
Commit 8c57c85

committed
🚑️(backend) fix CVEs in backend image
Use the Alpine variant for the production image instead of the Debian one in order to have fewer CVEs.
1 parent a798870 commit 8c57c85


2 files changed

+23
-26
lines changed


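--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,10 @@ and this project adheres to
 
 ## [Unreleased]
 
+## Added
+
+- ✨(ci) add security scan #291
+
 ## Changed
 
 - 💄(frontend) error alert closeable on editor #284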

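--- a/Dockerfile
+++ b/Dockerfile
@@ -1,15 +1,14 @@
 # Django impress
 
 # ---- base image to inherit from ----
-FROM python:3.10-slim-bullseye as base
+FROM python:3.12.6-alpine3.20 as base
 
 # Upgrade pip to its latest release to speed up dependencies installation
-RUN python -m pip install --upgrade pip
+RUN python -m pip install --upgrade pip setuptools
 
 # Upgrade system packages to install security updates
-RUN apt-get update && \
-apt-get -y upgrade && \
-rm -rf /var/lib/apt/lists/*
+RUN apk update && \
+apk upgrade
 
 # ---- Back-end builder image ----
 FROM base as back-builder
@@ -38,12 +37,10 @@ RUN yarn install --frozen-lockfile && \
 FROM base as link-collector
 ARG IMPRESS_STATIC_ROOT=/data/static
 
-# Install libpangocairo & rdfind
-RUN apt-get update && \
-apt-get install -y \
-libpangocairo-1.0-0 \
-rdfind && \
-rm -rf /var/lib/apt/lists/*
+# Install pango & rdfind
+RUN apk add \
+pango \
+rdfind
 
 # Copy installed python dependencies
 COPY --from=back-builder /install /usr/local
@@ -67,18 +64,16 @@ FROM base as core
 ENV PYTHONUNBUFFERED=1
 
 # Install required system libs
-RUN apt-get update && \
-apt-get install -y \
-gettext \
-libcairo2 \
-libffi-dev \
-libgdk-pixbuf2.0-0 \
-libpango-1.0-0 \
-libpangocairo-1.0-0 \
-pandoc \
-fonts-noto-color-emoji \
-shared-mime-info && \
-rm -rf /var/lib/apt/lists/*
+RUN apk add \
+gettext \
+cairo \
+libffi-dev \
+gdk-pixbuf \
+pango \
+pandoc \
+font-noto-emoji \
+font-noto \
+shared-mime-info
 
 # Copy entrypoint
 COPY ./docker/files/usr/local/bin/entrypoint /usr/local/bin/entrypoint
@@ -108,9 +103,7 @@ FROM core as backend-development
 USER root:root
 
 # Install psql
-RUN apt-get update && \
-apt-get install -y postgresql-client && \
-rm -rf /var/lib/apt/lists/*
+RUN apk add postgresql-client
 
 # Uninstall impress and re-install it in editable mode along with development
 # dependencies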
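Review bot: The new `apk` steps drop the same-layer cleanup that the removed `apt-get` lines had (`rm -rf /var/lib/apt/lists/*`), so the index fetched by `apk update` in the `base` stage stays in a layer that every later stage inherits. The `apk add` steps in `link-collector`, `core` and `backend-development` then resolve against that index, which can be stale whenever the base layer is served from the build cache. For a commit aimed at lowering the CVE count I would use `RUN apk upgrade --no-cache` in `base` and `RUN apk add --no-cache \` in the three install steps, so each step fetches a current index and leaves none in the image. Separately, `libffi-dev` is a development package kept in the runtime `core` stage; if only the shared library is needed at run time, `libffi` would presumably be enough, but that needs confirming against the Python dependencies, which are not visible in these hunks. The stages continue outside the hunks shown, so later steps may already cover part of this.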
