fix(docker): apply security updates in runtime stage to clear CVE gate
The pinned Debian snapshot shipped libgnutls30 3.7.9-2+deb12u6, which Trivy flagged for 5 fixed HIGH/CRITICAL CVEs (deb12u7 available), blocking the publish gate. Add apt-get upgrade to the runtime stage so security fixes land without chasing a newer base snapshot on every advisory. Verified locally: Trivy HIGH/CRITICAL fixed-only scan reports 0 findings.
@@ -57,7 +57,12 @@ RUN mix release
# ---- runtime stage ----
FROM ${RUNNER_IMAGE}
# Apply outstanding security updates on top of the pinned snapshot, then install
# only the libs the BEAM needs. `upgrade` keeps us current on CVE fixes (e.g.
# libgnutls30 security patches) without chasing a newer base snapshot on every
# advisory; the pinned snapshot still gives a reproducible starting point.
RUN apt-get update -y \
&& apt-get upgrade -y \
&& apt-get install -y --no-install-recommends \
libstdc++6 openssl libncurses6 locales ca-certificates \
&& apt-get clean && rm -rf /var/lib/apt/lists/*
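Review bot: the added comment says the pinned snapshot "still gives a reproducible starting point", but an unpinned `apt-get upgrade -y` in the same RUN layer makes the runtime image depend on whatever the mirror serves at build time, so two builds of this unchanged Dockerfile can ship different package versions and a later rebuild can pick up (or lose) CVE fixes with no diff to review. If the target is the libgnutls30 deb12u6 to deb12u7 bump named in the commit message, consider pinning it explicitly in the install list (e.g. `libgnutls30=3.7.9-2+deb12u7`) so the fix is visible in the file, or at least wording the comment to say the resulting image is not reproducible from the Dockerfile alone and relying on the publish-gate scan running on every build rather than on the one local Trivy run. It is also worth stating in the comment which apt sources `${RUNNER_IMAGE}` ships with: `apt-get update` followed by `upgrade` only reaches deb12u7 if those sources point at the live mirror rather than the pinned snapshot archive, which is the precondition the local verification implicitly relied on.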