Merge pull request #1304 from adamoutler/hadolint-fixes

Fix Hadolint Linting Issues Across Dockerfiles

.devcontainer/Dockerfile

@@ -35,7 +35,7 @@ RUN apk add --no-cache bash shadow python3 python3-dev gcc musl-dev libffi-dev o
 # Create virtual environment owned by root, but readable by everyone else. This makes it easy to copy 
 # into hardened stage without worrying about permissions and keeps image size small. Keeping the commands
 # together makes for a slightly smaller image size.
-RUN pip install -r /tmp/requirements.txt && \
+RUN pip install --no-cache-dir -r /tmp/requirements.txt && \
     chmod -R u-rwx,g-rwx /opt
 
 # second stage is the main runtime stage with just the minimum required to run the application
@@ -71,7 +71,7 @@ ENV LOG_APP_PHP_ERRORS=${NETALERTX_LOG}/app.php_errors.log
 ENV LOG_EXECUTION_QUEUE=${NETALERTX_LOG}/execution_queue.log
 ENV LOG_REPORT_OUTPUT_JSON=${NETALERTX_LOG}/report_output.json
 ENV LOG_STDOUT=${NETALERTX_LOG}/stdout.log
-ENV LOG_CROND=${NETALERTX_LOG}/crond.log
+ENV LOG_CRON=${NETALERTX_LOG}/cron.log
 ENV LOG_NGINX_ERROR=${NETALERTX_LOG}/nginx-error.log
 
 # System Services configuration files
@@ -81,11 +81,11 @@ ENV SYSTEM_SERVICES_SCRIPTS=${SYSTEM_SERVICES}/scripts
 ENV SYSTEM_SERVICES_CONFIG=${SYSTEM_SERVICES}/config
 ENV SYSTEM_NGINX_CONFIG=${SYSTEM_SERVICES_CONFIG}/nginx
 ENV SYSTEM_NGINX_CONFIG_TEMPLATE=${SYSTEM_NGINX_CONFIG}/netalertx.conf.template
+ENV SYSTEM_SERVICES_CONFIG_CRON=${SYSTEM_SERVICES_CONFIG}/cron
 ENV SYSTEM_SERVICES_ACTIVE_CONFIG=/tmp/nginx/active-config
 ENV SYSTEM_SERVICES_ACTIVE_CONFIG_FILE=${SYSTEM_SERVICES_ACTIVE_CONFIG}/nginx.conf
 ENV SYSTEM_SERVICES_PHP_FOLDER=${SYSTEM_SERVICES_CONFIG}/php
 ENV SYSTEM_SERVICES_PHP_FPM_D=${SYSTEM_SERVICES_PHP_FOLDER}/php-fpm.d
-ENV SYSTEM_SERVICES_CROND=${SYSTEM_SERVICES_CONFIG}/crond
 ENV SYSTEM_SERVICES_RUN=/tmp/run
 ENV SYSTEM_SERVICES_RUN_TMP=${SYSTEM_SERVICES_RUN}/tmp
 ENV SYSTEM_SERVICES_RUN_LOG=${SYSTEM_SERVICES_RUN}/logs
@@ -119,7 +119,7 @@ ENV LANG=C.UTF-8
 RUN apk add --no-cache bash mtr libbsd zip lsblk tzdata curl arp-scan iproute2 iproute2-ss nmap \
     nmap-scripts traceroute nbtscan net-tools net-snmp-tools bind-tools awake ca-certificates \
     sqlite php83 php83-fpm php83-cgi php83-curl php83-sqlite3 php83-session python3 envsubst \
-    nginx shadow && \
+    nginx supercronic shadow && \
     rm -Rf /var/cache/apk/*  && \
     rm -Rf /etc/nginx && \
     addgroup -g 20211 ${NETALERTX_GROUP} && \
@@ -150,26 +150,26 @@ COPY --from=builder --chown=20212:20212 ${VIRTUAL_ENV} ${VIRTUAL_ENV}
 # This is done after the copy of the venv to ensure the venv is in place
 # although it may be quicker to do it before the copy, it keeps the image
 # layers smaller to do it after.
-RUN if [ -f .VERSION ]; then \
-        cp .VERSION ${NETALERTX_APP}/.VERSION; \
+RUN if [ -f '.VERSION' ]; then \
+        cp '.VERSION' "${NETALERTX_APP}/.VERSION"; \
     else \
-        echo "DEVELOPMENT 00000000" > ${NETALERTX_APP}/.VERSION; \
+        echo "DEVELOPMENT 00000000" > "${NETALERTX_APP}/.VERSION"; \
     fi && \
-    chown 20212:20212 ${NETALERTX_APP}/.VERSION && \
-    apk add libcap && \
+    chown 20212:20212 "${NETALERTX_APP}/.VERSION" && \
+    apk add --no-cache libcap && \
     setcap cap_net_raw+ep /bin/busybox && \
     setcap cap_net_raw,cap_net_admin+eip /usr/bin/nmap && \
     setcap cap_net_raw,cap_net_admin+eip /usr/bin/arp-scan && \
     setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip /usr/bin/nbtscan && \
     setcap cap_net_raw,cap_net_admin+eip /usr/bin/traceroute && \
-    setcap cap_net_raw,cap_net_admin+eip $(readlink -f ${VIRTUAL_ENV_BIN}/python) && \
+    setcap cap_net_raw,cap_net_admin+eip "$(readlink -f ${VIRTUAL_ENV_BIN}/python)" && \
     /bin/sh /build/init-nginx.sh && \
     /bin/sh /build/init-php-fpm.sh && \
-    /bin/sh /build/init-crond.sh && \
+    /bin/sh /build/init-cron.sh && \
     /bin/sh /build/init-backend.sh && \
     rm -rf /build && \
     apk del libcap && \
-    date +%s > ${NETALERTX_FRONT}/buildtimestamp.txt
+    date +%s > "${NETALERTX_FRONT}/buildtimestamp.txt"
 
 
 ENTRYPOINT ["/bin/sh","/entrypoint.sh"]
@@ -186,13 +186,15 @@ ENV UMASK=0077
 # AI may claim this is stupid, but it's actually least possible permissions as 
 # read-only user cannot login, cannot sudo, has no write permission, and cannot even
 # read the files it owns. The read-only user is ownership-as-a-lock hardening pattern.
-RUN addgroup -g 20212 ${READ_ONLY_GROUP} && \
-    adduser -u 20212 -G ${READ_ONLY_GROUP} -D -h /app ${READ_ONLY_USER}
+RUN addgroup -g 20212 "${READ_ONLY_GROUP}" && \
+    adduser -u 20212 -G "${READ_ONLY_GROUP}" -D -h /app "${READ_ONLY_USER}"
 
