mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity
Files
7fb70210a408e4cc5f8c4e6896de5d6f4c09c16a
stack/apps/orchestrator/Dockerfile
Jason Woltje 7fb70210a4
All checks were successful
ci/woodpecker/push/orchestrator Pipeline was successful
Details
fix(ci): move spec removal to builder stage + suppress tar CVEs 
Two Trivy fixes:

1. Dockerfile: moved spec/test file deletion from production RUN step
   to builder stage. The previous approach (COPY then RUN rm) left files
   in the COPY layer — Trivy scans all layers, not just the final FS.
   Now spec files are deleted in builder BEFORE COPY to production.

2. .trivyignore: added 3 tar CVEs (CVE-2026-23745/23950/24842) with
   documented rationale. tar@7.5.2 is bundled inside npm which ships
   with node:20-alpine. Not upgradeable — not our dependency. npm is
   already removed from all production images.

Verified: local Trivy scan passes (exit code 0, 0 findings)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-12 19:19:27 -06:00

114 lines
4.0 KiB
Docker
Raw Blame History

# syntax=docker/dockerfile:1
# Enable BuildKit features for cache mounts
# Base image for all stages
FROM node:20-alpine AS base
# Install pnpm globally
RUN corepack enable && corepack prepare pnpm@10.27.0 --activate
# Set working directory
WORKDIR /app
# Copy monorepo configuration files
COPY pnpm-workspace.yaml package.json pnpm-lock.yaml ./
COPY turbo.json ./
# ======================
# Dependencies stage
# ======================
FROM base AS deps
# Copy all package.json files for workspace resolution
COPY packages/shared/package.json ./packages/shared/
COPY packages/config/package.json ./packages/config/
COPY apps/orchestrator/package.json ./apps/orchestrator/
# Install ALL dependencies (not just production)
# This ensures NestJS packages and other required deps are available
RUN --mount=type=cache,id=pnpm-store,target=/root/.local/share/pnpm/store \
pnpm install --frozen-lockfile
# ======================
# Builder stage
# ======================
FROM base AS builder
# Copy root node_modules from deps
COPY --from=deps /app/node_modules ./node_modules
# Copy all source code
COPY packages ./packages
COPY apps/orchestrator ./apps/orchestrator
# Copy workspace node_modules from deps
COPY --from=deps /app/packages/shared/node_modules ./packages/shared/node_modules
COPY --from=deps /app/packages/config/node_modules ./packages/config/node_modules
COPY --from=deps /app/apps/orchestrator/node_modules ./apps/orchestrator/node_modules
# Build the orchestrator app using TurboRepo
RUN pnpm turbo build --filter=@mosaic/orchestrator
# Remove compiled test/spec files from dist BEFORE copying to production.
# These contain test fixture secrets (fake AWS keys, RSA keys) that trigger Trivy.
# Must happen in builder stage so they never appear in any production image layer.
RUN find ./apps/orchestrator/dist \( -name '*.spec.js' -o -name '*.spec.js.map' -o -name '*.test.js' -o -name '*.test.js.map' \) -delete
# ======================
# Production stage
# ======================
FROM node:20-alpine AS production
# Add metadata labels
LABEL maintainer="mosaic-team@mosaicstack.dev"
LABEL version="0.0.6"
LABEL description="Mosaic Orchestrator - Agent orchestration service"
LABEL org.opencontainers.image.source="https://git.mosaicstack.dev/mosaic/stack"
LABEL org.opencontainers.image.vendor="Mosaic Stack"
LABEL org.opencontainers.image.title="Mosaic Orchestrator"
LABEL org.opencontainers.image.description="Agent orchestration service for Mosaic Stack"
# Remove npm (unused in production — we use pnpm) to eliminate bundled CVEs
# (cross-spawn CVE-2024-21538, glob CVE-2025-64756, tar CVE-2026-23745/23950/24842)
RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
# Install wget and dumb-init
RUN apk add --no-cache wget dumb-init
# Create non-root user
RUN addgroup -g 1001 -S nodejs && adduser -S nestjs -u 1001
WORKDIR /app
# Copy node_modules from builder (includes all dependencies)
COPY --from=builder --chown=nestjs:nodejs /app/node_modules ./node_modules
# Copy built packages (includes dist/ directories)
COPY --from=builder --chown=nestjs:nodejs /app/packages ./packages
# Copy built orchestrator application (spec/test files already removed in builder stage)
COPY --from=builder --chown=nestjs:nodejs /app/apps/orchestrator/dist ./apps/orchestrator/dist
COPY --from=builder --chown=nestjs:nodejs /app/apps/orchestrator/package.json ./apps/orchestrator/
# Copy app's node_modules which contains symlinks to root node_modules
COPY --from=builder --chown=nestjs:nodejs /app/apps/orchestrator/node_modules ./apps/orchestrator/node_modules
# Set working directory to orchestrator app
WORKDIR /app/apps/orchestrator
# Switch to non-root user
USER nestjs
# Expose orchestrator port
EXPOSE 3001
# Health check
HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
CMD wget --no-verbose --tries=1 --spider http://localhost:3001/health || exit 1
# Use dumb-init to handle signals properly
ENTRYPOINT ["dumb-init", "--"]
# Start the application
CMD ["node", "dist/main.js"]
Reference in New Issue View Git Blame Copy Permalink