
Conversation

@Marfuen Marfuen (Contributor) commented Oct 14, 2025

What does this PR do?

  • Fixes #XXXX (GitHub issue number)
  • Fixes COMP-XXXX (Linear issue number - should be visible at the bottom of the GitHub issue description)

Visual Demo (For contributors especially)

A visual demonstration is strongly recommended, for both the original and new change (video / image - any one).

Video Demo (if applicable):

  • Show screen recordings of the issue or feature.
  • Demonstrate how to reproduce the issue, the behavior before and after the change.

Image Demo (if applicable):

  • Add side-by-side screenshots of the original and updated change.
  • Highlight any significant change(s).

Mandatory Tasks (DO NOT REMOVE)

  • I have self-reviewed the code (A decent size PR without self-review might be rejected).
  • I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. If N/A, write N/A here and check the checkbox.
  • I confirm automated tests are in place that prove my fix is effective or that my feature works.

How should this be tested?

  • Are there environment variables that should be set?
  • What are the minimal test data to have?
  • What is expected (happy path) to have (input and output)?
  • Any other important info that could help to test that PR

Checklist

  • I haven't read the contributing guide
  • My code doesn't follow the style guidelines of this project
  • I haven't commented my code, particularly in hard-to-understand areas
  • I haven't checked if my changes generate no new warnings

@vercel vercel bot temporarily deployed to Preview – portal October 14, 2025 20:35 Inactive
@vercel vercel bot temporarily deployed to Preview – app October 14, 2025 20:35 Inactive
vercel bot commented Oct 14, 2025

The latest updates on your projects.

2 Skipped Deployments

Project   Deployment   Preview   Comments   Updated (UTC)
app       Skipped      Skipped              Oct 14, 2025 8:35pm
portal    Skipped      Skipped              Oct 14, 2025 8:35pm

comp-ai-code-review bot commented Oct 14, 2025

🔒 Comp AI - Security Review

🔴 Risk Level: HIGH

No OSV/CVE findings; Dockerfile pipes a remote installer into a shell (curl | bash) — a command-injection risk visible in the diff.


📦 Dependency Vulnerabilities

✅ No known vulnerabilities detected in dependencies.


🛡️ Code Security Analysis


🔴 apps/api/Dockerfile (HIGH Risk)

#   Issue                                                                              Risk Level
1   Unverified remote installer (curl | bash) — supply-chain & command injection risk
2   Installer URL not pinned; no checksum verification                                 HIGH
3   Prisma generate runs in-image and may access build-time secrets                    HIGH
4   Including curl/bash in image increases attack surface                              HIGH

Recommendations:

  1. Avoid piping remote scripts to a shell. Prefer installed packages from trusted package repositories, download a specific, pinned release archive and verify its checksum/signature before executing.
  2. Pin the installer URL to a specific version (release tarball/commit) and verify integrity (SHA256 or GPG signature) before running. Do not rely on unpinned bootstrap scripts.
  3. Use a multi-stage build: perform bun install, bunx prisma generate and any build-time steps in a builder stage, then copy only the runtime artifacts into a minimal final image. This removes curl/bash and other build tools from the final image.
  4. Do not run prisma generate inside the final runtime image if it requires access to secrets (DB credentials). Run it in the build stage or in CI and copy the generated client into the final image. If build-time secrets are needed, use BuildKit secrets or CI secret mechanisms so they are not persisted in image layers.
  5. Remove curl, bash, wget and other unnecessary packages from the final image to reduce attack surface. If a tool is required only for installation, install it in a builder stage and do not copy it into the final image.
  6. Continue to use a .dockerignore (already present) to avoid accidentally baking local secrets like .env into the image. Review the .dockerignore to ensure all secret files and local state are excluded.

💡 Recommendations

  1. Do not pipe remote content directly to a shell in the Dockerfile. Instead download the installer to a file (e.g. curl -fSL -o /tmp/install.sh), inspect or include the script in source, then run it explicitly.
  2. Run bun install and prisma generate in a dedicated builder stage and COPY only the generated Prisma client and runtime artifacts into the final image so generation does not occur in the runtime image.
  3. Ensure build tooling (curl, bash, package managers) is installed only in the builder stage and not left in the final image (remove packages and clean apt/cache before final stage).

Powered by Comp AI - AI that handles compliance for you. Reviewed Oct 14, 2025
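The multi-stage layout that both recommendation lists above describe (download to a file and verify before executing, generate the Prisma client in a builder stage with a BuildKit secret, ship a runtime image without curl or bash), written out as an added example. This is not the PR's apps/api/Dockerfile and not Comp AI's output. It assumes the remote installer is Bun's (the review names bun install and bunx prisma generate but does not identify the installer), that Bun's release archives follow the bun-v<version>/bun-linux-x64.zip naming, that the lockfile is bun.lock, and that the API starts from src/index.ts; BUN_VERSION and BUN_SHA256 are placeholders for the pinned release and the checksum published for it.

```dockerfile
# syntax=docker/dockerfile:1
#
# Added example, not the project's Dockerfile. Assumed (not from the PR): the installer
# is Bun's, the release naming below, the lockfile name and the entrypoint path.
# BUN_VERSION and BUN_SHA256 are placeholders: set them to the pinned release and the
# SHA-256 published for that release's bun-linux-x64.zip.

ARG BUN_VERSION=X.Y.Z
ARG BUN_SHA256=<sha256 of bun-linux-x64.zip for the pinned release>

# ---------- builder stage: the only stage that contains curl, unzip and build tooling ----------
FROM debian:bookworm-slim AS builder
ARG BUN_VERSION
ARG BUN_SHA256

RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates curl unzip \
 && rm -rf /var/lib/apt/lists/*

# Download a pinned release archive to a file, verify it, and only then unpack it.
# `sha256sum -c` exits non-zero on a mismatch, so a swapped or tampered archive fails the build
# instead of being executed (the `curl | bash` pattern has no such check).
RUN curl -fsSL "https://github.com/oven-sh/bun/releases/download/bun-v${BUN_VERSION}/bun-linux-x64.zip" \
      -o /tmp/bun.zip \
 && echo "${BUN_SHA256}  /tmp/bun.zip" | sha256sum -c - \
 && unzip -q /tmp/bun.zip -d /tmp \
 && install -m 0755 /tmp/bun-linux-x64/bun /usr/local/bin/bun \
 && rm -rf /tmp/bun.zip /tmp/bun-linux-x64

WORKDIR /app

# Install from the lockfile first so the dependency layer is cached independently of source edits.
COPY package.json bun.lock ./
RUN bun install --frozen-lockfile

COPY . .

# Generate the Prisma client in the builder, not in the runtime image. If the schema needs a
# connection string, mount it as a BuildKit secret for this single step: it is read from
# /run/secrets and never written to an image layer (unlike ENV or COPY of a .env file).
# Build with:  DATABASE_URL=... docker build --secret id=database_url,env=DATABASE_URL -t api .
RUN --mount=type=secret,id=database_url \
    DATABASE_URL="$(cat /run/secrets/database_url)" bunx prisma generate

# ---------- runtime stage: no curl, unzip, package caches or secrets ----------
FROM debian:bookworm-slim AS runtime

RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates \
 && rm -rf /var/lib/apt/lists/* \
 && useradd --system --uid 10001 --user-group --home-dir /app --shell /usr/sbin/nologin app

# Only the verified Bun binary and the built application cross the stage boundary.
COPY --from=builder /usr/local/bin/bun /usr/local/bin/bun
COPY --from=builder --chown=app:app /app /app

WORKDIR /app
USER app
ENV NODE_ENV=production

# Placeholder entrypoint; substitute the API's real start script.
CMD ["bun", "run", "src/index.ts"]
```

If the secret is not supplied at build time, the `cat` in the generate step fails and the build stops, which is the intended behaviour: the image cannot be produced with a missing or improvised credential. The existing .dockerignore still matters for the `COPY . .` line, since anything not excluded there lands in the builder stage and, through the final `COPY --from=builder`, in the runtime image.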

@Marfuen Marfuen merged commit 298662c into main Oct 14, 2025
7 of 8 checks passed
@Marfuen Marfuen deleted the mariano/api-fix-5 branch October 14, 2025 20:35
@claudfuen (Contributor)
🎉 This PR is included in version 1.56.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