 
 # reduce permissions to minimum necessary for all NetAlertX files and folders
 # Permissions 005 and 004 are not typos, they enable read-only. Everyone can
 # read the read-only files, and nobody can write to them, even the readonly user.
+
+# hadolint ignore=SC2114
 RUN chown -R ${READ_ONLY_USER}:${READ_ONLY_GROUP} ${READ_ONLY_FOLDERS} && \
     chmod -R 004 ${READ_ONLY_FOLDERS} && \
     find ${READ_ONLY_FOLDERS} -type d -exec chmod 005 {} + && \
@@ -211,7 +213,7 @@ RUN chown -R ${READ_ONLY_USER}:${READ_ONLY_GROUP} ${READ_ONLY_FOLDERS} && \
     /srv /media && \
     sed -i "/^\(${READ_ONLY_USER}\|${NETALERTX_USER}\):/!d" /etc/passwd && \
     sed -i "/^\(${READ_ONLY_GROUP}\|${NETALERTX_GROUP}\):/!d" /etc/group && \
-    echo -ne '#!/bin/sh\n"$@"\n' > /usr/bin/sudo && chmod +x /usr/bin/sudo
+    printf '#!/bin/sh\n"$@"\n' > /usr/bin/sudo && chmod +x /usr/bin/sudo
 
 USER netalertx
 
@@ -230,6 +232,7 @@ HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
 # Open and wide to avoid permission issues during development allowing max
 # flexibility.
 
+# hadolint ignore=DL3006
 FROM runner AS netalertx-devcontainer
 ENV INSTALL_DIR=/app
 
@@ -243,9 +246,14 @@ ENV PYDEVD_DISABLE_FILE_VALIDATION=1
 COPY .devcontainer/resources/devcontainer-overlay/ /
 USER root
 # Install common tools, create user, and set up sudo
+
 RUN apk add --no-cache git nano vim jq php83-pecl-xdebug py3-pip nodejs sudo gpgconf pytest \
     pytest-cov zsh alpine-zsh-config shfmt github-cli py3-yaml py3-docker-py docker-cli docker-cli-buildx \
-    docker-cli-compose
+    docker-cli-compose shellcheck
+
+# Install hadolint (Dockerfile linter)
+RUN curl -L https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint && \
+    chmod +x /usr/local/bin/hadolint
 
 RUN install -d -o netalertx -g netalertx -m 755 /services/php/modules && \
     cp -a /usr/lib/php83/modules/. /services/php/modules/ && \

.devcontainer/devcontainer.json

@@ -75,7 +75,9 @@
         "alexcvzz.vscode-sqlite",
         "mkhl.shfmt",
         "charliermarsh.ruff",
-        "ms-python.flake8"
+        "ms-python.flake8",
+        "exiasr.hadolint",
+        "timonwong.shellcheck"
       ],
       "settings": {
         "terminal.integrated.cwd": "${containerWorkspaceFolder}",

.devcontainer/resources/devcontainer-Dockerfile

@@ -7,6 +7,7 @@
 # Open and wide to avoid permission issues during development allowing max
 # flexibility.
 
+# hadolint ignore=DL3006
 FROM runner AS netalertx-devcontainer
 ENV INSTALL_DIR=/app
 
@@ -20,9 +21,14 @@ ENV PYDEVD_DISABLE_FILE_VALIDATION=1
 COPY .devcontainer/resources/devcontainer-overlay/ /
 USER root
 # Install common tools, create user, and set up sudo
+
 RUN apk add --no-cache git nano vim jq php83-pecl-xdebug py3-pip nodejs sudo gpgconf pytest \
     pytest-cov zsh alpine-zsh-config shfmt github-cli py3-yaml py3-docker-py docker-cli docker-cli-buildx \
-    docker-cli-compose
+    docker-cli-compose shellcheck
+
+# Install hadolint (Dockerfile linter)
+RUN curl -L https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint && \
+    chmod +x /usr/local/bin/hadolint
 
 RUN install -d -o netalertx -g netalertx -m 755 /services/php/modules && \
     cp -a /usr/lib/php83/modules/. /services/php/modules/ && \

.devcontainer/scripts/generate-configs.sh

@@ -7,27 +7,28 @@
 # the final .devcontainer/Dockerfile used by the devcontainer.
 
 echo "Generating .devcontainer/Dockerfile"
-SCRIPT_DIR="$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)"
+SCRIPT_PATH=$(set -- "$0"; dirname -- "$1")
+SCRIPT_DIR=$(cd "$SCRIPT_PATH" && pwd -P)
 DEVCONTAINER_DIR="${SCRIPT_DIR%/scripts}"
 ROOT_DIR="${DEVCONTAINER_DIR%/.devcontainer}"
 
 OUT_FILE="${DEVCONTAINER_DIR}/Dockerfile"
 
-echo "Adding base Dockerfile from $ROOT_DIR..." 
+echo "Adding base Dockerfile from $ROOT_DIR and merging to devcontainer-Dockerfile" 
+{
 
-echo "# DO NOT MODIFY THIS FILE DIRECTLY. IT IS AUTO-GENERATED BY .devcontainer/scripts/generate-configs.sh" > "$OUT_FILE"
-echo "" >> "$OUT_FILE"
-echo "# ---/Dockerfile---" >> "$OUT_FILE"
+echo "# DO NOT MODIFY THIS FILE DIRECTLY. IT IS AUTO-GENERATED BY .devcontainer/scripts/generate-configs.sh"
+echo ""
+echo "# ---/Dockerfile---" 
 
-cat "${ROOT_DIR}/Dockerfile" >> "$OUT_FILE"
+cat "${ROOT_DIR}/Dockerfile" 
 
-echo "" >> "$OUT_FILE"
-echo "# ---/resources/devcontainer-Dockerfile---" >> "$OUT_FILE"
-echo "" >> "$OUT_FILE"
+echo ""
+echo "# ---/resources/devcontainer-Dockerfile---"
+echo ""
+cat "${DEVCONTAINER_DIR}/resources/devcontainer-Dockerfile"
+} > "$OUT_FILE"
 
-echo "Adding devcontainer-Dockerfile from $DEVCONTAINER_DIR/resources..."
-cat "${DEVCONTAINER_DIR}/resources/devcontainer-Dockerfile" >> "$OUT_FILE"
-
-echo "Generated $OUT_FILE using root dir $ROOT_DIR" >&2
+echo "Generated $OUT_FILE using root dir $ROOT_DIR"
 
 echo "Done."

