security: add upgrade hooks for security patching

- Alpine: apk upgrade active (Alpine patches ship fast)
- Slim/default: apt-get upgrade commented out with guidance
This commit is contained in:
Timothy Jaeryang Baek 2026-03-13 16:43:58 -05:00
parent ae89d2ed11
commit 0f2e4ea178
3 changed files with 11 additions and 0 deletions

View file

@ -39,6 +39,10 @@ RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
# Docker CLI + Compose + Buildx (mount socket at runtime for access)
RUN curl -fsSL https://get.docker.com | sh
# Uncomment to apply security patches beyond what the base image provides.
# Not recommended for reproducible builds; prefer bumping the base image tag.
# RUN apt-get update && apt-get upgrade -y && rm -rf /var/lib/apt/lists/*
WORKDIR /app

View file

@ -94,6 +94,9 @@ COPY --from=builder /install /usr/local
WORKDIR /app
COPY . .
# Alpine patches ship fast. Upgrade base packages to pick up security fixes
# that landed after the pinned base image was published.
RUN apk upgrade --no-cache
# Install the app itself (fast — all deps are already present) and grant
# the Python binary cap_setgid so multi-user mode can call setgid().

View file

@ -88,6 +88,10 @@ COPY --from=builder /install /usr/local
WORKDIR /app
COPY . .
# Uncomment to apply security patches beyond what the base image provides.
# Not recommended for reproducible builds; prefer bumping the base image tag.
# RUN apt-get update && apt-get upgrade -y && rm -rf /var/lib/apt/lists/*
# Install the app itself (fast — all deps are already present) and grant
# the Python binary cap_setgid so multi-user mode can call setgid().
# ⚠️ setcap MUST run in the same layer as the binary to avoid overlay2 issues.