17 changes: 10 additions & 7 deletions .devcontainer/Dockerfile
@@ -1,4 +1,4 @@
FROM --platform=linux/amd64 mcr.microsoft.com/devcontainers/python:3.11
FROM mcr.microsoft.com/devcontainers/python:3.11

# Makes installation faster
ENV UV_COMPILE_BYTECODE=1
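Review bot: the new `FROM mcr.microsoft.com/devcontainers/python:3.11` references the base image by a mutable tag only, and now that the `--platform=linux/amd64` pin is gone the manifest list resolves to whatever architecture the host has; pin the image by digest (`FROM mcr.microsoft.com/devcontainers/python:3.11@sha256:<digest-placeholder>`) so the devcontainer build is reproducible across amd64 and arm64 hosts and a rebuild does not silently pick up a different base image.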
@@ -32,15 +32,14 @@ RUN apt-get update && apt-get install -y \
&& curl -sL https://packages.microsoft.com/keys/microsoft.asc \
| gpg --dearmor \
> /usr/share/keyrings/microsoft-archive-keyring.gpg \
&& echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft-archive-keyring.gpg] https://packages.microsoft.com/debian/12/prod bookworm main" \
&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/microsoft-archive-keyring.gpg] https://packages.microsoft.com/debian/12/prod bookworm main" \
> /etc/apt/sources.list.d/microsoft.list \
&& apt-get update \
&& ACCEPT_EULA=Y apt-get install -y \
msodbcsql18 \
mssql-tools \
unixodbc-dev \
&& if [ "$(dpkg --print-architecture)" = "amd64" ]; then \
ACCEPT_EULA=Y apt-get install -y msodbcsql18 mssql-tools unixodbc-dev \
Copilot AI Feb 27, 2026
unixodbc-dev is already installed earlier in the Dockerfile, but it’s included again in the amd64-only install list here. This is redundant and slows builds; consider dropping unixodbc-dev from this conditional install (or removing the earlier unconditional install if you truly only want it on amd64).

Suggested change
ACCEPT_EULA=Y apt-get install -y msodbcsql18 mssql-tools unixodbc-dev \
ACCEPT_EULA=Y apt-get install -y msodbcsql18 mssql-tools \

&& echo 'export PATH="$PATH:/opt/mssql-tools/bin"' >> /etc/profile.d/sqltools.sh; \
fi \
&& apt-get install -y azure-cli \
&& echo 'export PATH="$PATH:/opt/mssql-tools/bin"' >> /etc/profile.d/sqltools.sh \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*
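Review bot: the `if [ "$(dpkg --print-architecture)" = "amd64" ]` branch has no `else`, so on an arm64 host the build succeeds with no ODBC driver, no `sqlcmd` and no `/etc/profile.d/sqltools.sh`, and the gap only surfaces later when something tries to open a SQL Server connection; add an `else echo "skipping msodbcsql18/mssql-tools: not available for $(dpkg --print-architecture)" >&2` so the omission is visible in the build log, or turn it into a build argument that fails hard when SQL tooling is required. Separately, the keyring is produced by `curl ... | gpg --dearmor` under a plain `sh -c` with no `pipefail`, so a failed download leaves an empty keyring file and the error only appears later as a signature failure at `apt-get update`; a `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` near the top of the Dockerfile makes the step fail at the download instead.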

@@ -52,6 +51,10 @@ RUN apt-get update \
libpulse0 \
&& rm -rf /var/lib/apt/lists/*

# Install Rust toolchain
RUN curl -sSf https://sh.rustup.rs | sh -s -- -y
Copilot AI Feb 27, 2026
The curl pipeline that executes https://sh.rustup.rs via sh introduces a supply chain risk by running remote, unauthenticated code as part of the image build. If the remote endpoint or the connection is compromised, an attacker could execute arbitrary code in the devcontainer build context, potentially accessing checked-out source and developer credentials mounted into the container. Prefer installing Rust via a pinned package or, if you must use this installer, download the script with a fixed version and verify its integrity (e.g., checksum/signature) before execution instead of piping it directly to sh.

ENV PATH="/root/.cargo/bin:${PATH}"
Comment on lines +54 to +56
Copilot AI Feb 27, 2026
Rust is installed under /root via rustup and PATH is set to /root/.cargo/bin, but the container later switches to USER vscode. Since /root is typically not traversable by non-root users, cargo/rustc will likely be unavailable when postCreate runs uv pip install ... as vscode. Install Rust in a location accessible to vscode (e.g., install rustup as the vscode user or set CARGO_HOME/RUSTUP_HOME under /usr/local or /opt with appropriate permissions). Also avoid the curl | sh pipeline without pipefail/checksum verification; a curl failure can be masked and leave Rust uninstalled while the build still succeeds.

Suggested change
# Install Rust toolchain
RUN curl -sSf https://sh.rustup.rs | sh -s -- -y
ENV PATH="/root/.cargo/bin:${PATH}"
# Install Rust toolchain into a shared location accessible to all users
ENV RUSTUP_HOME="/usr/local/rustup"
ENV CARGO_HOME="/usr/local/cargo"
RUN set -euo pipefail \
&& mkdir -p "${RUSTUP_HOME}" "${CARGO_HOME}" \
&& chmod -R 0755 "${RUSTUP_HOME}" "${CARGO_HOME}" \
&& curl -sSf https://sh.rustup.rs -o /tmp/rustup-init.sh \
&& sh /tmp/rustup-init.sh -y --no-modify-path \
&& rm -f /tmp/rustup-init.sh
ENV PATH="/usr/local/cargo/bin:${PATH}"


# Install uv system-wide and create pyrit-dev venv
RUN curl -LsSf https://astral.sh/uv/install.sh | sh \
&& mv /root/.local/bin/uv /usr/local/bin/uv \
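Review bot: beyond the two points already raised on this hunk, the toolchain itself is not pinned: `sh -s -- -y` installs whatever stable release `rustup-init` resolves on the day of the build, so two developers building the devcontainer a week apart can end up with different `rustc`/`cargo` versions; pass `--default-toolchain <version>` to the installer or commit a `rust-toolchain.toml` that rustup honours. The `uv` install in the context lines just below (`curl -LsSf https://astral.sh/uv/install.sh | sh`) has the same unverified curl-to-shell shape, so whatever download-and-verify approach is adopted for rustup should be applied there as well.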
1 change: 0 additions & 1 deletion .devcontainer/docker-compose.yml
@@ -1,6 +1,5 @@
services:
devcontainer:
platform: linux/amd64
build:
context: ..
dockerfile: .devcontainer/Dockerfile
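Review bot: dropping `platform: linux/amd64` is the counterpart of the Dockerfile change, but it means an arm64 host now builds a native image in which the Dockerfile's amd64-only branch skips the SQL Server tooling entirely; document that in the devcontainer README, or keep an opt-in override such as `platform: ${DEVCONTAINER_PLATFORM:-linux/amd64}` (placeholder variable name), so arm64 users are not surprised by a missing `sqlcmd`/ODBC driver.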