evstack · tac0turtle · Feb 18, 2026 · Feb 18, 2026 · Feb 18, 2026 · Mar 4, 2026
diff --git a/Makefile b/Makefile
@@ -3,6 +3,7 @@ include ./scripts/test.mk
 include ./scripts/proto.mk
 include ./scripts/utils.mk
 include ./scripts/run.mk
+include ./scripts/security.mk
 include ./tools/tools.mk
 
 # Sets the default make target to `build`.

diff --git a/apps/evm/Dockerfile b/apps/evm/Dockerfile
@@ -17,10 +17,16 @@ FROM alpine:3.22.2
 #hadolint ignore=DL3018
 RUN apk --no-cache add ca-certificates curl
 
-WORKDIR /root
+RUN addgroup -g 1000 ev-node && \
+    adduser -u 1000 -G ev-node -s /bin/sh -D ev-node
+
+WORKDIR /home/ev-node
 
 COPY --from=build-env /src/apps/evm/evm /usr/bin/evm
 COPY apps/evm/entrypoint.sh /usr/bin/entrypoint.sh
-RUN chmod +x /usr/bin/entrypoint.sh
+RUN chmod +x /usr/bin/entrypoint.sh && \
+    chown -R ev-node:ev-node /home/ev-node
+
+USER ev-node
 
 ENTRYPOINT ["/usr/bin/entrypoint.sh"]
diff --git a/apps/testapp/Dockerfile b/apps/testapp/Dockerfile
@@ -1,7 +1,7 @@
 FROM golang:1.25 AS base

 #hadolint ignore=DL3018
 RUN apt-get update && \
    apt-get install -y --no-install-recommends \
    build-essential \
    ca-certificates \
@@ -27,8 +27,14 @@
 #
 FROM base
 
+RUN groupadd -g 1000 ev-node && \
+    useradd -u 1000 -g ev-node -s /bin/sh -m ev-node
+
 COPY --from=builder /go/bin/testapp /usr/bin
 
-WORKDIR /apps
+WORKDIR /home/ev-node
+RUN chown -R ev-node:ev-node /home/ev-node
+
+USER ev-node
 
 ENTRYPOINT ["testapp"]
diff --git a/scripts/security.mk b/scripts/security.mk
@@ -0,0 +1,43 @@
+# security.mk - Security scanning with Trivy (https://trivy.dev)
+
+TRIVY_IMAGE := aquasec/trivy:latest
+TRIVY_SEVERITY ?= CRITICAL,HIGH
+TRIVY_CACHE_VOLUME := trivy-cache
+
+# Docker images to scan (space-separated, override or extend as needed)
+SCAN_IMAGES ?= evstack:local-dev
+
+# Common docker run args for Trivy
+TRIVY_RUN := docker run --rm \
+	-v $(TRIVY_CACHE_VOLUME):/root/.cache/ \
+	-e TRIVY_SEVERITY=$(TRIVY_SEVERITY)
+
+## trivy-scan: Run all Trivy security scans (filesystem + Docker images)
+trivy-scan: trivy-scan-fs trivy-scan-image
+.PHONY: trivy-scan
+
+## trivy-scan-fs: Scan repo for dependency vulnerabilities, misconfigs, and secrets
+trivy-scan-fs:
+	@echo "--> Scanning repository filesystem with Trivy"
+	@$(TRIVY_RUN) \
+		-v $(CURDIR):/workspace \
+		$(TRIVY_IMAGE) \
+		fs --scanners vuln,misconfig,secret \
+		--severity $(TRIVY_SEVERITY) \
+		/workspace
+	@echo "--> Filesystem scan complete"
+.PHONY: trivy-scan-fs
+
+## trivy-scan-image: Scan built Docker images for vulnerabilities
+trivy-scan-image:
+	@echo "--> Scanning Docker images with Trivy"
+	@for img in $(SCAN_IMAGES); do \
+		echo "--> Scanning image: $$img"; \
+		$(TRIVY_RUN) \
+			-v /var/run/docker.sock:/var/run/docker.sock \
+			$(TRIVY_IMAGE) \
+			image --severity $(TRIVY_SEVERITY) \
+			$$img; \
+	done
+	@echo "--> Image scan complete"
+.PHONY: trivy-scan-image
diff --git a/tools/local-da/Dockerfile b/tools/local-da/Dockerfile
@@ -19,9 +19,15 @@ FROM alpine:3.22.2
 #hadolint ignore=DL3018
 RUN apk --no-cache add ca-certificates curl
 
-WORKDIR /root
+RUN addgroup -g 1000 ev-node && \
+    adduser -u 1000 -G ev-node -s /bin/sh -D ev-node
+
+WORKDIR /home/ev-node
+RUN chown -R ev-node:ev-node /home/ev-node
 
 COPY --from=build-env /src/build/local-da /usr/bin/local-da
 
+USER ev-node
+
 ENTRYPOINT ["/usr/bin/local-da"]
 CMD ["-listen-all"]