Skip to content
This repository was archived by the owner on Feb 8, 2026. It is now read-only.

Fix backend Trivy security check failures #41

Merged
r-thak merged 1 commit into from
Nov 16, 2025
Merged

Fix backend Trivy security check failures #41

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions backend/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,9 @@ FROM node:20-alpine AS builder

WORKDIR /app

# Upgrade all packages to latest security patches
RUN apk update && apk upgrade --no-cache

# Install dependencies
COPY package*.json ./
RUN if [ -f package-lock.json ]; then npm ci --only=production; else npm install --production; fi
Expand All @@ -13,6 +16,9 @@ COPY . .
# Production stage
FROM node:20-alpine

# Upgrade all packages to latest security patches
RUN apk update && apk upgrade --no-cache

# Add security: Run as non-root user
RUN addgroup -g 1001 -S nodejs && \
adduser -S nodejs -u 1001
Expand Down
3 changes: 3 additions & 0 deletions backend/Dockerfile.minimal
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,9 @@
# This ensures the pipeline can build even without full application code
FROM node:20-alpine

# Upgrade all packages to latest security patches
RUN apk update && apk upgrade --no-cache

WORKDIR /app

# Create minimal package.json if it doesn't exist
Expand Down
6 changes: 6 additions & 0 deletions frontend/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,9 @@ FROM node:20-alpine AS builder

WORKDIR /app

# Upgrade all packages to latest security patches
RUN apk update && apk upgrade --no-cache

# Install dependencies
RUN apk add --no-cache \
python3 \
Expand All @@ -21,6 +24,9 @@ RUN npm run build
# Production stage - Nginx Alpine for serving static files
FROM nginx:alpine

# Upgrade all packages to latest security patches
RUN apk update && apk upgrade --no-cache

# Add security: Remove default nginx user and add custom user
RUN addgroup -g 1001 -S frontend && \
adduser -S frontend -u 1001
Expand Down
6 changes: 6 additions & 0 deletions frontend/Dockerfile.minimal
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,9 @@
# This ensures the pipeline can build even without full application code
FROM node:20-alpine AS builder

# Upgrade all packages to latest security patches
RUN apk update && apk upgrade --no-cache

WORKDIR /app

# Create minimal package.json if it doesn't exist
Expand Down Expand Up @@ -30,6 +33,9 @@ RUN npm run build || (mkdir -p dist && echo '<!DOCTYPE html><html><body>BBF Fron
# Production stage
FROM nginx:alpine

# Upgrade all packages to latest security patches
RUN apk update && apk upgrade --no-cache

# Security: Add non-root user
RUN addgroup -g 1001 -S frontend && \
adduser -S frontend -u 1001
Expand Down
5 changes: 4 additions & 1 deletion nginx/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,10 @@
FROM owasp/modsecurity-crs:nginx-alpine

# Remove default templates to prevent entrypoint from overwriting our custom configs
# Upgrade all packages to latest security patches
USER root
RUN apk update && apk upgrade --no-cache

# Remove default templates to prevent entrypoint from overwriting our custom configs
RUN rm -rf /etc/nginx/templates/*


Expand Down
Loading