From fcca13da06613ec12e081c0c86c74dd8efd48456 Mon Sep 17 00:00:00 2001 From: Gil Desmarais Date: Sun, 15 Mar 2026 18:17:22 +0100 Subject: [PATCH 1/5] Harden Docker image for scanner findings --- Dockerfile | 32 ++++++++++++++++++++++---------- 1 file changed, 22 insertions(+), 10 deletions(-) diff --git a/Dockerfile b/Dockerfile index 8a503ae7..e6e3ca8e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,8 @@ -ARG RUBY_BASE_IMAGE=ruby:4.0.1-alpine3.23 +ARG RUBY_BASE_IMAGE=ruby:4.0.1-alpine3.23@sha256:7d1c4a23da9b3539fdeb5f970950a8fe044a707219e546f12152b84bbd5755d1 +ARG NODE_BASE_IMAGE=node:22-alpine@sha256:8094c002d08262dba12645a3b4a15cd6cd627d30bc782f53229a2ec13ee22a00 # Stage 1: Frontend Build -FROM node:22-alpine AS frontend-builder +FROM ${NODE_BASE_IMAGE} AS frontend-builder WORKDIR /app/frontend COPY frontend/package*.json ./ @@ -31,7 +32,11 @@ RUN apk add --no-cache \ && gem install bundler:$(tail -1 Gemfile.lock | tr -d ' ') \ && bundle config set --local without 'development test' \ && bundle install --retry=5 --jobs=$(nproc) \ - && bundle binstubs bundler html2rss + && bundle binstubs bundler html2rss \ + && bundle clean --force \ + && rm -rf /usr/local/bundle/cache \ + /usr/local/bundle/bundler/gems/*/.git \ + /usr/local/bundle/cache/bundler/git # Stage 3: Runtime FROM ${RUBY_BASE_IMAGE} 
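Review bot: Once a `@sha256:` digest is attached, the digest alone decides what `FROM ${RUBY_BASE_IMAGE}` and `FROM ${NODE_BASE_IMAGE}` resolve to, so the `4.0.1-alpine3.23` and `22-alpine` tags in the same ARGs become documentation that silently drifts if one half is bumped without the other. A short comment above the two ARGs would make that maintenance contract explicit, e.g. `# Digest-pinned: bump tag and digest together (docker buildx imagetools inspect <image>:<tag> shows the current manifest digest)`. Because both values are ARGs, a `--build-arg` override still bypasses the pin; that is convenient locally but worth stating in the same comment so CI is never pointed at an unpinned value by accident.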
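Review bot: `/usr/local/bundle/cache/bundler/git` in the new `rm -rf` list is a subpath of `/usr/local/bundle/cache`, which the same command already removes, so the third path is dead and suggests two distinct trees where there is one. Dropping it leaves `&& rm -rf /usr/local/bundle/cache /usr/local/bundle/bundler/gems/*/.git`. In `sh` an unmatched `*/.git` glob is passed literally and `rm -rf` ignores a missing path, so the step cannot fail on a bundle with no git-sourced gems; a comment such as `# strip gem caches and git checkouts here so they never reach the runtime stage's COPY --from=builder` would record why this cleanup lives in the builder. The enclosing RUN starts before the hunk.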
@@ -47,8 +52,15 @@ ENV PORT=4000 \ EXPOSE $PORT HEALTHCHECK --interval=30m --timeout=60s --start-period=5s \ - CMD TOKEN="${HEALTH_CHECK_TOKEN:-CHANGE_ME_HEALTH_CHECK_TOKEN}" && \ - curl -f -H "Authorization: Bearer ${TOKEN}" http://localhost:${PORT}/api/v1/health || exit 1 + CMD ruby -rnet/http -e ' \ + port = ENV.fetch("PORT", "4000") \ + token = ENV.fetch("HEALTH_CHECK_TOKEN", "CHANGE_ME_HEALTH_CHECK_TOKEN") \ + uri = URI("http://localhost:#{port}/api/v1/health") \ + request = Net::HTTP::Get.new(uri) \ + request["Authorization"] = "Bearer #{token}" \ + response = Net::HTTP.start(uri.hostname, uri.port) { |http| http.request(request) } \ + exit(response.is_a?(Net::HTTPSuccess) ? 0 : 1) \ + ' ARG USER=html2rss ARG UID=991 @@ -56,11 +68,8 @@ ARG GID=991 RUN apk add --no-cache \ 'ca-certificates>=2024' \ - 'curl>=8' \ - 'gcompat>=0' \ 'tzdata>=2024' \ - 'libxml2>=2' \ - 'libxslt>=1' \ + && apk upgrade --no-cache zlib \ && addgroup --gid "$GID" "$USER" \ && adduser \ --disabled-password \ @@ -79,7 +88,10 @@ WORKDIR /app USER html2rss COPY --from=builder /usr/local/bundle /usr/local/bundle -COPY --chown=$USER:$USER . /app +COPY --chown=$USER:$USER Gemfile Gemfile.lock app.rb config.ru ./ +COPY --chown=$USER:$USER app ./app +COPY --chown=$USER:$USER config ./config +COPY --chown=$USER:$USER public ./public COPY --from=frontend-builder --chown=$USER:$USER /app/public/frontend ./public/frontend CMD ["bundle", "exec", "puma", "-C", "./config/puma.rb"] From 305d1492bfd091664d8344649cf714c0a2a36c9c Mon Sep 17 00:00:00 2001 From: Gil Desmarais Date: Sun, 15 Mar 2026 20:25:41 +0100 Subject: [PATCH 2/5] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index e6e3ca8e..af7054e3 100644 --- a/Dockerfile +++ b/Dockerfile 
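Review bot: The Ruby statements inside the new `CMD ruby -rnet/http -e ' \ … '` are separated only by Dockerfile line continuations, and as far as I know the Dockerfile parser joins continued lines by dropping the backslash and newline while keeping the next line's leading whitespace, so `ruby -e` receives `port = ENV.fetch("PORT", "4000")   token = ENV.fetch(...)   uri = …` as one line. Unless I am misreading the parser, that is a Ruby syntax error, the probe exits non-zero before sending any request, and the container is reported unhealthy after the retries; PATCH 2/5 and PATCH 3/5 edit the same lines and keep this layout. Terminating each statement with `;` keeps the readable multi-line form while making the joined string valid Ruby, and `docker inspect --format '{{json .State.Health}}'` on a built image would confirm the probe actually passes. The placeholder `CHANGE_ME_HEALTH_CHECK_TOKEN` fallback is carried over from the curl version, so I am not raising it here.
```dockerfile
HEALTHCHECK --interval=30m --timeout=60s --start-period=5s \
  CMD ruby -rnet/http -e ' \
    port = ENV.fetch("PORT", "4000"); \
    token = ENV.fetch("HEALTH_CHECK_TOKEN", "CHANGE_ME_HEALTH_CHECK_TOKEN"); \
    uri = URI("http://localhost:#{port}/api/v1/health"); \
    request = Net::HTTP::Get.new(uri); \
    request["Authorization"] = "Bearer #{token}"; \
    response = Net::HTTP.start(uri.hostname, uri.port) { |http| http.request(request) }; \
    exit(response.is_a?(Net::HTTPSuccess) ? 0 : 1) \
  '
```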
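Review bot: Removing `libxml2`, `libxslt` and `gcompat` from the runtime `apk add` is only safe if nothing in the copied `/usr/local/bundle` links against the system copies; a native extension built from source in the builder stage would, a precompiled musl gem that vendors its own libraries would not, and the hunk does not show which case applies here. A boot-level smoke test of the built image before merging (loading whatever the app requires at startup) would settle it, and a comment on the package list such as `# runtime deps only: native gems are expected to vendor their XML libs; re-add libxml2/libxslt only if a gem links the system copies` would keep the next person from re-adding them blindly. The `apk upgrade --no-cache zlib` line added here is replaced in PATCH 4/5 and 5/5, so I raise it there. The RUN's `adduser` options continue outside the hunk.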
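Review bot: The four explicit `COPY --chown=$USER:$USER … ./` lines turn the runtime file set into an allow-list, which is the right direction after dropping `COPY . /app`, but nothing records that a new top-level directory the app needs must also be added here, and an omission only surfaces at boot. A comment above the group, e.g. `# Explicit runtime allow-list: add new top-level paths here; .dockerignore no longer decides what reaches the image`, would make the contract visible. The `COPY --from=builder /usr/local/bundle` context line above keeps root ownership, which is fine for a read-only bundle; if the app ever writes under it at runtime (I cannot tell from the hunk) that deserves a word in the same comment.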
@@ -52,7 +52,7 @@ ENV PORT=4000 \ EXPOSE $PORT HEALTHCHECK --interval=30m --timeout=60s --start-period=5s \ - CMD ruby -rnet/http -e ' \ + CMD ruby -ruri -rnet/http -e ' \ port = ENV.fetch("PORT", "4000") \ token = ENV.fetch("HEALTH_CHECK_TOKEN", "CHANGE_ME_HEALTH_CHECK_TOKEN") \ uri = URI("http://localhost:#{port}/api/v1/health") \ From 17be3bbb2fd12be0958f082200a8875ce099c11b Mon Sep 17 00:00:00 2001 From: Gil Desmarais Date: Sun, 15 Mar 2026 20:26:06 +0100 Subject: [PATCH 3/5] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index af7054e3..70178e5e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -54,7 +54,8 @@ EXPOSE $PORT HEALTHCHECK --interval=30m --timeout=60s --start-period=5s \ CMD ruby -ruri -rnet/http -e ' \ port = ENV.fetch("PORT", "4000") \ - token = ENV.fetch("HEALTH_CHECK_TOKEN", "CHANGE_ME_HEALTH_CHECK_TOKEN") \ + token = ENV["HEALTH_CHECK_TOKEN"] \ + token = "CHANGE_ME_HEALTH_CHECK_TOKEN" if token.nil? || token.empty? \ uri = URI("http://localhost:#{port}/api/v1/health") \ request = Net::HTTP::Get.new(uri) \ request["Authorization"] = "Bearer #{token}" \ From 0a9a4849bd1c1fb99b11f37eefa7fca2c3b36748 Mon Sep 17 00:00:00 2001 From: Gil Desmarais Date: Sun, 15 Mar 2026 20:33:18 +0100 Subject: [PATCH 4/5] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 70178e5e..a52c7707 100644 --- a/Dockerfile +++ b/Dockerfile @@ -70,7 +70,7 @@ ARG GID=991 RUN apk add --no-cache \ 'ca-certificates>=2024' \ 'tzdata>=2024' \ - && apk upgrade --no-cache zlib \ + 'zlib=1.2.13-r1' \ && addgroup --gid "$GID" "$USER" \ && adduser \ --disabled-password \ 
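Review bot: Listing `zlib` in the runtime `apk add` reads like a new dependency, but it is already present in the digest-pinned base and this line exists only to pull it past the version the base ships with, for the scanner finding named in the series subject; nothing in the Dockerfile says so, and PATCH 5/5 changes the bound to `'zlib>=1.3.2-r0'` without adding that context either. A comment such as `# zlib: forced above the base image's version for a scanner finding; drop once the base digest is bumped past it` would keep the line from outliving the base-image update. A `>=` bound also floats with the Alpine repository, so two builds from the same pinned digest can still differ in zlib; if that matters, bumping the base digest is the reproducible fix and this line should be treated as temporary.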
From e0a2ff39d94ee4da20f915e69d7bf51599a9e606 Mon Sep 17 00:00:00 2001 From: Gil Desmarais Date: Sun, 15 Mar 2026 20:33:47 +0100 Subject: [PATCH 5/5] Apply suggestion from @gildesmarais --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index a52c7707..06f91b71 100644 --- a/Dockerfile +++ b/Dockerfile @@ -70,7 +70,7 @@ ARG GID=991 RUN apk add --no-cache \ 'ca-certificates>=2024' \ 'tzdata>=2024' \ - 'zlib=1.2.13-r1' \ + 'zlib>=1.3.2-r0' \ && addgroup --gid "$GID" "$USER" \ && adduser \ --disabled-password \