containerfile: consolidate security pins in requirements.txt
All checks were successful
CI / Security Scan (push) Successful in 20s
CI / Lint & Format (push) Successful in 22s
CI / Advanced Security Tests (push) Successful in 17s
CI / Memory Leak Check (push) Successful in 21s
CI / Security Tests (push) Successful in 26s
CI / Unit Tests (push) Successful in 34s
CI / Fuzz Testing (push) Successful in 25s
CI / SBOM Generation (push) Successful in 19s
CI / Build & Push Image (push) Successful in 42s
CI / Harbor Vulnerability Scan (push) Successful in 33s
All checks were successful
CI / Security Scan (push) Successful in 20s
CI / Lint & Format (push) Successful in 22s
CI / Advanced Security Tests (push) Successful in 17s
CI / Memory Leak Check (push) Successful in 21s
CI / Security Tests (push) Successful in 26s
CI / Unit Tests (push) Successful in 34s
CI / Fuzz Testing (push) Successful in 25s
CI / SBOM Generation (push) Successful in 19s
CI / Build & Push Image (push) Successful in 42s
CI / Harbor Vulnerability Scan (push) Successful in 33s
This commit is contained in:
Username
@@ -18,10 +18,9 @@ RUN python -m venv /opt/venv
|
|||||||
ENV PATH="/opt/venv/bin:$PATH"
|
ENV PATH="/opt/venv/bin:$PATH"
|
||||||
RUN pip install --no-cache-dir --upgrade "pip>=25.3" wheel
|
RUN pip install --no-cache-dir --upgrade "pip>=25.3" wheel
|
||||||
|
|
||||||
# Install Python dependencies
|
# Install Python dependencies (includes security pins from requirements.txt)
|
||||||
COPY requirements.txt .
|
COPY requirements.txt .
|
||||||
RUN pip install --no-cache-dir -r requirements.txt gunicorn && \
|
RUN pip install --no-cache-dir -r requirements.txt gunicorn
|
||||||
pip install --no-cache-dir --upgrade "pip>=25.3" "jaraco.context>=6.1.0"
|
|
||||||
|
|
||||||
|
|
||||||
# Stage 2: Alpine runtime (minimal)
|
# Stage 2: Alpine runtime (minimal)
|
||||||
@@ -30,8 +29,10 @@ FROM python:3.11-alpine
|
|||||||
LABEL maintainer="FlaskPaste"
|
LABEL maintainer="FlaskPaste"
|
||||||
LABEL description="Minimal secure pastebin REST API (Alpine)"
|
LABEL description="Minimal secure pastebin REST API (Alpine)"
|
||||||
|
|
||||||
# Upgrade base image pip to fix CVE-2025-8869
|
# Apply security fixes to base image (versions from requirements.txt)
|
||||||
RUN pip install --no-cache-dir --upgrade "pip>=25.3" "jaraco.context>=6.1.0"
|
COPY requirements.txt /tmp/
|
||||||
|
RUN pip install --no-cache-dir --upgrade pip && \
|
||||||
|
pip install --no-cache-dir -r /tmp/requirements.txt && rm /tmp/requirements.txt
|
||||||
|
|
||||||
# Create non-root user
|
# Create non-root user
|
||||||
RUN addgroup -g 65532 -S flaskpaste && adduser -u 65532 -S -G flaskpaste flaskpaste
|
RUN addgroup -g 65532 -S flaskpaste && adduser -u 65532 -S -G flaskpaste flaskpaste
|
||||||
|
|||||||
@@ -11,6 +11,7 @@ prometheus-flask-exporter>=0.23
|
|||||||
cryptography>=42.0
|
cryptography>=42.0
|
||||||
|
|
||||||
# Security fixes (transitive dependency pins)
|
# Security fixes (transitive dependency pins)
|
||||||
|
pip>=25.3
|
||||||
urllib3>=2.6.3
|
urllib3>=2.6.3
|
||||||
jaraco.context>=6.1.0
|
jaraco.context>=6.1.0
|
||||||
setuptools>=80.0
|
setuptools>=80.0
|
||||||
|
|||||||
Reference in New Issue
Block a user