Some checks failed
deploy / deploy (push) Has been cancelled
- Dockerfile: npm audit HIGH/CRITICAL warning-only после npm ci/install - CI (для тех у кого ещё не было): Trivy scan собранного образа HIGH/CRITICAL severity, --ignore-unfixed, --exit-code 0 (warning-only) Часть multi-layer security plan: Layer A (минимум), B (Nuclei DAST weekly cron) и C (GitLeaks + Semgrep + Hadolint) — отдельными задачами в Singularity. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
27 lines
975 B
Docker
27 lines
975 B
Docker
# syntax=docker/dockerfile:1
|
|
|
|
# ─── Stage 1: build static site (Astro SSG) ────────────────────────────────
|
|
FROM node:22-alpine AS build
|
|
WORKDIR /app
|
|
|
|
COPY package.json package-lock.json* ./
|
|
RUN npm install --no-audit --no-fund
|
|
|
|
# Security: npm audit для HIGH/CRITICAL CVE в зависимостях (warning-only).
|
|
RUN npm audit --audit-level=high --omit=dev 2>&1 | tee /tmp/npm-audit.log || true
|
|
|
|
COPY . .
|
|
RUN npm run build
|
|
|
|
# ─── Stage 2: nginx runtime ─────────────────────────────────────────────────
|
|
FROM nginx:1.29-alpine
|
|
|
|
RUN rm -rf /usr/share/nginx/html/*
|
|
COPY --from=build /app/dist /usr/share/nginx/html
|
|
COPY nginx.conf /etc/nginx/conf.d/default.conf
|
|
|
|
EXPOSE 80
|
|
|
|
HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
|
|
CMD wget -q --spider http://127.0.0.1/ || exit 1
|