
build: harden docker image for scanner findings#881

Merged
gildesmarais merged 5 commits into main from feat/docker-harden-scan
Mar 15, 2026

Conversation

@gildesmarais (Member)

Summary

  • pin the Ruby and Node base images by digest
  • shrink the runtime image by copying only app runtime files and removing curl-based health checks
  • prune Bundler cache and git metadata, remove unnecessary runtime XML packages, and upgrade runtime zlib

Verification

  • docker compose -f .devcontainer/docker-compose.yml exec -T app make ready
  • docker build -t html2rss/web-security-smoke -f Dockerfile .
  • docker run --rm html2rss/web-security-smoke ruby -e 'require "nokogiri"; puts Nokogiri::VERSION_INFO.to_h'

Notes

  • Nokogiri still loads correctly after removing Alpine runtime libxml2/libxslt packages.
  • curl is no longer shipped in the final runtime image.
  • An unrelated local change in AGENTS.md was left unstaged and is not part of this PR.

@gildesmarais gildesmarais changed the title from "Harden Docker image for scanner findings" to "build: harden docker image for scanner findings" on Mar 15, 2026
@gildesmarais gildesmarais requested a review from Copilot March 15, 2026 19:13
Copilot AI (Contributor) left a comment

Pull request overview

This PR hardens the project’s Docker image to address scanner findings by pinning base images, reducing the runtime footprint, and trimming build artifacts in the final image.

Changes:

  • Pin Ruby and Node base images by digest and use the pinned Node image for the frontend build stage.
  • Reduce image size by cleaning Bundler artifacts and copying only runtime app files into the final stage.
  • Remove curl-based health checks and replace them with a Ruby Net::HTTP healthcheck; drop several runtime APK packages and upgrade zlib.

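The curl-free healthcheck that the review summary refers to, as an added example rather than code from the html2rss PR: a probe built on Ruby's standard-library Net::HTTP so the runtime image can drop curl. The host, port and `/health` path are assumptions about the app, and the fake server exists only so the check can be exercised offline.

```ruby
require "net/http"
require "socket"

# Added example, not the html2rss project's code. Probes the app the way a
# HEALTHCHECK would, using only Ruby's standard library so the runtime image
# does not need curl. Host, port and path are assumptions about the app.
# Returns true only for a 2xx answer received within the timeouts; a non-2xx
# status, refused connection, timeout or malformed reply all yield false.
def healthy?(host: "127.0.0.1", port: 3000, path: "/health", timeout: 3)
  http = Net::HTTP.new(host, port)
  http.open_timeout = timeout
  http.read_timeout = timeout
  http.get(path).is_a?(Net::HTTPSuccess)
rescue SystemCallError, IOError, Net::OpenTimeout, Net::ReadTimeout, Net::HTTPBadResponse
  false
end

# Constructed stand-in for the app, used only to exercise healthy? offline:
# listens on an ephemeral port, answers one request with the given status
# line, then shuts down. Returns the port it listens on.
def fake_server(status_line)
  server = TCPServer.new("127.0.0.1", 0)
  Thread.new do
    client = server.accept
    nil while (line = client.gets) && line.strip != "" # discard request headers
    client.write("HTTP/1.1 #{status_line}\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
    client.close
    server.close
  end
  server.addr[1]
end

# Assumed Dockerfile wiring in place of a curl-based check (Docker reads exit
# status 0 as healthy, 1 as unhealthy):
#   HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
#     CMD ruby -r /app/healthcheck -e 'exit(healthy? ? 0 : 1)'
if $PROGRAM_NAME == __FILE__
  puts "healthy endpoint   -> #{healthy?(port: fake_server('200 OK'))}"               # true
  puts "unhealthy endpoint -> #{healthy?(port: fake_server('503 Service Unavailable'))}" # false
end
```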

gildesmarais and others added 3 commits March 15, 2026 20:25
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@gildesmarais gildesmarais merged commit ead6312 into main Mar 15, 2026
12 checks passed
@gildesmarais gildesmarais deleted the feat/docker-harden-scan branch March 15, 2026 19:37