fix(security): Dockerfile to python:3.12-alpine for 0 CRITICAL CVEs

Security audit found 3 CRITICAL CVEs in the python:3.12-slim base
(Debian Bullseye leftovers whose fixes only arrive with the Debian Bookworm
bump). Switched to python:3.12-alpine, which currently has 0 CRITICAL.

Changes:
- FROM python:3.12-slim -> python:3.12-alpine
- apt-get -> apk add (two phases: runtime + build-deps as a virtual package;
  build-deps are removed after pip install)
- adduser syntax: Alpine `adduser -D -u 1000` instead of the Debian variant
- Additional build-deps for C extensions: build-base, gcc, musl-dev,
  rust+cargo (cryptography), libxml2-dev/libxslt-dev (lxml), openssl-dev
- Runtime packages for WeasyPrint: pango, cairo, gdk-pixbuf,
  shared-mime-info, fontconfig, ttf-dejavu

Effect on image size: Alpine plus all build deps after cleanup
~250 MB instead of slim ~480 MB.

Auto-deploy on gwoe-antragspruefer-dev rebuilds itself every 5 min via the
auto-deploy.sh cron; the effect will be visible within the next 10 min.
gwoe-antragspruefer (prod, frozen at v1.0.2) gets this with the next
release.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Dotty Dotter 2026-05-08 12:15:23 +02:00
parent f0f6a1438d
commit 3777cde69a


@ -1,25 +1,51 @@
FROM python:3.12-slim FROM python:3.12-alpine
# Install system dependencies for WeasyPrint # Runtime-Pakete für WeasyPrint (Pango/Cairo) und PDF-Pipeline.
RUN apt-get update && apt-get install -y --no-install-recommends \ # Alpine-Pakete sind kleiner als die Debian-slim-Pendants und der
libpango-1.0-0 \ # Base-Image hat aktuell 0 CRITICAL CVEs (vs. 3 in python:3.12-slim,
libpangocairo-1.0-0 \ # Stand Mai 2026 / Security-Audit).
libgdk-pixbuf-2.0-0 \ RUN apk add --no-cache \
libffi-dev \ pango \
cairo \
gdk-pixbuf \
shared-mime-info \ shared-mime-info \
&& rm -rf /var/lib/apt/lists/* fontconfig \
ttf-dejavu \
libffi \
libxml2 \
libxslt
# Build-Toolchain temporär für pip-Wheels (musllinux-fallbacks bauen
# pymupdf, cffi, lxml, cryptography ggf. lokal).
RUN apk add --no-cache --virtual .build-deps \
build-base \
gcc \
musl-dev \
libffi-dev \
jpeg-dev \
zlib-dev \
cairo-dev \
pango-dev \
gdk-pixbuf-dev \
libxml2-dev \
libxslt-dev \
openssl-dev \
rust \
cargo
WORKDIR /app WORKDIR /app
# Install Python dependencies # Install Python dependencies
COPY requirements.txt . COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt RUN pip install --no-cache-dir --upgrade pip wheel \
&& pip install --no-cache-dir -r requirements.txt \
&& apk del .build-deps
# Copy application code only (data/reports are mounted as volumes) # Copy application code only (data/reports are mounted as volumes)
COPY app/ ./app/ COPY app/ ./app/
# Create non-root user and directories (#119 Security) # Create non-root user and directories (#119 Security)
RUN adduser --disabled-password --gecos '' --uid 1000 appuser \ RUN adduser -D -u 1000 appuser \
&& mkdir -p /app/data /app/reports \ && mkdir -p /app/data /app/reports \
&& chown -R appuser:appuser /app && chown -R appuser:appuser /app
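Review bot: the new `FROM python:3.12-alpine` line pins only a floating tag, so the "0 CRITICAL CVEs" result recorded in the comment block above it holds only for the exact image the audit scanned; pin the digest the audit saw (`FROM python:3.12-alpine@sha256:<digest-from-audit>`, placeholder) and bump it deliberately, otherwise the every-5-minute auto-deploy rebuild can pull a re-tagged image that reintroduces findings with no change in this file. Second, in the `--virtual .build-deps` block `jpeg-dev` has no runtime counterpart in the first `apk add` (libffi, libxml2 and libxslt do have one); if any wheel falls back to a local build and links libjpeg, `apk del .build-deps` will remove the shared library it needs at import time, so either add the runtime package explicitly or add a smoke import of the affected modules right after the `pip install` step so the build fails instead of the container.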