Security audit found 3 CRITICAL CVEs in the python:3.12-slim base (Debian Bullseye leftovers whose updates only arrive with the Debian Bookworm bump). Switch to python:3.12-alpine, which currently has 0 CRITICAL.

Changes:
- FROM python:3.12-slim -> python:3.12-alpine
- apt-get -> apk add (two phases: runtime + build-deps via virtual; build-deps are removed after pip install)
- adduser syntax: Alpine `adduser -D -u 1000` instead of the Debian variant
- Additional build-deps for C extensions: build-base, gcc, musl-dev, rust+cargo (cryptography), libxml2-dev/libxslt-dev (lxml), openssl-dev
- Runtime packages for WeasyPrint: pango, cairo, gdk-pixbuf, shared-mime-info, fontconfig, ttf-dejavu

Image size effect: Alpine + all build-deps after cleanup ~250 MB instead of slim ~480 MB. Auto-deploy on gwoe-antragspruefer-dev rebuilds itself every 5 min via the auto-deploy.sh cron; the effect will be visible within the next 10 min. gwoe-antragspruefer (prod, frozen at v1.0.2) gets this with the next release.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
61 lines
1.5 KiB
Docker
FROM python:3.12-alpine

# Runtime packages for WeasyPrint (Pango/Cairo) and the PDF pipeline.
# Alpine packages are smaller than their Debian-slim counterparts and the
# base image currently has 0 CRITICAL CVEs (vs. 3 in python:3.12-slim,
# as of May 2026 / security audit).
RUN apk add --no-cache \
    pango \
    cairo \
    gdk-pixbuf \
    shared-mime-info \
    fontconfig \
    ttf-dejavu \
    libffi \
    libxml2 \
    libxslt

# Temporary build toolchain for pip wheels (musllinux fallbacks may build
# pymupdf, cffi, lxml, cryptography locally).
RUN apk add --no-cache --virtual .build-deps \
    build-base \
    gcc \
    musl-dev \
    libffi-dev \
    jpeg-dev \
    zlib-dev \
    cairo-dev \
    pango-dev \
    gdk-pixbuf-dev \
    libxml2-dev \
    libxslt-dev \
    openssl-dev \
    rust \
    cargo

WORKDIR /app

# Install Python dependencies
COPY requirements.txt .
RUN pip install --no-cache-dir --upgrade pip wheel \
    && pip install --no-cache-dir -r requirements.txt \
    && apk del .build-deps

# Copy application code only (data/reports are mounted as volumes)
COPY app/ ./app/

# Create non-root user and directories (#119 Security)
RUN adduser -D -u 1000 appuser \
    && mkdir -p /app/data /app/reports \
    && chown -R appuser:appuser /app

USER appuser

# Environment
ENV PYTHONUNBUFFERED=1
ENV PYTHONDONTWRITEBYTECODE=1

EXPOSE 8000

CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]
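As an added example (not part of this commit or the project), a small POSIX shell lint that checks a Dockerfile for the two properties the change above relies on: every apk `--virtual` group is deleted again later, so the compilers do not ship in the runtime image, and the final `USER` is not root. The two sample Dockerfiles are constructed inline for the demo.

```shell
#!/bin/sh
# Added example (not from the commit): lint for the two-phase apk pattern and
# the non-root user. Sample Dockerfiles below are constructed, not project files.

# check_virtual_deps_removed FILE
# Every "apk add --virtual NAME" group must be removed later with "apk del NAME",
# otherwise gcc, rust, cargo and friends end up in the runtime image.
check_virtual_deps_removed() {
    file="$1"
    names=$(grep -oE -- '--virtual[[:space:]]+[^[:space:]\\]+' "$file" | awk '{print $2}')
    for n in $names; do
        grep -E 'apk[[:space:]]+del[[:space:]]' "$file" | grep -qF -- "$n" || return 1
    done
    return 0
}

# check_non_root_user FILE
# The last USER directive decides who runs CMD; it must exist and not be root.
check_non_root_user() {
    last=$(grep -E '^USER[[:space:]]' "$1" | tail -n 1 | awk '{print $2}')
    [ -n "$last" ] && [ "$last" != "root" ] && [ "$last" != "0" ]
}

# lint_dockerfile FILE: returns 0 when both checks pass, 1 otherwise.
lint_dockerfile() {
    check_virtual_deps_removed "$1" && check_non_root_user "$1"
}

TMP_DEMO=$(mktemp -d)
GOOD_DF="$TMP_DEMO/Dockerfile.good"   # mirrors the pattern of the commit
BAD_DF="$TMP_DEMO/Dockerfile.bad"     # build-deps kept, runs as root
cat > "$GOOD_DF" <<'EOF'
FROM python:3.12-alpine
RUN apk add --no-cache pango cairo
RUN apk add --no-cache --virtual .build-deps build-base gcc musl-dev rust cargo
RUN pip install --no-cache-dir -r requirements.txt && apk del .build-deps
RUN adduser -D -u 1000 appuser
USER appuser
EOF
cat > "$BAD_DF" <<'EOF'
FROM python:3.12-alpine
RUN apk add --no-cache --virtual .build-deps build-base gcc
RUN pip install --no-cache-dir -r requirements.txt
USER root
EOF

lint_dockerfile "$GOOD_DF" && echo "good: ok"
lint_dockerfile "$BAD_DF" || echo "bad: build-deps kept or root user"
```

Run it against the real Dockerfile in CI (`lint_dockerfile Dockerfile || exit 1`) to catch a regression where the `apk del .build-deps` step or the `USER appuser` line is dropped.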