.devcontainer/scripts/setup.sh

@@ -16,7 +16,6 @@
 
 SOURCE_DIR=${SOURCE_DIR:-/workspaces/NetAlertX}
 PY_SITE_PACKAGES="${VIRTUAL_ENV:-/opt/venv}/lib/python3.12/site-packages"
-SOURCE_SERVICES_DIR="${SOURCE_DIR}/install/production-filesystem/services"
 
 LOG_FILES=(
   LOG_APP
@@ -26,7 +25,7 @@ LOG_FILES=(
   LOG_EXECUTION_QUEUE
   LOG_APP_PHP_ERRORS
   LOG_IP_CHANGES
-  LOG_CROND
+  LOG_CRON
   LOG_REPORT_OUTPUT_TXT
   LOG_REPORT_OUTPUT_HTML
   LOG_REPORT_OUTPUT_JSON

.github/copilot-instructions.md

@@ -83,3 +83,9 @@ Backend loop phases (see `server/__main__.py` and `server/plugin.py`): `once`, `
 - Be sure to offer choices when appropriate.
 - Always understand the intent of the user's request and undo/redo as needed.
 - Above all, use the simplest possible code that meets the need so it can be easily audited and maintained.
+- Always leave logging enabled. If there is a possiblity it will be difficult to debug with current logging, add more logging.
+- Always run the testFailure tool before executing any tests to gather current failure information and avoid redundant runs.
+- Always prioritize using the appropriate tools in the environment first. As an example if a test is failing use `testFailure` then `runTests`. Never `runTests` first. 
+- Docker tests take an extremely long time to run.  Avoid changes to docker or tests until you've examined the exisiting testFailures and runTests results.
+- Environment tools are designed specifically for your use in this project and running them in this order will give you the best results. 
+

.github/workflows/code_checks.yml

@@ -84,7 +84,7 @@ jobs:
         continue-on-error: true
         run: |
           echo "🔍 Linting Dockerfiles..."
-          /tmp/hadolint Dockerfile* || true
+          /tmp/hadolint --config .hadolint.yaml Dockerfile* || true
 
   docker-tests:
     runs-on: ubuntu-latest
@@ -95,5 +95,5 @@ jobs:
       - name: Run Docker-based tests
         run: |
           echo "🐳 Running Docker-based tests..."
-          chmod +x ./run_docker_tests.sh
-          ./run_docker_tests.sh
+          chmod +x ./test/docker_tests/run_docker_tests.sh
+          ./test/docker_tests/run_docker_tests.sh

.hadolint.yaml

@@ -0,0 +1,2 @@
+ignored:
+  - DL3018

Dockerfile

@@ -32,7 +32,7 @@ RUN apk add --no-cache bash shadow python3 python3-dev gcc musl-dev libffi-dev o
 # Create virtual environment owned by root, but readable by everyone else. This makes it easy to copy 
 # into hardened stage without worrying about permissions and keeps image size small. Keeping the commands
 # together makes for a slightly smaller image size.
-RUN pip install -r /tmp/requirements.txt && \
+RUN pip install --no-cache-dir -r /tmp/requirements.txt && \
     chmod -R u-rwx,g-rwx /opt
 
 # second stage is the main runtime stage with just the minimum required to run the application
@@ -68,7 +68,7 @@ ENV LOG_APP_PHP_ERRORS=${NETALERTX_LOG}/app.php_errors.log
 ENV LOG_EXECUTION_QUEUE=${NETALERTX_LOG}/execution_queue.log
 ENV LOG_REPORT_OUTPUT_JSON=${NETALERTX_LOG}/report_output.json
 ENV LOG_STDOUT=${NETALERTX_LOG}/stdout.log
-ENV LOG_CROND=${NETALERTX_LOG}/crond.log
+ENV LOG_CRON=${NETALERTX_LOG}/cron.log
 ENV LOG_NGINX_ERROR=${NETALERTX_LOG}/nginx-error.log
 
 # System Services configuration files
@@ -78,11 +78,11 @@ ENV SYSTEM_SERVICES_SCRIPTS=${SYSTEM_SERVICES}/scripts
 ENV SYSTEM_SERVICES_CONFIG=${SYSTEM_SERVICES}/config
 ENV SYSTEM_NGINX_CONFIG=${SYSTEM_SERVICES_CONFIG}/nginx
 ENV SYSTEM_NGINX_CONFIG_TEMPLATE=${SYSTEM_NGINX_CONFIG}/netalertx.conf.template
+ENV SYSTEM_SERVICES_CONFIG_CRON=${SYSTEM_SERVICES_CONFIG}/cron
 ENV SYSTEM_SERVICES_ACTIVE_CONFIG=/tmp/nginx/active-config
 ENV SYSTEM_SERVICES_ACTIVE_CONFIG_FILE=${SYSTEM_SERVICES_ACTIVE_CONFIG}/nginx.conf
 ENV SYSTEM_SERVICES_PHP_FOLDER=${SYSTEM_SERVICES_CONFIG}/php
 ENV SYSTEM_SERVICES_PHP_FPM_D=${SYSTEM_SERVICES_PHP_FOLDER}/php-fpm.d
-ENV SYSTEM_SERVICES_CROND=${SYSTEM_SERVICES_CONFIG}/crond
 ENV SYSTEM_SERVICES_RUN=/tmp/run
 ENV SYSTEM_SERVICES_RUN_TMP=${SYSTEM_SERVICES_RUN}/tmp
 ENV SYSTEM_SERVICES_RUN_LOG=${SYSTEM_SERVICES_RUN}/logs
@@ -116,7 +116,7 @@ ENV LANG=C.UTF-8
 RUN apk add --no-cache bash mtr libbsd zip lsblk tzdata curl arp-scan iproute2 iproute2-ss nmap \
     nmap-scripts traceroute nbtscan net-tools net-snmp-tools bind-tools awake ca-certificates \
     sqlite php83 php83-fpm php83-cgi php83-curl php83-sqlite3 php83-session python3 envsubst \
-    nginx shadow && \
+    nginx supercronic shadow && \
     rm -Rf /var/cache/apk/*  && \
     rm -Rf /etc/nginx && \
     addgroup -g 20211 ${NETALERTX_GROUP} && \
@@ -147,26 +147,26 @@ COPY --from=builder --chown=20212:20212 ${VIRTUAL_ENV} ${VIRTUAL_ENV}
 # This is done after the copy of the venv to ensure the venv is in place
 # although it may be quicker to do it before the copy, it keeps the image
 # layers smaller to do it after.
-RUN if [ -f .VERSION ]; then \
-        cp .VERSION ${NETALERTX_APP}/.VERSION; \
+RUN if [ -f '.VERSION' ]; then \
+        cp '.VERSION' "${NETALERTX_APP}/.VERSION"; \
     else \
-        echo "DEVELOPMENT 00000000" > ${NETALERTX_APP}/.VERSION; \
+        echo "DEVELOPMENT 00000000" > "${NETALERTX_APP}/.VERSION"; \
     fi && \
-    chown 20212:20212 ${NETALERTX_APP}/.VERSION && \
-    apk add libcap && \
+    chown 20212:20212 "${NETALERTX_APP}/.VERSION" && \
+    apk add --no-cache libcap && \
     setcap cap_net_raw+ep /bin/busybox && \
     setcap cap_net_raw,cap_net_admin+eip /usr/bin/nmap && \
     setcap cap_net_raw,cap_net_admin+eip /usr/bin/arp-scan && \
     setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip /usr/bin/nbtscan && \
     setcap cap_net_raw,cap_net_admin+eip /usr/bin/traceroute && \
-    setcap cap_net_raw,cap_net_admin+eip $(readlink -f ${VIRTUAL_ENV_BIN}/python) && \
+    setcap cap_net_raw,cap_net_admin+eip "$(readlink -f ${VIRTUAL_ENV_BIN}/python)" && \
     /bin/sh /build/init-nginx.sh && \
     /bin/sh /build/init-php-fpm.sh && \
-    /bin/sh /build/init-crond.sh && \
+    /bin/sh /build/init-cron.sh && \
     /bin/sh /build/init-backend.sh && \
     rm -rf /build && \
     apk del libcap && \
-    date +%s > ${NETALERTX_FRONT}/buildtimestamp.txt
+    date +%s > "${NETALERTX_FRONT}/buildtimestamp.txt"
 
