fix(docker): apk upgrade in production stage to clear inherited CVEs
frontend-ci / typecheck (push) Failing after 5s
frontend-ci / secrets-scan (push) Successful in 5s
frontend-ci / fs-scan (push) Successful in 11s
frontend-ci / sast (push) Successful in 13s
frontend-ci / lint (push) Successful in 15s
frontend-ci / build (push) Has been skipped
frontend-ci / push (push) Has been skipped
Trivy's image scan flagged nghttp2-libs CVE-2026-27135 (HTTP/2 DoS), inherited from nginx:alpine. The fix exists in Alpine's repos (1.68.1) but the base image's pinned tag is still on 1.68.0-r0. Run `apk upgrade --no-cache` in the production stage to pull current security fixes from Alpine, then install gettext as before. This keeps us current with Alpine security patches independent of how fast the upstream nginx:alpine tag rebuilds.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
+3
-1
@@ -19,7 +19,9 @@ RUN npm run build
# --- Production stage ---
FROM nginx:alpine AS production
RUN apk add --no-cache gettext
# Pull current security fixes for OS packages inherited from the base image
# (e.g. nghttp2-libs CVE-2026-27135), then install envsubst for runtime config.
RUN apk upgrade --no-cache && apk add --no-cache gettext
COPY --from=build /app/dist /usr/share/nginx/html
COPY nginx.conf /etc/nginx/conf.d/default.conf
COPY docker/config.js.template /etc/nginx/templates/config.js.template
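Review bot: the new `RUN apk upgrade --no-cache && apk add --no-cache gettext` line makes the production image's package set depend on the state of Alpine's repositories at build time, so two builds of the same commit can contain different package versions and produce different Trivy results; combined with the floating `FROM nginx:alpine AS production` base, there are now two sources of drift in this stage. If the team wants builds to be reproducible, pin the base image by digest and express the fix as a version constraint on nghttp2-libs rather than an open-ended upgrade; if keeping the rolling upgrade is the intended trade-off (it is a reasonable one for picking up patches faster than the upstream tag rebuilds), document in the comment that the image must be rebuilt on a schedule, since a cached layer will not pick up anything published after it was built. Also consider dropping the specific CVE id from the Dockerfile comment on the preceding line: it describes why the line was added today but will read as stale or misleading once that advisory is long gone, and the commit message already records the motivation.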