status-im/spiff-arena
2
0
Fork 0
mirror of https://github.com/status-im/spiff-arena.git synced 2025-01-11 10:44:16 +00:00
Code Issues Packages Projects Releases Wiki Activity
spiff-arena/spiffworkflow-backend/Dockerfile
jasquat fe4dc14b8d Feature/docker CVE issues (#558) 
* updated Dockerfile to try to remove security vulnerabilities w/ burnettk

* we require curl for health checks w/ burnettk

* try to scan docker image in ci

* use Dockerfile from backend w/ burnettk

* continue-on-error w/ burnettk

* attempt to elevate permissions of snyk w/ burnettk

* added snyk security github workflow w/ burnettk

* fixed location of constraints w/ burnettk

* add in or true for snyk tests w/ burnettk

* sent the snyk token w/ burnettk

* specify the directory for the sarif file w/ burnettk

* updated spiffworkflow-connector-command for snyk issue w/ burnettk

* updated sql statements sanitize input

* ignore issues for debug_controller and check frontend with snyk w/ burnettk

* updated babel and electron for snyk w/ burnettk

* some more updates to fix vulnerabilities w/ burnettk

* prune repeated deps for frontend builds since

* uncomment ci code so it runs again and use node for frontend base image w/ burnettk

* fixed backend image name w/ burnettk

* pyl w/ burnettk

---------

Co-authored-by: jasquat <jasquat@users.noreply.github.com>
2023-10-19 14:22:52 -04:00

58 lines
2.0 KiB
Docker
Raw Blame History

# Base image to share ENV vars that activate VENV.
FROM python:3.11.6-slim-bookworm AS base
ENV VIRTUAL_ENV=/app/venv
RUN python3 -m venv $VIRTUAL_ENV
ENV PATH="$VIRTUAL_ENV/bin:$PATH"
WORKDIR /app
# base plus packages needed for deployment. Could just install these in final, but then we can't cache as much.
# vim is just for debugging
FROM base AS deployment
# git-core because the app does "git commit", etc
# curl because the docker health check uses it
# gunicorn3 for web server
# default-mysql-client for convenience accessing mysql docker container
# vim ftw
RUN apt-get update \
&& apt-get clean -y \
&& apt-get install -y -q git-core curl gunicorn3 default-mysql-client vim \
&& rm -rf /var/lib/apt/lists/*
RUN pip install poetry==1.6.1
# Setup image for installing Python dependencies.
FROM base AS setup
# poetry 1.4 seems to cause an issue where it errors with
# This error originates from the build backend, and is likely not a
# problem with poetry but with lazy-object-proxy (1.7.1) not supporting PEP 517 builds.
# You can verify this by running 'pip wheel --use-pep517 "lazy-object-proxy (==1.7.1) ; python_version >= "3.6""'.
# Pinnning to 1.3.2 to attempt to avoid it.
RUN pip install poetry==1.6.1
RUN useradd _gunicorn --no-create-home --user-group
# default-libmysqlclient-dev for mysqlclient lib
RUN apt-get update \
&& apt-get install -y -q gcc libssl-dev libpq-dev default-libmysqlclient-dev pkg-config
# poetry install takes a long time and can be cached if dependencies don't change,
# so that's why we tolerate running it twice.
COPY pyproject.toml poetry.lock /app/
RUN poetry install --without dev
COPY . /app
RUN poetry install --without dev
# Final image without setup dependencies.
FROM deployment AS final
LABEL source="https://github.com/sartography/spiff-arena"
LABEL description="Backend component of SpiffWorkflow, a software development platform for building, running, and monitoring executable diagrams"
COPY --from=setup /app /app
CMD ["./bin/boot_server_in_docker"]
Reference in New Issue View Git Blame Copy Permalink