danieldaum.net / kaneo
kaneo (minimalist kanban) fork to experiment adding a tangled integration github.com/usekaneo/kaneo
fork atom
kaneo / apps / web / Dockerfile
at main 66 lines 2.2 kB view raw
snyk-bot fix: apps/web/Dockerfile to reduce vulnerabilities
c1b57312
1# Build stage 2FROM --platform=$BUILDPLATFORM node:20-alpine AS builder 3 4# Install build dependencies in a single layer 5RUN apk add --no-cache python3 make g++ && \ 6 corepack enable && \ 7 corepack prepare pnpm@10.7.0 --activate 8 9WORKDIR /app 10 11# Copy package files first for better layer caching 12COPY pnpm-workspace.yaml pnpm-lock.yaml package.json ./ 13COPY apps/web/package.json ./apps/web/ 14COPY packages/typescript-config/package.json ./packages/typescript-config/ 15COPY packages/libs/package.json ./packages/libs/ 16 17# Install dependencies 18RUN pnpm install --frozen-lockfile 19 20# Copy only necessary source code 21COPY packages/typescript-config ./packages/typescript-config 22COPY packages/libs ./packages/libs 23COPY apps/web ./apps/web 24 25# Build the application 26WORKDIR /app/apps/web 27RUN pnpm run build 28 29# Production stage with specific version 30FROM nginx:1.29.5-alpine AS runtime 31 32# Create non-root user and configure nginx in a single layer 33RUN addgroup -g 1001 appuser && \ 34 adduser -u 1001 -G appuser -D appuser && \ 35 # Set permissions for nginx directories 36 chown -R appuser:appuser /var/cache/nginx && \ 37 chmod -R 755 /var/cache/nginx && \ 38 # Create directory for pid file 39 mkdir -p /var/run/nginx && \ 40 chown -R appuser:appuser /var/run/nginx && \ 41 chmod -R 755 /var/run/nginx && \ 42 # Set permissions for nginx pid file 43 touch /var/run/nginx.pid && \ 44 chown appuser:appuser /var/run/nginx.pid && \ 45 chmod 644 /var/run/nginx.pid && \ 46 # Update nginx configuration to run as non-root 47 sed -i 's/user nginx;/user appuser;/' /etc/nginx/nginx.conf && \ 48 # Remove the user directive completely to avoid warnings 49 sed -i 's/user appuser;//' /etc/nginx/nginx.conf 50 51# Copy built files from builder stage 52COPY --from=builder --chown=appuser:appuser /app/apps/web/dist /usr/share/nginx/html 53 54# Copy nginx configuration 55COPY --chown=appuser:appuser apps/web/nginx.conf /etc/nginx/conf.d/default.conf 56 57# Copy and set permissions for environment script 58COPY --chown=appuser:appuser apps/web/env.sh /docker-entrypoint.d/env.sh 59RUN chmod +x /docker-entrypoint.d/env.sh 60 61# Switch to non-root user 62USER appuser 63EXPOSE 5173 64 65# Use exec form of CMD for proper signal handling 66CMD ["nginx", "-g", "daemon off;"]