 
 ENTRYPOINT ["/bin/sh","/entrypoint.sh"]
@@ -183,13 +183,15 @@ ENV UMASK=0077
 # AI may claim this is stupid, but it's actually least possible permissions as 
 # read-only user cannot login, cannot sudo, has no write permission, and cannot even
 # read the files it owns. The read-only user is ownership-as-a-lock hardening pattern.
-RUN addgroup -g 20212 ${READ_ONLY_GROUP} && \
-    adduser -u 20212 -G ${READ_ONLY_GROUP} -D -h /app ${READ_ONLY_USER}
+RUN addgroup -g 20212 "${READ_ONLY_GROUP}" && \
+    adduser -u 20212 -G "${READ_ONLY_GROUP}" -D -h /app "${READ_ONLY_USER}"
 
 
 # reduce permissions to minimum necessary for all NetAlertX files and folders
 # Permissions 005 and 004 are not typos, they enable read-only. Everyone can
 # read the read-only files, and nobody can write to them, even the readonly user.
+
+# hadolint ignore=SC2114
 RUN chown -R ${READ_ONLY_USER}:${READ_ONLY_GROUP} ${READ_ONLY_FOLDERS} && \
     chmod -R 004 ${READ_ONLY_FOLDERS} && \
     find ${READ_ONLY_FOLDERS} -type d -exec chmod 005 {} + && \
@@ -208,7 +210,7 @@ RUN chown -R ${READ_ONLY_USER}:${READ_ONLY_GROUP} ${READ_ONLY_FOLDERS} && \
     /srv /media && \
     sed -i "/^\(${READ_ONLY_USER}\|${NETALERTX_USER}\):/!d" /etc/passwd && \
     sed -i "/^\(${READ_ONLY_GROUP}\|${NETALERTX_GROUP}\):/!d" /etc/group && \
-    echo -ne '#!/bin/sh\n"$@"\n' > /usr/bin/sudo && chmod +x /usr/bin/sudo
+    printf '#!/bin/sh\n"$@"\n' > /usr/bin/sudo && chmod +x /usr/bin/sudo
 
 USER netalertx
 

Dockerfile.debian

@@ -72,7 +72,7 @@ ENV LOG_APP_PHP_ERRORS=${NETALERTX_LOG}/app.php_errors.log
 ENV LOG_EXECUTION_QUEUE=${NETALERTX_LOG}/execution_queue.log
 ENV LOG_REPORT_OUTPUT_JSON=${NETALERTX_LOG}/report_output.json
 ENV LOG_STDOUT=${NETALERTX_LOG}/stdout.log
-ENV LOG_CROND=${NETALERTX_LOG}/crond.log
+ENV LOG_CRON=${NETALERTX_LOG}/cron.log
 ENV LOG_NGINX_ERROR=${NETALERTX_LOG}/nginx-error.log
 
 # System Services configuration files
@@ -132,25 +132,29 @@ COPY --chmod=775 --chown=${USER_ID}:${USER_GID} . ${INSTALL_DIR}/
 
 
 # ❗ IMPORTANT - if you modify this file modify the /install/install_dependecies.debian.sh file as well ❗ 
-RUN apt update && apt-get install -y \
+# hadolint ignore=DL3008,DL3027
+RUN apt-get update && apt-get install -y --no-install-recommends \
     tini snmp ca-certificates curl libwww-perl arp-scan sudo gettext-base \
     nginx-light php php-cgi php-fpm php-sqlite3 php-curl sqlite3 dnsutils net-tools  \
     python3 python3-dev iproute2 nmap python3-pip zip git systemctl usbutils traceroute nbtscan openrc \
-    busybox nginx nginx-core mtr python3-venv
+    busybox nginx nginx-core mtr python3-venv && \
+    rm -rf /var/lib/apt/lists/*
 
 # While php8.3 is in debian bookworm repos, php-fpm is not included so we need to add sury.org repo
 # (Ondřej Surý maintains php packages for debian. This is temp until debian includes php-fpm in their
 # repos. Likely it will be in Debian Trixie.).  This keeps the image up-to-date with the alpine version.
+# hadolint ignore=DL3008
 RUN apt-get install -y --no-install-recommends \
     apt-transport-https \
     ca-certificates \
     lsb-release \
     wget && \
-    wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg && \
+    wget -q -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg && \
     echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list && \
     apt-get update && \
-    apt-get install -y php8.3-fpm php8.3-cli php8.3-sqlite3 php8.3-common php8.3-curl php8.3-cgi && \
-    ln -s /usr/sbin/php-fpm8.3 /usr/sbin/php-fpm83 # make it compatible with alpine version
+    apt-get install -y --no-install-recommends php8.3-fpm php8.3-cli php8.3-sqlite3 php8.3-common php8.3-curl php8.3-cgi && \
+    ln -s /usr/sbin/php-fpm8.3 /usr/sbin/php-fpm83 && \
+    rm -rf /var/lib/apt/lists/* # make it compatible with alpine version
 
 # Setup virtual python environment and use pip3 to install packages
 RUN python3 -m venv ${VIRTUAL_ENV} && \

back/cron_script.sh

@@ -1,14 +1,17 @@
 #!/bin/bash
 export INSTALL_DIR=/app
 
-LOG_FILE="${INSTALL_DIR}/log/execution_queue.log"
-
-# Check if there are any entries with cron_restart_backend
-if grep -q "cron_restart_backend" "$LOG_FILE"; then
-  # Restart python application using s6
-  s6-svc -r /var/run/s6-rc/servicedirs/netalertx
-  echo 'done'
+if [ -f "${LOG_EXECUTION_QUEUE}" ] && grep -q "cron_restart_backend" "${LOG_EXECUTION_QUEUE}"; then
+  echo "$(date): Restarting backend triggered by cron_restart_backend"
+  killall python3 || echo "killall python3 failed or no process found"
+  sleep 2
+  /services/start-backend.sh &
 
   # Remove all lines containing cron_restart_backend from the log file
-  sed -i '/cron_restart_backend/d' "$LOG_FILE"
+  # Atomic replacement with temp file. grep returns 1 if no lines selected (file becomes empty), which is valid here.
+  grep -v "cron_restart_backend" "${LOG_EXECUTION_QUEUE}" > "${LOG_EXECUTION_QUEUE}.tmp"
+  RC=$?
+  if [ $RC -eq 0 ] || [ $RC -eq 1 ]; then
+    mv "${LOG_EXECUTION_QUEUE}.tmp" "${LOG_EXECUTION_QUEUE}"
+  fi
 fi

front/php/components/logs_defaults.json

@@ -107,11 +107,11 @@
         "buttons": [
             {
                 "labelStringCode": "Maint_PurgeLog",
-                "event": "logManage('crond.log', 'cleanLog')"
+                "event": "logManage('cron.log', 'cleanLog')"
             }
         ],
-    "fileName": "crond.log",
-    "filePath": "__NETALERTX_LOG__/crond.log",
+    "fileName": "cron.log",
+    "filePath": "__NETALERTX_LOG__/cron.log",
         "textAreaCssClass": "logs logs-small"
     }
 ]

front/php/server/util.php

@@ -274,7 +274,7 @@ function cleanLog($logFile)
 
