惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Cisco Talos Blog
Cisco Talos Blog
AI
AI
Spread Privacy
Spread Privacy
P
Palo Alto Networks Blog
SecWiki News
SecWiki News
AWS News Blog
AWS News Blog
V2EX - 技术
V2EX - 技术
I
Intezer
K
Kaspersky official blog
C
Cyber Attacks, Cyber Crime and Cyber Security
Attack and Defense Labs
Attack and Defense Labs
T
Threatpost
N
News and Events Feed by Topic
D
DataBreaches.Net
Hacker News: Ask HN
Hacker News: Ask HN
S
Secure Thoughts
A
About on SuperTechFans
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
美团技术团队
N
News | PayPal Newsroom
W
WeLiveSecurity
S
Schneier on Security
人人都是产品经理
人人都是产品经理
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Google DeepMind News
Google DeepMind News
The Cloudflare Blog
P
Proofpoint News Feed
O
OpenAI News
TaoSecurity Blog
TaoSecurity Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Google DeepMind News
Google DeepMind News
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Google Online Security Blog
Google Online Security Blog
Cyberwarzone
Cyberwarzone
Scott Helme
Scott Helme
T
Tor Project blog
GbyAI
GbyAI
C
Cybersecurity and Infrastructure Security Agency CISA
Stack Overflow Blog
Stack Overflow Blog
L
LINUX DO - 热门话题
H
Hackread – Cybersecurity News, Data Breaches, AI and More
C
CERT Recently Published Vulnerability Notes
爱范儿
爱范儿
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Y
Y Combinator Blog
L
Lohrmann on Cybersecurity
D
Darknet – Hacking Tools, Hacker News & Cyber Security
博客园 - Franky
P
Privacy & Cybersecurity Law Blog

ashishb.net

A day in Luxembourg - the richest country in the world I was asked to install malware during a fake interview Book summary: Breakneck - China's quest to engineer the future by Dan Wang Book summary: How to Teach Your Baby to Read Book Summary: The Discontented Little Baby Book by Pamela Douglas Introducing Amazing Sandbox - run third-party tools and AI agents securely on your machine Why software outsourcing gets a bad reputation? Book summary: The Natural Baby Sleep Solution by Polly Moore A day in Antwerp, Belgium Journey of online influencers Two days in Brussels, Belgium Shortcuts - when we love them and when we don't A visit to Rakhigarhi Three days in overhyped Paris Empty Japan, crowded Tokyo The real lock-in in GitHub is not the code, but the stars 11-day Norwegian Breakaway East Caribbean cruise Sanskrit and Sri Lankan Air Force Use REST with Open API The Achilles heel of American capitalism Costa Rica in 4 days At a juice stall in Sri Lanka A short stay at Warsaw, Poland Best practices for using Python & uv inside Docker Two days in Vilnius, Lithuania How IntelliJ IDEs waste disk space Pregnancy Why there aren't many digital nomads from India Two days in Riga, Latvia Family Ties in Your DNA: Some relatives are closer than others Doctors per capita Two days in Tallinn, Estonia Ship tools as standalone static binaries Made in America Two days in Helsinki, Finland Maintaining an Android app is a lot of work The land of good deals Two days in Oslo, Norway FastAPI vs Flask performance comparison Google Search is losing to Perplexity Two days in Dublin, Ireland Continuous integration ≠ Continuous delivery World's simplest project success heuristic London in 5 days It is hard to recommend Python in production Inflation, IRS, Credit cards, and Vendors Temu and the Chinese approach Things to do in Miami Florida Revenue vs Cost Axis Language learning as an adult The unanchored babies of the green card limbo Price variance in the United States A day in Louisville, Kentucky A surprisingly positive experience with Air India Unhospitable Airports Android: Don't use stale views USA = Union of Sales and Advertisement A day in Nashville, Tennessee Minimize Javascript in your codebase A day in Birmingham, Alabama In defense of ad-supported products Real vs artificial world The science behind Punjabi singers Hiking Mt. Fuji The Indian startup bubble is insane Repairing database on the fly for millions of users Book Summary: One up on Wall Street by Peter Lynch It is hard to recommend Google Cloud At the Prague airport Kyoto in three days Migrating from WordPress to Hugo Book summary: Sick Societies by Robert B. Edgerton Statistical outcomes require statistical games Illegal immigrants to Europe via Cairo Tokyo in three days Mobs are Status Games Writing Script matters as much as the spoken language Sri Lanka in 5 days LLMs: great for business but bad business Book Summary: Safe Haven by Mark Spitznagel Mac shortcut for typing Avagraha symbol On a bus with an asylum seeker Nicaragua in 5 days When to commit Generated code to version control Why I always buy a local SIM in a foreign country Use Makefile for Android Four days in Guadalajara, Mexico Android Navigation: Up vs Back Hotels vs Airbnb vs Hostels Currency issues in Argentina Abstractions should be deep not wide Some data on podcasting Always support compressed response in an API service A day in El Calafate - Patagonia, Argentina Hermetic docker images with Hugging Face machine learning models American Elections The sound of "ch" API services should always have usage Limits Hiking in El Chaltén - trekking capital of Argentina Natural Laws vs Man-made Laws
To keep your machine secure, run third-party tools inside Docker
Ashish Bhatia · 2025-08-09 · via ashishb.net

GitHub Repo stars

Let’s say you are running a linter like HTMLhint. It has 27 dependencies, any of those could be malicious. So, when you do npm install -g htmlhint, you are taking a huge risk. And this is not a theoretical risk.

Even big companies like Amazon are falling for it.

A linter, for example, needs just read-only access to the all the files that you want to lint.

  • It does not need access to files outside the current directory
  • It does not need Internet access
  • It does not need to modify any files either, read-only access is sufficient

So, run it inside Docker to mitigate the risk.

Using Docker, you can enforce the following restrictions:

  • ✅ No ability to send data over the Internet
  • ✅ No access to any files outside the current directory
  • ✅ Read-only access to files inside the current directory
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
# network=none => no network access
# -v ${PWD}:${PWD} => mount current directory to the same path inside the container
# ro => read-only filesystem access
# Build:
# docker build -t htmlhint .
# Run:
# docker run --rm --network=none -v ${PWD}:${PWD}:ro htmlhint ${PWD}
FROM node:24-alpine3.21
RUN npm install -g htmlhint
ENTRYPOINT ["htmlhint"]

This drastically reduces the attack surface of the code.

You can do this with pretty much any tool.

Consider golangci-lint, the famous meta-linter for Go language.

You can run it inside docker with the following command.

1
2
3
$ docker run --rm --network=none -v ${PWD}:${PWD}:ro --workdir=${PWD}
  golangci/golangci-lint:latest-alpine golangci-lint run
...

Or you can do a read/write mount for a formatting tool to let it format/modify the files.

1
2
3
$ docker run --rm --network=none -v ${PWD}:${PWD} --workdir=${PWD}
  golangci/golangci-lint:latest-alpine golangci-lint run --fix
...

I even recommend this technique for running tools on GitHub Actions and have started using this extensively in GitHub Actions Boilerplate Generator.

Update Oct 2025

After multiple publications of malicious packages on npm, I have switched to using Docker for running npm as well.

1
alias npm='docker run --rm -it -v ${PWD}:${PWD} --net=host --workdir=${PWD} node:25-bookworm-slim npm'

Update Dec 2025

I open-sourced my sandbox that runs tools inside Docker-based sandbox.

I use it to run linters and similar tools.

1
2
3
4
$ alias mdl='asb gem exec mdl'
...
$ alias yamllint='asb uvx yamllint'
...