From a6bafa856257c0b40c98f0847751aee1a24eff07 Mon Sep 17 00:00:00 2001 From: Claude Date: Sun, 16 Nov 2025 14:31:41 +0000 Subject: [PATCH] Fix Trivy security vulnerabilities in all Dockerfiles Added apk update && apk upgrade --no-cache to all Alpine-based Docker images to ensure all system packages are upgraded to their latest versions with security patches. This addresses CRITICAL and HIGH severity vulnerabilities detected by Trivy scans in the CI/CD pipeline. Changes: - backend/Dockerfile: Added package upgrades in both builder and production stages - backend/Dockerfile.minimal: Added package upgrade for CI/CD builds - frontend/Dockerfile: Added package upgrades in both builder and production stages - frontend/Dockerfile.minimal: Added package upgrades in both stages - nginx/Dockerfile: Added package upgrade to NGINX WAF image This ensures defense-in-depth security by keeping base images current with the latest security patches while maintaining the existing multi-layer security architecture (WAF, OPA, Falco, application security). --- backend/Dockerfile | 6 ++++++ backend/Dockerfile.minimal | 3 +++ frontend/Dockerfile | 6 ++++++ frontend/Dockerfile.minimal | 6 ++++++ nginx/Dockerfile | 5 ++++- 5 files changed, 25 insertions(+), 1 deletion(-) diff --git a/backend/Dockerfile b/backend/Dockerfile index fca2e6e..ce35091 100644 --- a/backend/Dockerfile +++ b/backend/Dockerfile @@ -3,6 +3,9 @@ FROM node:20-alpine AS builder WORKDIR /app +# Upgrade all packages to latest security patches +RUN apk update && apk upgrade --no-cache + # Install dependencies COPY package*.json ./ RUN if [ -f package-lock.json ]; then npm ci --only=production; else npm install --production; fi @@ -13,6 +16,9 @@ COPY . . # Production stage FROM node:20-alpine +# Upgrade all packages to latest security patches +RUN apk update && apk upgrade --no-cache + # Add security: Run as non-root user RUN addgroup -g 1001 -S nodejs && \ adduser -S nodejs -u 1001 
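Review bot: The upgrade added after `WORKDIR /app` in the `builder` stage cannot change what Trivy reports, because intermediate stages are discarded and only the production stage (`FROM node:20-alpine` in the next hunk) is the image that gets scanned — apk packages upgraded here never reach it even if `node_modules` is copied across. What it does do is invalidate the cached `npm ci` layer below it whenever the Alpine index moves, so every build pays for a full dependency install. If the intent is build-tool hygiene rather than scan results, state that in the comment, e.g. `# Build-stage hygiene only: nothing apk installs here ships in the final image`; otherwise drop the layer and keep the upgrade in the production stage only. What the production stage copies from `builder` is outside this hunk.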
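Review bot: The upgrade added after `FROM node:20-alpine` in the production stage is a silent no-op on any build that reuses layer cache, because its only input is the instruction text, which never changes — a cached layer is replayed and the CVEs flagged today come back without the Dockerfile changing. It also makes the image non-reproducible: two builds of the same commit differ by whatever Alpine published in between, and the "latest patches" the comment promises are whatever existed when the layer last happened to rebuild. The durable lever is to pin the base by digest and bump it when Trivy complains, `FROM node:20-alpine@sha256:<digest>`; if `apk upgrade` stays as a stopgap, the comment should say what it depends on, e.g. `# Only effective when this layer is rebuilt — CI must build with --pull --no-cache`. Note too that node and npm in this image are installed under /usr/local rather than via apk (as far as I can tell), so findings reported against the bundled npm are not addressed by this line at all.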
diff --git a/backend/Dockerfile.minimal b/backend/Dockerfile.minimal index b7d3ffd..1e84852 100644 --- a/backend/Dockerfile.minimal +++ b/backend/Dockerfile.minimal @@ -2,6 +2,9 @@ # This ensures the pipeline can build even without full application code FROM node:20-alpine +# Upgrade all packages to latest security patches +RUN apk update && apk upgrade --no-cache + WORKDIR /app # Create minimal package.json if it doesn't exist diff --git a/frontend/Dockerfile b/frontend/Dockerfile index f5d5863..6a094fd 100644 --- a/frontend/Dockerfile +++ b/frontend/Dockerfile @@ -3,6 +3,9 @@ FROM node:20-alpine AS builder WORKDIR /app +# Upgrade all packages to latest security patches +RUN apk update && apk upgrade --no-cache + # Install dependencies RUN apk add --no-cache \ python3 \ @@ -21,6 +24,9 @@ RUN npm run build # Production stage - Nginx Alpine for serving static files FROM nginx:alpine +# Upgrade all packages to latest security patches +RUN apk update && apk upgrade --no-cache + # Add security: Remove default nginx user and add custom user RUN addgroup -g 1001 -S frontend && \ adduser -S frontend -u 1001 diff --git a/frontend/Dockerfile.minimal b/frontend/Dockerfile.minimal index d33814f..7341131 100644 --- a/frontend/Dockerfile.minimal +++ b/frontend/Dockerfile.minimal @@ -2,6 +2,9 @@ # This ensures the pipeline can build even without full application code FROM node:20-alpine AS builder +# Upgrade all packages to latest security patches +RUN apk update && apk upgrade --no-cache + WORKDIR /app # Create minimal package.json if it doesn't exist @@ -30,6 +33,9 @@ RUN npm run build || (mkdir -p dist && echo 'BBF Fron # Production stage FROM nginx:alpine +# Upgrade all packages to latest security patches +RUN apk update && apk upgrade --no-cache + # Security: Add non-root user RUN addgroup -g 1001 -S frontend && \ adduser -S frontend -u 1001 diff --git a/nginx/Dockerfile b/nginx/Dockerfile index 0111561..ba1795f 100644 --- a/nginx/Dockerfile +++ b/nginx/Dockerfile 
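Review bot: `apk update` is redundant with `--no-cache` and leaves the downloaded APKINDEX files under `/var/cache/apk/` in this layer, since `apk upgrade --no-cache` fetches its own index and ignores the local cache (hadolint DL3019 flags this pattern); the single instruction `RUN apk upgrade --no-cache` does the same work without the leftover. The same two-command form is repeated in every hunk of this patch, so the fix applies across the board. Because the header describes this file as a CI fallback that builds without the full application code, check which image the Trivy gate actually scans — a clean scan of the image built from this file says nothing about the one built from backend/Dockerfile.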
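Review bot: The new `RUN apk update && apk upgrade --no-cache` in the frontend `builder` stage sits directly above the existing `RUN apk add --no-cache \` (whose package list continues past the hunk), so the upgrade and the install land in two layers and resolve against two separately fetched indexes. Fold them into one instruction so the packages are installed against the same index snapshot the upgrade used, and the image gains one fewer layer: `RUN apk upgrade --no-cache && apk add --no-cache \` followed by the existing `python3 \` list. As elsewhere in this patch, the leading `apk update` is unnecessary with `--no-cache` and only leaves index files in the layer.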
@@ -1,7 +1,10 @@ FROM owasp/modsecurity-crs:nginx-alpine -# Remove default templates to prevent entrypoint from overwriting our custom configs +# Upgrade all packages to latest security patches USER root +RUN apk update && apk upgrade --no-cache + +# Remove default templates to prevent entrypoint from overwriting our custom configs RUN rm -rf /etc/nginx/templates/*
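Review bot: The new `RUN apk update && apk upgrade --no-cache` runs under the pre-existing `USER root`, and the hunk ends with root still active; whether a later `USER` switches back to an unprivileged account is outside this hunk, so confirm it does, since the nginx/ModSecurity entrypoint otherwise starts as root. The comment moved above `USER root` now reads as if the escalation exists only for the upgrade, while the `rm -rf /etc/nginx/templates/*` below needs it too; Dockerfile comments must be on their own line, so add one such as `# Root is required for the upgrade and the template cleanup below; a later USER must drop back before ENTRYPOINT`. Also note `apk upgrade` only touches packages from the repositories configured in the image — if nginx or ModSecurity in the CRS image are not installed from Alpine's repos, findings in them need a newer upstream image, and since `nginx-alpine` is a floating tag, pinning a versioned tag or digest is the lever that makes that bump visible in review.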