   $path = "";
 
-  $allowedFiles = ['app.log', 'app_front.log', 'IP_changes.log', 'stdout.log', 'stderr.log', 'app.php_errors.log', 'execution_queue.log', 'db_is_locked.log', 'nginx-error.log', 'crond.log'];
+  $allowedFiles = ['app.log', 'app_front.log', 'IP_changes.log', 'stdout.log', 'stderr.log', 'app.php_errors.log', 'execution_queue.log', 'db_is_locked.log', 'nginx-error.log', 'cron.log'];
   
   if(in_array($logFile, $allowedFiles))
   {

install/debian12/install.debian12.sh

@@ -24,7 +24,7 @@ apt-get install sudo -y
 apt-get install -y git
 
 # Clean the directory
-rm -R $INSTALL_DIR/
+rm -R ${INSTALL_DIR:?}/
 
 # Clone the application repository
 git clone https://github.com/jokob-sk/NetAlertX "$INSTALL_DIR/"

install/debian12/install_dependencies.debian12.sh

@@ -34,6 +34,8 @@ sudo phpenmod -v 8.2 sqlite3
 # setup virtual python environment so we can use pip3 to install packages
 apt-get install python3-venv -y
 python3 -m venv /opt/venv
+# Shell check doesn't recognize source command because it's not in the repo, it is in the system at runtime
+# shellcheck disable=SC1091
 source /opt/venv/bin/activate
 
 update-alternatives --install /usr/bin/python python /usr/bin/python3 10

install/debian12/start.debian12.sh

@@ -175,6 +175,8 @@ nginx -t || { echo "[INSTALL] nginx config test failed"; exit 1; }
 # sudo systemctl restart nginx
 
 #  Activate the virtual python environment
+# Shell check doesn't recognize source command because it's not in the repo, it is in the system at runtime
+# shellcheck disable=SC1091
 source /opt/venv/bin/activate
 
 echo "[INSTALL] 🚀 Starting app - navigate to your <server IP>:${PORT}"

install/production-filesystem/build/init-cron.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+echo "Initializing cron..."
+ # Placeholder for cron initialization commands
+echo "cron initialized."

install/production-filesystem/build/init-crond.sh

@@ -1,4 +0,0 @@
-#!/bin/bash
-echo "Initializing crond..."
-#Future crond initializations can go here.
-echo "crond initialized."

install/production-filesystem/build/init-nginx.sh

@@ -1,4 +1,4 @@
 #!/bin/bash
 echo "Initializing nginx..."
-install -d -o netalertx -g netalertx -m 700 ${SYSTEM_SERVICES_RUN_TMP}/client_body;
+install -d -o netalertx -g netalertx -m 700 "${SYSTEM_SERVICES_RUN_TMP}/client_body";
 echo "nginx initialized."

install/production-filesystem/entrypoint.d/0-storage-permission.sh

@@ -51,12 +51,13 @@ if [ "$(id -u)" -eq 0 ]; then
 EOF
     >&2 printf "%s" "${RESET}"
 
-    # Set ownership to netalertx user for all read-write paths
-    chown -R netalertx ${READ_WRITE_PATHS} 2>/dev/null || true
-
-    # Set directory and file permissions for all read-write paths
-    find ${READ_WRITE_PATHS} -type d -exec chmod u+rwx {} \;
-    find ${READ_WRITE_PATHS} -type f -exec chmod u+rw {} \;
+    # Set ownership and permissions for each read-write path individually
+    printf '%s\n' "${READ_WRITE_PATHS}" | while IFS= read -r path; do
+        [ -n "${path}" ] || continue
+        chown -R netalertx "${path}" 2>/dev/null || true
+        find "${path}" -type d -exec chmod u+rwx {} \;
+        find "${path}" -type f -exec chmod u+rw {} \;
+    done
     echo Permissions fixed for read-write paths. Please restart the container as user 20211.
     sleep infinity & wait $!
 fi

install/production-filesystem/entrypoint.d/01-data-migration.sh

@@ -16,11 +16,11 @@ LEGACY_DB=/app/db
 MARKER_NAME=.migration
 
 is_mounted() {
-    local path="$1"
-    if [ ! -d "${path}" ]; then
+    my_path="$1"
+    if [ ! -d "${my_path}" ]; then
         return 1
     fi
-    mountpoint -q "${path}" 2>/dev/null
+    mountpoint -q "${my_path}" 2>/dev/null
 }
 
 warn_unmount_legacy() {

install/production-filesystem/entrypoint.d/15-first-run-config.sh

@@ -2,7 +2,7 @@
 # first-run-check.sh - Checks and initializes configuration files on first run
 
 # Check for app.conf and deploy if required
-if [ ! -f ${NETALERTX_CONFIG}/app.conf ]; then
+if [ ! -f "${NETALERTX_CONFIG}/app.conf" ]; then
     mkdir -p "${NETALERTX_CONFIG}" || {
         >&2 echo "ERROR: Failed to create config directory ${NETALERTX_CONFIG}"
         exit 1

install/production-filesystem/entrypoint.d/20-first-run-db.sh

@@ -441,7 +441,9 @@ CREATE TRIGGER "trg_delete_devices"
             END;
 end-of-database-schema
 
-if [ $? -ne 0 ]; then
+database_creation_status=$?
+
+if [ $database_creation_status -ne 0 ]; then
   RED=$(printf '\033[1;31m')
   RESET=$(printf '\033[0m')
   >&2 printf "%s" "${RED}"

install/production-filesystem/entrypoint.sh

@@ -50,7 +50,7 @@ fi
 RED='\033[1;31m'
 GREY='\033[90m'
 RESET='\033[0m'
-printf "${RED}"
+printf "%s" "${RED}"
 echo '
  _   _      _    ___  _           _  __   __
 | \ | |    | |  / _ \| |         | | \ \ / /
@@ -60,7 +60,7 @@ echo '
 \_| \_/\___|\__\_| |_/_|\___|_|   \__\/   \/
 '
 
-printf "\033[0m"
+printf "%s" "${RESET}"
 echo '   Network intruder and presence detector. 
    https://netalertx.com
 
