Hi
When using the new Unified Deployment beta, the Bitwarden Server runs based on the default ASP.NET Core Docker image. Therefore, one can connect to the container and start a shell session, e.g. via docker exec -it bitwarden bash. This enables a whole set of attack vectors.
Since the Bitwarden Server seems to be a more or less common .NET app, it would be great to offer a distroless / chiseled Bitwarden Docker image, e.g. bitwarden/self-host:beta-chiseled, as Microsoft provides the corresponding ASP.NET Core base images, too (e.g. mcr.microsoft.com/dotnet/aspnet:9.0.0-noble-chiseled). Here you find more information from Microsoft in a dedicated blog post.
I’ve migrated several of my own apps to use the chiseled base images and it works nicely.
Thx for considering this!
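To illustrate what the request above amounts to in practice, here is an added example of a multi-stage Dockerfile that publishes a generic ASP.NET Core app and runs it on the chiseled base image named in the post. It is not Bitwarden's own Dockerfile and does not reflect how the self-host image is built; the project name MyApp.csproj, the entry assembly MyApp.dll and the SDK tag mcr.microsoft.com/dotnet/sdk:9.0 are assumptions for the sake of the example.

```dockerfile
# Stage 1: build and publish with the full SDK image (assumed tag).
FROM mcr.microsoft.com/dotnet/sdk:9.0 AS build
WORKDIR /src
# Restore first so the layer is cached while sources change.
COPY MyApp.csproj .
RUN dotnet restore MyApp.csproj
COPY . .
RUN dotnet publish MyApp.csproj -c Release -o /app/publish --no-restore

# Stage 2: run on the chiseled ASP.NET Core runtime from the post.
# The image ships no shell, no package manager and no apt metadata,
# so a compromised process cannot simply spawn bash via docker exec.
FROM mcr.microsoft.com/dotnet/aspnet:9.0.0-noble-chiseled AS runtime
WORKDIR /app
COPY --from=build /app/publish .
# Chiseled .NET images already run as the non-root "app" user and
# listen on port 8080 by default, so no USER/ASPNETCORE_URLS override is needed.
EXPOSE 8080
# Exec form is mandatory: shell form would need /bin/sh, which does not exist here.
ENTRYPOINT ["dotnet", "MyApp.dll"]
```

Two caveats a practitioner will run into: anything that assumes a shell in the running container breaks (a HEALTHCHECK that calls curl or sh, debug sessions via docker exec -it ... bash), so health probes have to move to the orchestrator or to an endpoint the app itself serves, and troubleshooting is done with docker logs or a separately attached debug container rather than from inside the image.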