# Security

Non-root execution, secret injection lifecycle, setuid removal, cosign signing, and supply chain hardening in workspace images.

Workspace images follow defense-in-depth principles. Every layer adds a security boundary.

## Non-Root Execution

Agents run as the `agent` user (UID 1000), never as root. The container user is switched in the Dockerfile's final stage:

```dockerfile
USER agent
```

All workspace directories (`/workspace`, `/opt/agentic`) are owned by the `agent` user with minimal permissions.

## SetUID/SetGID Removal

All setuid and setgid binaries are stripped during the build, except under `/usr/local`, where toolchain binaries live:

```dockerfile
RUN find / -path /usr/local -prune -o -perm /6000 -type f -exec chmod a-s {} \; 2>/dev/null || true
```

This removes the classic privilege-escalation path: even if an agent executes a compromised binary, it runs with the agent's own UID rather than root. Two caveats when auditing an image: the `2>/dev/null || true` hides any errors, so confirm the result with `find / -path /usr/local -prune -o -perm /6000 -type f -print` (it should print nothing), and check that nothing installed under the excluded `/usr/local` carries a setuid or setgid bit. Linux file capabilities (`security.capability` xattrs set with `setcap`) are a separate escalation mechanism that `chmod a-s` does not remove; `getcap -r / 2>/dev/null` lists them.

## Secret Injection Lifecycle (ADR-024)

Secrets (API keys, tokens) are never baked into images. The injection lifecycle:

1. **Setup phase**: The orchestrator injects secrets via the sidecar proxy or environment variables.
2. **Execution phase**: The agent runs with access to the injected secrets.
3. **Cleanup phase**: Secrets are revoked or cleared before the container is destroyed.

The sidecar proxy (ADR-022) is the preferred injection method: the agent process never sees raw API keys. The proxy intercepts outbound requests and adds the authentication headers itself. Environment-variable injection is the fallback; every process the agent spawns inherits those variables, and any process running as the same UID can read them from `/proc/<pid>/environ`, so a key injected this way should be treated as exposed to the whole agent session.

## Vendor Telemetry Disabled

All vendor phone-home telemetry is disabled by default:

| Variable | Purpose |
|----------|---------|
| `DISABLE_TELEMETRY=1` | Disable Anthropic's Statsig usage metrics |
| `DISABLE_ERROR_REPORTING=1` | Disable Anthropic's Sentry error reporting |
| `RTK_TELEMETRY_DISABLED=1` | Disable RTK analytics |

Only the explicitly configured OTel export (to your own collector) sends data out.

## Supply Chain Security

### Image Signing

Every published image is signed with [cosign](https://github.com/sigstore/cosign) using keyless OIDC (Sigstore).
Verify signatures:

```bash
cosign verify ghcr.io/agentparadise/agentic-workspace-claude-cli:latest
```

cosign 2.x requires the expected signer identity for keyless verification, so also pass `--certificate-oidc-issuer https://token.actions.githubusercontent.com` and a `--certificate-identity-regexp` that matches the publishing GitHub Actions workflow; without them the command refuses to verify. Prefer verifying (and deploying) by digest, `<image>@sha256:<digest>`, since the `latest` tag can be repointed after verification.

### SLSA Provenance + SBOM

Images include SLSA provenance attestations and a Software Bill of Materials (SBOM) generated by BuildKit. These are attached as OCI artifacts alongside the image and can be read back with `docker buildx imagetools inspect <image> --format '{{ json .Provenance }}'` (or `{{ json .SBOM }}`).

### Action SHA Pinning

All GitHub Actions in the build workflow are pinned to commit SHAs rather than mutable tags (`uses: owner/action@<full-sha>`), so a compromised or retagged action release cannot change what the workflow runs.

## Read-Only Root Filesystem

In production deployments, the root filesystem is mounted read-only. Writable paths are limited to:

- `/workspace`: Agent working directory
- `/tmp`: Temporary files
- `/home/agent`: Agent home (tmpfs mount)

This prevents agents from modifying system binaries or installing persistent backdoors. With Docker this corresponds to `--read-only` together with `--tmpfs /tmp`, `--tmpfs /home/agent` and a volume mounted at `/workspace`; because `/home/agent` is tmpfs, anything the agent writes there is discarded when the container stops, which is the intent.
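The stripping and audit from the SetUID/SetGID Removal section above, as an added Python example that is not part of the image's build (the Dockerfile uses the `find` one-liner shown there). It re-implements the same prune and permission match so the outcome can be checked programmatically, and additionally lists Linux file capabilities, which `chmod a-s` leaves in place. The sample tree it builds is constructed for the demonstration; the `usr/local` exclusion mirrors the page.

```python
"""Audit and strip setuid/setgid bits in a filesystem tree.

Added example, not the project's build code. Mirrors the Dockerfile's
`find / -path /usr/local -prune -o -perm /6000 -type f -exec chmod a-s {} \\;`
and also reports file capabilities, which that command does not remove.
The tree built by make_fixture() is constructed for the demonstration.
"""
import os
import stat
import tempfile
from typing import Iterable, List

SUID_BITS = stat.S_ISUID | stat.S_ISGID


def find_suid(root: str, skip: Iterable[str] = ("usr/local",)) -> List[str]:
    """Relative paths of regular files under root with setuid or setgid set.

    Subtrees named in `skip` are pruned, like `-path /usr/local -prune`.
    Symlinks are not followed, matching `-type f`.
    """
    pruned = {os.path.join(root, s) for s in skip}
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in pruned]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; find would skip it too
            if stat.S_ISREG(st.st_mode) and st.st_mode & SUID_BITS:
                found.append(os.path.relpath(path, root))
    return sorted(found)


def strip_suid(root: str, skip: Iterable[str] = ("usr/local",)) -> List[str]:
    """Clear setuid/setgid on every hit from find_suid (chmod a-s); returns what changed."""
    stripped = []
    for rel in find_suid(root, skip):
        path = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~SUID_BITS)
        stripped.append(rel)
    return stripped


def find_file_caps(root: str) -> List[str]:
    """Regular files carrying a security.capability xattr (set with setcap).

    chmod a-s does not touch these, so they need a separate check.
    Returns [] on platforms without os.getxattr.
    """
    if not hasattr(os, "getxattr"):
        return []
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if stat.S_ISREG(os.lstat(path).st_mode):
                    os.getxattr(path, "security.capability", follow_symlinks=False)
                    hits.append(os.path.relpath(path, root))
            except OSError:
                continue  # ENODATA (no capability), ENOTSUP, or unreadable
    return sorted(hits)


def has_suid(root: str, rel: str) -> bool:
    """True if the file at root/rel still carries setuid or setgid."""
    return bool(os.lstat(os.path.join(root, rel)).st_mode & SUID_BITS)


def make_fixture() -> str:
    """Constructed sample tree: two special-bit files outside usr/local,
    one inside it (survives the prune), one ordinary binary. Returns the root."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    files = {
        "usr/bin/passwd": 0o4755,      # setuid, should be stripped
        "bin/mount": 0o2755,           # setgid, should be stripped
        "usr/local/bin/tool": 0o4755,  # excluded by the prune, kept
        "usr/bin/ls": 0o755,           # no special bits
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = make_fixture()
    print("before:", find_suid(root))
    print("stripped:", strip_suid(root))
    print("after:", find_suid(root))
    print("kept under usr/local:", has_suid(root, "usr/local/bin/tool"))
    print("file capabilities:", find_file_caps(root))
```

Run it against a container's root (`find_suid("/")`) from inside the image to confirm the build step worked; a non-empty result from `find_file_caps` is a finding the `find`/`chmod` line alone would never surface.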
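The three lifecycle phases and the sidecar's header injection from the Secret Injection Lifecycle section above, modelled in-process as an added Python example. This is not the project's ADR-022/ADR-024 implementation, which is not on this page; the host-to-header mapping, the secret variable names, the scrubbed environment and the agent's request are constructed assumptions. What it shows is the page's shape: secrets are moved out of the agent's environment at setup, the proxy (never the agent) attaches credentials to outbound requests, and cleanup revokes them so later use fails loudly.

```python
"""Secret injection lifecycle modelled in-process.

Added example, not the project's sidecar code. HOST_CREDENTIALS, the secret
names and the requests in demo() are assumptions constructed for the demo.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class OutboundRequest:
    host: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


class SecretStore:
    """Secrets held by the sidecar process only; never handed to the agent."""

    def __init__(self) -> None:
        self._secrets: Dict[str, str] = {}
        self.revoked = True  # nothing usable until setup() runs

    def setup(self, env: Dict[str, str], names: Tuple[str, ...]) -> Dict[str, str]:
        """Setup phase: move the named secrets out of `env` into the store and
        return the scrubbed environment the agent process is started with."""
        agent_env = dict(env)
        for name in names:
            if name in agent_env:
                self._secrets[name] = agent_env.pop(name)
        self.revoked = False
        return agent_env

    def get(self, name: str) -> Optional[str]:
        if self.revoked:
            raise PermissionError("secrets revoked; cleanup phase already ran")
        return self._secrets.get(name)

    def cleanup(self) -> None:
        """Cleanup phase: clear everything before the container is destroyed."""
        self._secrets.clear()
        self.revoked = True


class SidecarProxy:
    """Attaches the right credential to outbound requests on the agent's behalf."""

    # Assumed mapping: upstream host -> (secret name, header that carries it).
    HOST_CREDENTIALS = {
        "api.anthropic.com": ("ANTHROPIC_API_KEY", "x-api-key"),
        "api.github.com": ("GITHUB_TOKEN", "authorization"),
    }
    # Headers the agent must never be allowed to supply itself.
    CREDENTIAL_HEADERS = {"authorization", "x-api-key", "proxy-authorization"}

    def __init__(self, store: SecretStore) -> None:
        self.store = store

    def forward(self, req: OutboundRequest) -> OutboundRequest:
        """Return the request as the proxy would send it upstream."""
        # Drop any credential header the agent tried to set (case-insensitive).
        headers = {k.lower(): v for k, v in req.headers.items()
                   if k.lower() not in self.CREDENTIAL_HEADERS}
        cred = self.HOST_CREDENTIALS.get(req.host)
        if cred is not None:
            secret_name, header = cred
            value = self.store.get(secret_name)  # raises after cleanup()
            if value is None:
                raise LookupError(f"no secret {secret_name} injected for {req.host}")
            headers[header] = f"Bearer {value}" if header == "authorization" else value
        # Unknown hosts are forwarded without credentials rather than leaking one.
        return OutboundRequest(req.host, req.path, headers)


def demo() -> Tuple[Dict[str, str], OutboundRequest, OutboundRequest]:
    """Walk the three phases with constructed values; returns what each produced."""
    orchestrator_env = {
        "PATH": "/usr/bin",
        "ANTHROPIC_API_KEY": "sk-ant-constructed",  # constructed, not a real key
        "GITHUB_TOKEN": "ghp-constructed",
    }
    store = SecretStore()
    # 1. setup: secrets leave the environment the agent will see
    agent_env = store.setup(orchestrator_env, ("ANTHROPIC_API_KEY", "GITHUB_TOKEN"))
    proxy = SidecarProxy(store)
    # 2. execution: the agent's request carries no usable credential of its own
    sent = proxy.forward(OutboundRequest(
        "api.anthropic.com", "/v1/messages",
        {"Content-Type": "application/json", "Authorization": "Bearer agent-supplied"}))
    passthrough = proxy.forward(OutboundRequest("example.org", "/", {}))
    # 3. cleanup: nothing can be attached after this point
    store.cleanup()
    return agent_env, sent, passthrough
```

The proxy strips agent-supplied `Authorization`/`x-api-key` headers before adding its own, so a key the agent obtained some other way cannot be replayed through the sidecar, and it adds nothing for hosts outside the mapping, which keeps a credential from being sent to an attacker-chosen domain. A real sidecar does the same rewriting on live HTTP traffic; the in-process model keeps the decision logic visible and testable.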