@@ -69,7 +69,7 @@ set -u
 
 FAILED_STATUS=""
 echo "Startup pre-checks"
-for script in ${ENTRYPOINT_CHECKS}/*; do
+for script in "${ENTRYPOINT_CHECKS}"/*; do
     if [ -n "${SKIP_TESTS:-}" ]; then
         echo "Skipping startup checks as SKIP_TESTS is set."
         break
@@ -77,7 +77,7 @@ for script in ${ENTRYPOINT_CHECKS}/*; do
     script_name=$(basename "$script" | sed 's/^[0-9]*-//;s/\.(sh|py)$//;s/-/ /g')
     echo "--> ${script_name} "
 	if [ -n "${SKIP_STARTUP_CHECKS:-}" ] && echo "${SKIP_STARTUP_CHECKS}" | grep -q "\b${script_name}\b"; then
-		printf "${GREY}skip${RESET}\n"
+    printf "%sskip%s\n" "${GREY}" "${RESET}"
 		continue
 	fi
 
@@ -134,7 +134,7 @@ fi
 
 # Update vendor data (MAC address OUI database) in the background
 # This happens concurrently with service startup to avoid blocking container readiness
-bash ${SYSTEM_SERVICES_SCRIPTS}/update_vendors.sh &
+bash "${SYSTEM_SERVICES_SCRIPTS}/update_vendors.sh" &
 
 
 
@@ -274,7 +274,7 @@ trap on_signal INT TERM
 # Only start crond scheduler on Alpine (non-Debian) environments
 # Debian typically uses systemd or other schedulers
 if [ "${ENVIRONMENT:-}" ] && [ "${ENVIRONMENT:-}" != "debian" ]; then
-    add_service "/services/start-crond.sh" "crond"
+    add_service "/services/start-cron.sh" "supercronic"
 fi
 
 # Start core frontend and backend services
@@ -290,8 +290,6 @@ add_service "${SYSTEM_SERVICES}/start-backend.sh" "python3"
 # Useful for devcontainer debugging where individual services need to be debugged
 if [ "${NETALERTX_DEBUG:-0}" -eq 1 ]; then
 	echo "NETALERTX_DEBUG is set to 1, will not shut down other services if one fails."
-	wait
-	exit $?
 fi
 
 ################################################################################
@@ -316,10 +314,25 @@ while [ -n "${SERVICES}" ]; do
         if ! is_pid_active "${pid}"; then
             wait "${pid}" 2>/dev/null
             status=$?
+
+            # Handle intentional backend restart
+            if [ "${name}" = "python3" ] && [ -f "/tmp/backend_restart_pending" ]; then
+                echo "🔄 Backend restart requested via marker file."
+                rm -f "/tmp/backend_restart_pending"
+                remove_service "${pid}"
+                add_service "${SYSTEM_SERVICES}/start-backend.sh" "python3"
+                continue
+            fi
+
             FAILED_STATUS=$status
             FAILED_NAME="${name}"
             remove_service "${pid}"
-            handle_exit
+            
+            if [ "${NETALERTX_DEBUG:-0}" -eq 1 ]; then
+                echo "⚠️ Service ${name} exited with status ${status}. Debug mode active - continuing."
+            else
+                handle_exit
+            fi
         fi
 
     done

install/production-filesystem/services/config/cron/crontab

@@ -1,4 +1,4 @@
 # Every minute check for cron jobs
 * * * * * /services/scripts/cron_script.sh
 # Update vendors 4x/d
-0 */6 * * * /services/scripts/update_vendors.sh
+0 */6 * * * /services/scripts/update_vendors.sh

install/production-filesystem/services/healthcheck.sh

@@ -21,10 +21,10 @@ log_success() {
 }
 
 # 1. Check if crond is running
-if pgrep -f "crond" > /dev/null; then
-    log_success "crond is running"
+if pgrep -f "supercronic" > /dev/null; then
+    log_success "supercronic is running"
 else
-    log_error "crond is not running"
+    log_error "supercronic is not running"
 fi
 
 # 2. Check if php-fpm is running

install/production-filesystem/services/scripts/cron_script.sh

@@ -5,12 +5,15 @@ export INSTALL_DIR=/app
 
 # Check if there are any entries with cron_restart_backend
 if grep -q "cron_restart_backend" "${LOG_EXECUTION_QUEUE}"; then
-  killall python3
-  sleep 2
-  /services/start-backend.sh &
+  echo "$(date): Restarting backend triggered by cron_restart_backend"
+  
+  # Create marker for entrypoint.sh to restart the service instead of killing the container
+  touch /tmp/backend_restart_pending
+  
+  killall python3 || echo "killall python3 failed or no process found"
 
   # Remove all lines containing cron_restart_backend from the log file
   # Atomic replacement with temp file
-  grep -v "cron_restart_backend" "${LOG_EXECUTION_QUEUE}" > "${LOG_EXECUTION_QUEUE}.tmp" && \
-    mv "${LOG_EXECUTION_QUEUE}.tmp" "${LOG_EXECUTION_QUEUE}"
+  grep -v "cron_restart_backend" "${LOG_EXECUTION_QUEUE}" > "${LOG_EXECUTION_QUEUE}.tmp"
+  mv "${LOG_EXECUTION_QUEUE}.tmp" "${LOG_EXECUTION_QUEUE}"
 fi

install/production-filesystem/services/start-backend.sh

@@ -3,7 +3,7 @@
 cd "${NETALERTX_APP}" || exit 1
 max_attempts=50  # 10 seconds total (50 * 0.2s)
 attempt=0
-while ps ax | grep -v grep | grep -q python3 && [ $attempt -lt $max_attempts ]; do
+while pgrep -x python3 >/dev/null && [ $attempt -lt $max_attempts ]; do
 	killall -TERM python3 &>/dev/null
 	sleep 0.2
 	((attempt++))
@@ -12,4 +12,5 @@ done
 killall -KILL python3 &>/dev/null
 
 echo "Starting python3 $(cat /services/config/python/backend-extra-launch-parameters 2>/dev/null) -m server > ${NETALERTX_LOG}/stdout.log 2> >(tee ${NETALERTX_LOG}/stderr.log >&2)"
-exec python3 $(cat /services/config/python/backend-extra-launch-parameters 2>/dev/null) -m server > ${NETALERTX_LOG}/stdout.log 2> >(tee ${NETALERTX_LOG}/stderr.log >&2)
+read -ra EXTRA_PARAMS < <(cat /services/config/python/backend-extra-launch-parameters 2>/dev/null)
+exec python3 "${EXTRA_PARAMS[@]}" -m server > "${NETALERTX_LOG}/stdout.log" 2> >(tee "${NETALERTX_LOG}/stderr.log" >&2)

