mirror of
https://github.com/status-im/spiff-arena.git
synced 2025-01-10 18:25:42 +00:00
fe4dc14b8d
* updated Dockerfile to try to remove security vulnerabilities w/ burnettk * we require curl for health checks w/ burnettk * try to scan docker image in ci * use Dockerfile from backend w/ burnettk * continue-on-error w/ burnettk * attempt to elevate permissions of snyk w/ burnettk * added snyk security github workflow w/ burnettk * fixed location of constraints w/ burnettk * add in or true for snyk tests w/ burnettk * sent the snyk token w/ burnettk * specify the directory for the sarif file w/ burnettk * updated spiffworkflow-connector-command for snyk issue w/ burnettk * updated sql statements sanitize input * ignore issues for debug_controller and check frontend with snyk w/ burnettk * updated babel and electron for snyk w/ burnettk * some more updates to fix vulnerabilities w/ burnettk * prune repeated deps for frontend builds since * uncomment ci code so it runs again and use node for frontend base image w/ burnettk * fixed backend image name w/ burnettk * pyl w/ burnettk --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com>
46 lines
1.3 KiB
Docker
46 lines
1.3 KiB
Docker
# Base image to share ENV vars that activate VENV.
|
|
FROM node:20.8.1-bookworm-slim AS base
|
|
|
|
RUN mkdir /app
|
|
|
|
WORKDIR /app
|
|
|
|
# this matches total memory on spiffworkflow-demo
|
|
ENV NODE_OPTIONS=--max_old_space_size=2048
|
|
|
|
# Setup image for installing JS dependencies.
|
|
FROM base AS setup
|
|
|
|
COPY . /app/
|
|
|
|
RUN cp /app/package.json /app/package.json.bak
|
|
ADD justservewebserver.package.json /app/package.json
|
|
RUN npm ci --ignore-scripts
|
|
RUN cp -r /app/node_modules /app/node_modules.justserve
|
|
RUN cp /app/package.json.bak /app/package.json
|
|
|
|
# npm ci because it respects the lock file.
|
|
# --ignore-scripts because authors can do bad things in postinstall scripts.
|
|
# https://cheatsheetseries.owasp.org/cheatsheets/NPM_Security_Cheat_Sheet.html
|
|
# npx can-i-ignore-scripts can check that it's safe to ignore scripts.
|
|
RUN npm ci --ignore-scripts
|
|
|
|
RUN ./bin/build
|
|
|
|
# Final image without setup dependencies.
|
|
FROM base AS final
|
|
|
|
LABEL description="Frontend component of SpiffWorkflow, a software development platform for building, running, and monitoring executable diagrams"
|
|
|
|
# WARNING: On localhost frontend assumes backend is one port lower.
|
|
ENV PORT0=7001
|
|
|
|
COPY --from=setup /app/build /app/build
|
|
COPY --from=setup /app/bin /app/bin
|
|
COPY --from=setup /app/node_modules.justserve /app/node_modules
|
|
|
|
RUN chown -R node:node /app
|
|
|
|
USER node
|
|
CMD ["/app/bin/boot_server_in_docker"]
|