mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity
Files
0d5aa5c3ae96fc0490433683c8730231ee8f3f67
stack/docker/postgres/Dockerfile
Jason Woltje 3833805a93
Some checks failed
ci/woodpecker/push/web Pipeline failed
Details
ci/woodpecker/push/infra Pipeline was successful
Details
ci/woodpecker/push/orchestrator Pipeline failed
Details
ci/woodpecker/push/api Pipeline was successful
Details
fix(ci): mitigate 11 upstream CVEs at source instead of suppressing 
- docker/postgres/Dockerfile: build gosu from source with Go 1.26 via
  multi-stage build (eliminates 1 CRITICAL + 5 HIGH Go stdlib CVEs)
- apps/{api,web,orchestrator}/Dockerfile: remove npm from production
  images (eliminates 5 HIGH CVEs in npm's bundled cross-spawn/glob/tar)
- .trivyignore: trimmed from 16 to 5 CVEs (OpenBao only — 4 false
  positives from Go pseudo-version + 1 real Go stdlib waiting on upstream)

Fixes #363

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-12 17:10:44 -06:00

45 lines
1.4 KiB
Docker
Raw Blame History

# PostgreSQL with pgvector and gosu built from source
#
# gosu is built from source with Go 1.26 to eliminate 6 Go stdlib CVEs
# (CVE-2025-68121 CRITICAL + 5 HIGH) present in the tianon/gosu pre-built binary.
# Stage 1: Build gosu from source with Go 1.26
FROM golang:1.26-alpine AS gosu-builder
RUN apk add --no-cache git
RUN git clone --branch 1.17 https://github.com/tianon/gosu.git /src/gosu
WORKDIR /src/gosu
RUN go build -v -ldflags '-s -w' -o /bin/gosu .
FROM postgres:17.7-alpine3.22
LABEL maintainer="Mosaic Stack <dev@mosaic.local>"
LABEL description="PostgreSQL 17 with pgvector extension and patched gosu"
# Copy gosu binary built from source in the gosu-builder stage
COPY --from=gosu-builder /bin/gosu /usr/local/bin/gosu
RUN chmod +x /usr/local/bin/gosu && gosu nobody true
# Update Alpine packages for any remaining OS-level patches
RUN apk update && apk upgrade
# Install build dependencies for pgvector
RUN apk add --no-cache --virtual .build-deps \
git \
build-base
# Clone and build pgvector v0.7.4 (without LLVM bitcode compilation)
RUN git clone --branch v0.7.4 https://github.com/pgvector/pgvector.git /tmp/pgvector \
&& cd /tmp/pgvector \
&& make OPTFLAGS="" with_llvm=no \
&& make install with_llvm=no \
&& rm -rf /tmp/pgvector
# Clean up build dependencies to reduce image size
RUN apk del .build-deps
# Copy initialization scripts
COPY init-scripts/ /docker-entrypoint-initdb.d/
# Expose PostgreSQL port
EXPOSE 5432
Reference in New Issue View Git Blame Copy Permalink