aws-actions/amazon-ecr-login@v2
+        with:
+          registries: "022465994601"
+
       - name: Pull agent image
         run: |
           echo "🐳 Pulling agent image: ${{ matrix.agent.image }}"

agentex-ui/Dockerfile

@@ -1,14 +1,15 @@
-# Use the official Node.js 20 Debian image
-FROM node:20
-
-# Update package lists and install Sharp dependencies
-RUN apt-get update && apt-get install -y \
+# NOTE: -dev variant required at runtime for libvips (Sharp image processing)
+FROM 022465994601.dkr.ecr.us-west-2.amazonaws.com/golden/chainguard/node:20-dev
+ARG SOURCE_DIR=public/agentex-ui
+ENTRYPOINT []
+
+# Install dependencies as root
+USER root
+RUN apk add --no-cache \
     libvips-dev \
     python3 \
     make \
-    g++ \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
+    build-base
 
 WORKDIR /app
 
@@ -20,7 +21,7 @@ ENV NODE_ENV=production
 ENV NEXT_TELEMETRY_DISABLED=1
 
 # Copy package files
-COPY package.json package-lock.json ./
+COPY ${SOURCE_DIR}/package.json ${SOURCE_DIR}/package-lock.json ./
 
 ENV npm_config_cache=/tmp/.npm
 RUN npm config set maxsockets 3
@@ -30,7 +31,7 @@ RUN npm config set registry https://registry.npmjs.org/ && \
     npm ci --omit=dev --verbose
 
 # Copy source code (node_modules and .next excluded by .dockerignore)
-COPY . .
+COPY ${SOURCE_DIR} .
 COPY LICENSE /app/LICENSE
 
 # Build the application (creates fresh .next directory)
@@ -42,20 +43,16 @@ RUN echo "=== Build verification ===" && \
     echo "=== Final container structure ===" && \
     ls -la /app/
 
-# Create non-root user (Debian syntax)
-RUN groupadd --system --gid 1001 nodejs && \
-    useradd --system --uid 1001 --gid nodejs nextjs
-
-# Change ownership of the entire app directory to nextjs user
-RUN chown -R nextjs:nodejs /app
+# Use Chainguard's default nonroot user (65532)
+RUN chown -R 65532:65532 /app
 
 # Switch to non-root user
-USER nextjs
+USER nonroot
 
 EXPOSE 3000
 
 ENV PORT=3000
 ENV HOSTNAME="0.0.0.0"
 
 # Start the application
-CMD ["npm", "start"] 
+CMD ["npm", "start"]