From aff6300cbd8fa402063d1707bbbb0a6909166165 Mon Sep 17 00:00:00 2001
From: estebanthilliez
Date: Fri, 24 Apr 2026 22:54:28 +0200
Subject: [PATCH] fix trivy release image
---
 .trivyignore | 5 +++++
 Dockerfile | 52 +++++++++++++++++++++++++++-----------------
 docker-entrypoint.sh | 2 +-
 3 files changed, 38 insertions(+), 21 deletions(-)
 create mode 100644 .trivyignore
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..bda1984
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,5 @@
+# Chrome on Debian 12 currently pulls these runtime libraries without distro fixes available.
+# Keep these temporary and remove them once Debian or Google Chrome ships patched packages.
+CVE-2023-45853
+CVE-2025-7458
+CVE-2026-40393
diff --git a/Dockerfile b/Dockerfile
index 952e785..23363ff 100644
--- a/Dockerfile
+++ b/Dockerfile
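Review bot: The three suppressions are described as temporary, but nothing enforces that; Trivy's `.trivyignore` accepts a per-entry expiry (`CVE-2023-45853 exp:YYYY-MM-DD`, date to be chosen by the team) after which the finding is reported again, which turns the comment's intent into a check the scanner performs. Applying the same `exp:` form to `CVE-2025-7458` and `CVE-2026-40393` keeps all three on the same review cadence. It would also help a later reviewer to record, per CVE, which Chrome-pulled package the finding is attributed to and why it is judged not to affect this image, since the current comment covers all three at once.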
@@ -1,43 +1,55 @@
-FROM node:20.12.2-slim
+FROM node:20.19.5-bookworm-slim AS deps
+
+WORKDIR /app
+
+COPY package.json pnpm-lock.yaml ./
+
+RUN node -e "const fs = require('fs'); const pkg = JSON.parse(fs.readFileSync('package.json', 'utf8')); pkg.pnpm = pkg.pnpm || {}; pkg.pnpm.overrides = { ...(pkg.pnpm.overrides || {}), 'basic-ftp': '5.3.0', 'path-to-regexp': '8.4.0', 'qs': '6.14.2' }; fs.writeFileSync('package.json', JSON.stringify(pkg, null, 2) + '\n');" \
+ && corepack enable \
+ && corepack prepare pnpm@10.33.2 --activate \
+ && pnpm install --no-frozen-lockfile --prod \
+ && pnpm store prune
+
+FROM node:20.19.5-bookworm-slim
 ENV NODE_ENV=production
-# Install Chrome and dependencies
-RUN apt-get update && apt-get install -y --no-install-recommends \
- ca-certificates wget gnupg xvfb fonts-liberation \
+RUN savedAptMark="$(apt-mark showmanual)" \
+ && apt-get update \
+ && apt-get upgrade -y \
+ && apt-get install -y --no-install-recommends \
+ ca-certificates \
+ fonts-liberation \
+ gnupg \
+ wget \
+ xvfb \
 && wget -qO- https://dl.google.com/linux/linux_signing_key.pub \
 | gpg --dearmor -o /usr/share/keyrings/google-linux-signing-keyring.gpg \
 && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/google-linux-signing-keyring.gpg] https://dl.google.com/linux/chrome/deb/ stable main" \
 > /etc/apt/sources.list.d/google-chrome.list \
 && apt-get update \
 && apt-get install -y --no-install-recommends google-chrome-stable \
- && apt-get purge -y --auto-remove wget gnupg \
+ && [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark \
+ && apt-mark manual ca-certificates fonts-liberation google-chrome-stable xvfb \
+ && rm -f /etc/apt/sources.list.d/google-chrome.list /usr/share/keyrings/google-linux-signing-keyring.gpg \
 && rm -rf /var/lib/apt/lists/*
-RUN corepack enable
-
-# Create a non-root user for running the app
 RUN useradd --create-home --home-dir /app --shell /bin/sh appuser
-# Set working directory
 WORKDIR /app
-# Entrypoint script
 COPY docker-entrypoint.sh /usr/local/bin/
 RUN chmod 755 /usr/local/bin/docker-entrypoint.sh
-# Copy and install dependencies
-COPY --chown=appuser:appuser package.json pnpm-lock.yaml ./
-USER appuser
-RUN corepack prepare pnpm@9.0.0 --activate \
- && pnpm install --frozen-lockfile --prod \
- && pnpm store prune
-
-# Copy app code
+COPY --from=deps --chown=appuser:appuser /app/node_modules ./node_modules
+COPY --chown=appuser:appuser package.json ./
 COPY --chown=appuser:appuser . .
-# Expose port (match your app's port)
+RUN rm -rf /usr/local/lib/node_modules/npm \
+ && rm -f /usr/local/bin/npm /usr/local/bin/npx /usr/local/bin/corepack
+
+USER appuser
+
 EXPOSE 10000
-# Start Xvfb and run the bot
 CMD ["/usr/local/bin/docker-entrypoint.sh"]
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index 00af8e6..56eb080 100644
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -6,7 +6,7 @@ xvfb_pid=$!
 export DISPLAY=:99
-npm start &
+node index.js &
 app_pid=$!
 term_handler() {
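Review bot: The apt-mark bookkeeping in the new Chrome install step has no effect, because nothing is ever marked `auto` and no `apt-get purge --auto-remove` runs: `apt-get install` already marks the named packages manual, so both `apt-mark manual` lines are no-ops and `gnupg`, which the previous version purged and which is only needed for the `gpg --dearmor` step, now stays in the runtime image along with its dependencies. `wget` is, to my knowledge, declared as a dependency of `google-chrome-stable` and so cannot be purged without removing Chrome (probably why the old purge line was dropped), but adding `&& apt-get purge -y --auto-remove gnupg \` before the final `rm -rf /var/lib/apt/lists/*` and deleting the two `apt-mark` lines removes the build-only tooling from the image Trivy scans; please confirm against the Chrome package's Depends before relying on this. The `deps` stage also rewrites `package.json` in the build layer and installs with `--no-frozen-lockfile`, so `pnpm-lock.yaml` no longer pins what ends up in `node_modules`, the resolved set can change between builds, and the final stage's `COPY --chown=appuser:appuser package.json ./` ships the unpatched manifest. Committing the `pnpm.overrides` to the repository's `package.json`, regenerating the lockfile and returning to `pnpm install --frozen-lockfile --prod` keeps the dependency set reproducible and reviewable. Note also that `rm -rf /usr/local/lib/node_modules/npm` in the final stage hides those files from the image's filesystem view without shrinking the base layer, which is fine for the scan result but should not be expected to reduce image size.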