Files
pitstopavto-su-v2/Dockerfile
Dmitry Gusev e87e6e0066
Some checks failed
deploy / deploy (push) Has been cancelled
feat(security): Trivy в CI + npm audit в Dockerfile (Layer A)
- Dockerfile: npm audit HIGH/CRITICAL warning-only после npm ci/install
- CI (для тех у кого ещё не было): Trivy scan собранного образа
  HIGH/CRITICAL severity, --ignore-unfixed, --exit-code 0 (warning-only)

Часть multi-layer security plan: Layer A (минимум), B (Nuclei DAST weekly cron)
и C (GitLeaks + Semgrep + Hadolint) — отдельными задачами в Singularity.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-24 16:47:11 +03:00

27 lines
975 B
Docker

# syntax=docker/dockerfile:1
# ─── Stage 1: build static site (Astro SSG) ────────────────────────────────
FROM node:22-alpine AS build
WORKDIR /app
COPY package.json package-lock.json* ./
RUN npm install --no-audit --no-fund
# Security: npm audit для HIGH/CRITICAL CVE в зависимостях (warning-only).
RUN npm audit --audit-level=high --omit=dev 2>&1 | tee /tmp/npm-audit.log || true
COPY . .
RUN npm run build
# ─── Stage 2: nginx runtime ─────────────────────────────────────────────────
FROM nginx:1.29-alpine
RUN rm -rf /usr/share/nginx/html/*
COPY --from=build /app/dist /usr/share/nginx/html
COPY nginx.conf /etc/nginx/conf.d/default.conf
EXPOSE 80
HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
CMD wget -q --spider http://127.0.0.1/ || exit 1