fix(docker): harden Dockerfile — pipefail, no curl|bash, healthcheck, .dockerignore #8
Open
Guimove wants to merge 2 commits into
Conversation
… dockerignore

- Add SHELL [/bin/bash -o pipefail -c] globally so pipe failures are not silently ignored (DF057)
- Download remote install scripts to /tmp before executing instead of piping curl directly into bash/sh (DF021): NodeSource setup, Qovery CLI, RTK, Qovery Skills
- Replace curl -s with curl -fsSL on Qovery CLI install so HTTP errors fail the build (DF035)
- Remove cd in RUN for GitHub CLI and Zellij blocks — use absolute /tmp paths instead (DF008)
- Add apt-get clean before rm -rf /var/lib/apt/lists/* (DF004)
- Add HEALTHCHECK against port 8080 with 60s start period (DF012)
- Add .dockerignore to exclude .git, node_modules, secrets, logs, CI configs from build context (DF033)

USER root is kept in two intentional places with comments:
1. System package installation (required)
2. Entrypoint privilege drop — root needed to fix volume ownership, entrypoint drops to coder

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…6 via file, rm wget/htop, pin bundler

- Move apt-get clean + rm /var/lib/apt/lists/* after gem install so linter parses cleanup correctly (DF004)
- Remove inline comments from apt-get install block that were confusing the linter
- Replace echo|sha256sum pipes with checksum file (sha256sum -c file) to avoid false-positive DF021/DF057 on verification blocks
- Remove wget (curl is already installed, no need for both) — fixes DF058
- Remove htop (no interactive monitoring in containers) — fixes DF060
- Pin bundler to version 2.5.23 — fixes DF053

Remaining: 2x DF002 USER root (intentional — system install + entrypoint volume chown before su coder)
Summary
Fixes all errors and warnings reported by the Dockerfile linter (droast). Build tested locally ✅
(image: droast score)
Changes
- `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` applied globally
- `curl | bash` (×4): download to `/tmp` first, execute, delete — NodeSource, Qovery CLI, RTK, Qovery Skills
- `curl` without `--fail`: `curl -fsSL` on Qovery CLI install
- `echo | sha256sum` false positives: checksum file (`sha256sum -c file`) in GitHub CLI, Zellij, ttyd blocks
- `cd` in RUN (×2): absolute `/tmp/` paths in GitHub CLI and Zellij blocks
- `apt-get clean` + `rm -rf /var/lib/apt/lists/*` as last commands in apt block; removed inline comments that confused the linter
- `wget` removed (curl is used everywhere)
- `htop` removed (no interactive monitoring in container)
- bundler pinned: `gem install bundler:2.5.23`
- `HEALTHCHECK`: curl against port 8080, 60s start period
- `.dockerignore`: `.git`, `node_modules`, secrets, logs, CI configs

Not changed (intentional)

- `USER root` ×2 — both are load-bearing: (1) system package installation, (2) entrypoint needs root to `chown` volume-mounted `/home/coder` before dropping to the `coder` user.
- `npm install -g` — `npm ci` cannot install global packages; linter false positive.
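The two patterns this PR leans on (pipefail semantics in `RUN` pipelines, and download-then-verify-then-execute with a checksum file instead of `curl | bash`), as an added shell example that is not code from the PR or the project. It copies a local file in place of `curl -fsSL URL -o /tmp/...` so it runs offline; the function names and the constructed sample installer are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not code from the PR. Exercises two hardening patterns
# locally: pipefail semantics, and download -> verify -> execute in place
# of `curl ... | bash`.

# Without pipefail a pipeline reports the LAST command's status, so a
# failed producer (think: curl returning an error page) is masked by cat.
pipeline_status_default() { ( set +o pipefail; false | cat ); }
# With `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` the same pipeline
# reports the producer's failure, and the RUN step fails the build.
pipeline_status_pipefail() { ( set -o pipefail; false | cat ); }

sha256_of() { sha256sum "$1" | awk '{print $1}'; }

# run_verified SRC EXPECTED_SHA256 [ARGS...]
# Copies SRC to /tmp (standing in for `curl -fsSL URL -o /tmp/...`, which
# cannot run offline), verifies it with a checksum FILE and `sha256sum -c`
# (the form the PR uses instead of an `echo | sha256sum` pipe), executes
# it only when verification passes, and always removes the temp files.
run_verified() {
  local src="$1" expected="$2"; shift 2
  local tmp rc
  tmp=$(mktemp /tmp/install.XXXXXX) || return 1
  cp "$src" "$tmp" || { rm -f "$tmp"; return 1; }
  printf '%s  %s\n' "$expected" "$tmp" > "$tmp.sha256"
  if sha256sum -c --status "$tmp.sha256"; then
    bash "$tmp" "$@"; rc=$?
  else
    echo "checksum mismatch for $src, refusing to execute" >&2
    rc=1
  fi
  rm -f "$tmp" "$tmp.sha256"
  return "$rc"
}

# Self-demo when run directly, with a constructed sample installer.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  sample=$(mktemp /tmp/sample.XXXXXX); echo 'echo "installer ran"' > "$sample"
  bogus=0000000000000000000000000000000000000000000000000000000000000000
  run_verified "$sample" "$(sha256_of "$sample")" && echo "verified install ok"
  run_verified "$sample" "$bogus" || echo "tampered install blocked"
  rm -f "$sample"
fi
```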