install/production-filesystem/services/start-cron.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+set -euo pipefail
+
+
+crond_pid=""
+
+# Called externally, but shellcheck does not see that and claims it is unused.
+# shellcheck disable=SC2329,SC2317
+cleanup() {
+	status=$?
+	echo "Supercronic stopped! (exit ${status})"
+}
+
+# Called externally, but shellcheck does not see that and claims it is unused.
+# shellcheck disable=SC2329,SC2317
+forward_signal() {
+	if [[ -n "${crond_pid}" ]]; then
+		kill -TERM "${crond_pid}" 2>/dev/null || true
+	fi
+}
+
+while pgrep -x crond >/dev/null 2>&1; do
+	killall crond &>/dev/null
+	sleep 0.2
+done
+
+trap cleanup EXIT
+trap forward_signal INT TERM
+
+CRON_OPTS="--quiet"
+if [ "${NETALERTX_DEBUG:-0}" -eq 1 ]; then
+  CRON_OPTS="--debug"
+fi
+
+echo "Starting supercronic ${CRON_OPTS} \"${SYSTEM_SERVICES_CONFIG_CRON}/crontab\" >>\"${LOG_CRON}\" 2>&1 &"
+
+supercronic ${CRON_OPTS} "${SYSTEM_SERVICES_CONFIG_CRON}/crontab" >>"${LOG_CRON}" 2>&1 &
+crond_pid=$!
+
+wait "${crond_pid}"; status=$?
+echo -ne " done"
+exit ${status}

install/production-filesystem/services/start-crond.sh

@@ -1,33 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-
-crond_pid=""
-
-cleanup() {
-	status=$?
-	echo "Crond stopped! (exit ${status})"
-}
-
-forward_signal() {
-	if [[ -n "${crond_pid}" ]]; then
-		kill -TERM "${crond_pid}" 2>/dev/null || true
-	fi
-}
-
-while ps ax | grep -v -e grep -e '.sh' | grep crond >/dev/null 2>&1; do
-	killall crond &>/dev/null
-	sleep 0.2
-done
-
-trap cleanup EXIT
-trap forward_signal INT TERM
-
-echo "Starting /usr/sbin/crond -c \"${SYSTEM_SERVICES_CROND}\" -f -L \"${LOG_CROND}\" >>\"${LOG_CROND}\" 2>&1 &"
-
-/usr/sbin/crond -c "${SYSTEM_SERVICES_CROND}" -f -L "${LOG_CROND}" >>"${LOG_CROND}" 2>&1 &
-crond_pid=$!
-
-wait "${crond_pid}"; status=$?
-echo -ne " done"
-exit ${status}

install/production-filesystem/services/start-nginx.sh

@@ -11,11 +11,15 @@ mkdir -p "${LOG_DIR}" "${RUN_DIR}" "${TMP_DIR}"
 
 nginx_pid=""
 
+# Called externally, but shellcheck does not see that and claims it is unused.
+# shellcheck disable=SC2329,SC2317
 cleanup() {
 	status=$?
 	echo "nginx stopped! (exit ${status})"
 }
 
+# Called externally, but shellcheck does not see that and claims it is unused.
+# shellcheck disable=SC2329,SC2317
 forward_signal() {
 	if [[ -n "${nginx_pid}" ]]; then
 		kill -TERM "${nginx_pid}" 2>/dev/null || true
@@ -24,12 +28,15 @@ forward_signal() {
 
 
 # When in devcontainer we must kill any existing nginx processes
-while ps ax | grep -v -e "grep" -e "nginx.sh" | grep nginx >/dev/null 2>&1; do
+while pgrep -x nginx >/dev/null 2>&1; do
 	killall nginx &>/dev/null || true
 	sleep 0.2
 done
 
 TEMP_CONFIG_FILE=$(mktemp "${TMP_DIR}/netalertx.conf.XXXXXX")
+
+# Shell check doesn't recognize envsubst variables
+# shellcheck disable=SC2016
 if envsubst '${LISTEN_ADDR} ${PORT}' < "${SYSTEM_NGINX_CONFIG_TEMPLATE}" > "${TEMP_CONFIG_FILE}" 2>/dev/null; then
 	mv "${TEMP_CONFIG_FILE}" "${SYSTEM_SERVICES_ACTIVE_CONFIG_FILE}"
 else

install/production-filesystem/services/start-php-fpm.sh

@@ -3,18 +3,22 @@ set -euo pipefail
 
 php_fpm_pid=""
 
+# Called externally, but shellcheck does not see that and claims it is unused.
+# shellcheck disable=SC2329,SC2317
 cleanup() {
 	status=$?
 	echo "php-fpm stopped! (exit ${status})"
 }
 
+# Called externally, but shellcheck does not see that and claims it is unused.
+# shellcheck disable=SC2329,SC2317
 forward_signal() {
 	if [[ -n "${php_fpm_pid}" ]]; then
 		kill -TERM "${php_fpm_pid}" 2>/dev/null || true
 	fi
 }
 
-while ps ax | grep -v grep | grep php-fpm83 >/dev/null; do
+while pgrep -x php-fpm83 >/dev/null; do
 	killall php-fpm83 &>/dev/null
 	sleep 0.2
 done
@@ -27,5 +31,6 @@ echo "Starting /usr/sbin/php-fpm83 -y \"${PHP_FPM_CONFIG_FILE}\" -F >>\"${LOG_AP
 php_fpm_pid=$!
 
 wait "${php_fpm_pid}"
+exit_status=$?
 echo -ne " done"
-exit $?
+exit $exit_status

install/proxmox/proxmox-install-netalertx.sh

@@ -127,6 +127,8 @@ apt-get install -y --no-install-recommends \
     ca-certificates lsb-release curl gnupg
 
 # Detect OS
+# Shell check doesn't recognize source command because it's not in the repo, it is in the system at runtime
+# shellcheck disable=SC1091
 . /etc/os-release
 OS_ID="${ID:-}"
 OS_VER="${VERSION_ID:-}"
@@ -203,6 +205,8 @@ printf "%b\n" "-----------------------------------------------------------------
 printf "%b\n" "${GREEN}[INSTALLING]                          ${RESET}Setting up Python environment"
 printf "%b\n" "--------------------------------------------------------------------------"
 python3 -m venv /opt/myenv
+# Shell check doesn't recognize source command because it's not in the repo, it is in the system at runtime
+# shellcheck disable=SC1091
 source /opt/myenv/bin/activate
 python -m pip install --upgrade pip
 python -m pip install -r "${INSTALLER_DIR}/requirements.txt"

install/ubuntu24/install.sh

@@ -22,7 +22,6 @@ NGINX_CONF_FILE=netalertx.conf
 WEB_UI_DIR=/var/www/html/netalertx
 NGINX_CONFIG_FILE=/etc/nginx/conf.d/$NGINX_CONF_FILE
 OUI_FILE="/usr/share/arp-scan/ieee-oui.txt" # Define the path to ieee-oui.txt and ieee-iab.txt
-SCRIPT_DIR="$(cd -- "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 FILEDB=${INSTALL_DIR}/db/${DB_FILE}
 PHPVERSION="8.3"
 VENV_DIR="/opt/netalertx-python"
@@ -106,7 +105,7 @@ if [ -d "${INSTALL_DIR}" ]; then
   if [ "$1" == "install" ] || [ "$1" == "update" ] || [ "$1" == "start" ]; then
     confirmation=$1
   else
-    read -p "Enter your choice: " confirmation
+    read -rp "Enter your choice: " confirmation
   fi
   if [ "$confirmation" == "install" ]; then
     # Ensure INSTALL_DIR is safe to wipe
@@ -118,7 +117,7 @@ if [ -d "${INSTALL_DIR}" ]; then
       mountpoint -q "${INSTALL_DIR}/front" && umount "${INSTALL_DIR}/front" 2>/dev/null
 
       # Remove all contents safely
-      rm -rf -- "${INSTALL_DIR}"/* "${INSTALL_DIR}"/.[!.]* "${INSTALL_DIR}"/..?* 2>/dev/null
+      rm -rf -- "${INSTALL_DIR:?}"/* "${INSTALL_DIR}"/.[!.]* "${INSTALL_DIR}"/..?* 2>/dev/null
 
       # Re-clone repository
       git clone "${GITHUB_REPO}" "${INSTALL_DIR}/"
@@ -152,6 +151,8 @@ echo "---------------------------------------------------------"
 echo
 # update-alternatives --install /usr/bin/python python /usr/bin/python3 10
 python3 -m venv "${VENV_DIR}"
+# Shell check doesn't recognize source command because it's not in the repo, it is in the system at runtime
+# shellcheck disable=SC1091
 source "${VENV_DIR}/bin/activate"
 
 if [[ ! -f "${REQUIREMENTS_FILE}" ]]; then

scripts/db_cleanup/regenerate-database.sh

@@ -4,10 +4,10 @@
 NETALERTX_DB_FILE=${NETALERTX_DB:-/data/db}/app.db
 
 #remove the old database
-rm ${NETALERTX_DB_FILE}
+rm "${NETALERTX_DB_FILE}"
 
 # Write schema to text to app.db file until we see "end-of-database-schema"
-cat << end-of-database-schema > ${NETALERTX_DB_FILE}.sql
+cat << end-of-database-schema > "${NETALERTX_DB_FILE}.sql"
 CREATE TABLE sqlite_stat1(tbl,idx,stat);
 CREATE TABLE Events (eve_MAC STRING (50) NOT NULL COLLATE NOCASE, eve_IP STRING (50) NOT NULL COLLATE NOCASE, eve_DateTime DATETIME NOT NULL, eve_EventType STRING (30) NOT NULL COLLATE NOCASE, eve_AdditionalInfo STRING (250) DEFAULT (''), eve_PendingAlertEmail BOOLEAN NOT NULL CHECK (eve_PendingAlertEmail IN (0, 1)) DEFAULT (1), eve_PairEventRowid INTEGER);
 CREATE TABLE Sessions (ses_MAC STRING (50) COLLATE NOCASE, ses_IP STRING (50) COLLATE NOCASE, ses_EventTypeConnection STRING (30) COLLATE NOCASE, ses_DateTimeConnection DATETIME, ses_EventTypeDisconnection STRING (30) COLLATE NOCASE, ses_DateTimeDisconnection DATETIME, ses_StillConnected BOOLEAN, ses_AdditionalInfo STRING (250));
@@ -421,4 +421,4 @@ CREATE TRIGGER "trg_delete_devices"
 end-of-database-schema
 
 # Import the database schema into the new database file
-sqlite3 ${NETALERTX_DB_FILE} < ${NETALERTX_DB_FILE}.sql
+sqlite3 "${NETALERTX_DB_FILE}" < "${NETALERTX_DB_FILE}.sql"

scripts/list-ports.sh

@@ -16,4 +16,4 @@ for p in $PORTS; do
 done
 
 # Show any other NetAlertX-related listeners (nginx, php-fpm, python backend)
-ss -ltnp 2>/dev/null | egrep 'nginx|php-fpm|python' || true
+ss -ltnp 2>/dev/null | grep -e 'nginx\|php-fpm\|python' || true

test/docker_tests/configurations/test_all_docker_composes.sh

@@ -11,26 +11,29 @@ echo "==========================================" >> "$LOG_FILE"
 # Function to extract comments from docker-compose file
 extract_comments() {
     local file="$1"
-    echo "File: $(basename "$file")" >> "$LOG_FILE"
-    echo "----------------------------------------" >> "$LOG_FILE"
+	{
 
-    # Extract lines starting with # until we hit a non-comment line
-    awk '
-    /^#/ {
-        # Remove the # and any leading/trailing whitespace
-        comment = substr($0, 2)
-        sub(/^ */, "", comment)
-        sub(/ *$/, "", comment)
-        if (comment != "") {
-            print comment
-        }
-    }
-    /^[^#]/ && !/^$/ {
-        exit
-    }
-    ' "$file" >> "$LOG_FILE"
+		echo "File: $(basename "$file")"
+		echo "----------------------------------------"
 
-    echo "" >> "$LOG_FILE"
+		# Extract lines starting with # until we hit a non-comment line
+		awk '
+		/^#/ {
+			# Remove the # and any leading/trailing whitespace
+			comment = substr($0, 2)
+			sub(/^ */, "", comment)
+			sub(/ *$/, "", comment)
+			if (comment != "") {
+				print comment
+			}
+		}
+		/^[^#]/ && !/^$/ {
+			exit
+		}
+		' "$file"
+
+		echo "" 
+	} >> "$LOG_FILE"
 }
 
 # Function to run docker-compose test
@@ -40,16 +43,17 @@ run_test() {
     dirname=$(dirname "$file")
     local basename
     basename=$(basename "$file")
-
-    echo "Testing: $basename" >> "$LOG_FILE"
-    echo "Directory: $dirname" >> "$LOG_FILE"
-    echo "" >> "$LOG_FILE"
-    echo "Running docker-compose up..." >> "$LOG_FILE"
-    timeout 10s docker-compose -f "$file" up 2>&1 >> "$LOG_FILE"
-
+     {
+		echo "Testing: $basename"
+		echo "Directory: $dirname" 
+		echo ""
+		echo "Running docker-compose up..."
+		timeout 10s docker-compose -f "$file" up 2>&1 
+	 } >> "$LOG_FILE"
     # Clean up
     docker-compose -f "$file" down -v 2>/dev/null || true
     docker volume prune -f 2>/dev/null || true
+}
 
 find "$SCRIPT_DIR" -name "docker-compose*.yml" -type f -print0 | sort -z | while IFS= read -r -d '' file; do
     extract_comments "$file"

test/docker_tests/run_docker_tests.sh

@@ -57,7 +57,7 @@ for i in $(seq 1 $WAIT_SECONDS); do
         echo "--- Services are healthy! ---"
         break
     fi
-    if [ $i -eq $WAIT_SECONDS ]; then
+    if [ "$i" -eq "$WAIT_SECONDS" ]; then
         echo "--- Timeout: Services did not become healthy after $WAIT_SECONDS seconds. ---"
         docker logs netalertx-test-container
         exit 1

test/docker_tests/test_mount_diagnostics_pytest.py

@@ -271,7 +271,7 @@ def create_test_scenarios() -> List[TestScenario]:
             compose_file = f"docker-compose.mount-test.{path_name}_{scenario_name}.yml"
 
             # Determine expected exit code
-            expected_exit_code = 1 if scenario_name == "unwritable" else 0
+            expected_exit_code = 1 if expected_issues else 0
 
             scenarios.append(
                 TestScenario(