-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathDockerfile
More file actions
100 lines (74 loc) · 3.3 KB
/
Dockerfile
File metadata and controls
100 lines (74 loc) · 3.3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
# Multi-stage Dockerfile for VulnForge
# Bun version pinned by .bun-version, passed as BUN_VERSION build-arg.
# Global ARG visible only to FROM lines; redeclared per-stage where used in LABEL/RUN.
ARG BUN_VERSION=1.3.13
# Stage 1: Build frontend
FROM oven/bun:${BUN_VERSION}-alpine AS frontend-builder
WORKDIR /app/frontend
# Install dependencies for native bindings (@swc/core, @tailwindcss/oxide)
# Both gcompat and build-base are required for TailwindCSS v4 in Alpine
# See: https://github.com/tailwindlabs/tailwindcss/issues/6690
RUN apk add --no-cache gcompat build-base
COPY frontend/package.json frontend/bun.lock ./
RUN bun install --frozen-lockfile
COPY frontend/ ./
# Build production bundle
RUN bun run build
# Verify build output exists (fail fast if build failed)
RUN test -d dist && test -f dist/index.html
# Stage 2: Build backend
FROM python:3.14-slim AS backend-builder
COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
WORKDIR /app
# Install dependencies from lockfile for reproducible builds
COPY backend/pyproject.toml backend/uv.lock ./
RUN --mount=type=cache,target=/root/.cache/uv \
uv pip install --system --no-cache -r pyproject.toml
# Copy backend code and install the project itself
COPY backend ./
RUN --mount=type=cache,target=/root/.cache/uv \
uv pip install --system --no-cache --no-deps .
# Stage 3: Production image
FROM python:3.14-slim
# Build arguments for metadata
ARG BUILD_DATE
# Re-declare BUN_VERSION inside this stage — Docker ARG scope resets at every
# FROM. Without this redeclaration, ${BUN_VERSION} expands to empty in LABEL.
ARG BUN_VERSION
# OCI-standard labels
LABEL org.opencontainers.image.authors="HomeLabForge"
LABEL org.opencontainers.image.title="VulnForge"
LABEL org.opencontainers.image.url="https://www.homelabforge.io"
LABEL org.opencontainers.image.description="Container vulnerability scanning and management platform"
LABEL org.opencontainers.image.frontend.builder="bun-${BUN_VERSION}"
WORKDIR /app
# Install runtime dependencies, create non-root user, and set up directories
RUN apt-get update && \
apt-get upgrade -y && \
apt-get install -y --no-install-recommends curl && \
rm -rf /var/lib/apt/lists/* && \
useradd --uid 1000 --user-group --system --create-home --no-log-init vulnforge && \
mkdir -p /data
# Copy Python dependencies from builder
COPY --from=backend-builder /usr/local/lib/python3.14/site-packages /usr/local/lib/python3.14/site-packages
COPY --from=backend-builder /usr/local/bin /usr/local/bin
# Copy application code
COPY --from=backend-builder /app/app /app/app
COPY --from=backend-builder /app/pyproject.toml ./
# Copy frontend build
COPY --from=frontend-builder /app/frontend/dist ./static
# Set ownership and permissions
RUN chown -R vulnforge:vulnforge /app /data && \
chmod -R 755 /app && \
chmod 755 /data
# Switch to non-root user
USER vulnforge
# Expose port
EXPOSE 8787
# Health check
HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
CMD curl -f http://localhost:8787/health || exit 1
# Run application with Granian (Rust-based ASGI server)
# Using 1 worker due to stateful background services (APScheduler, scan queue)
# Granian auto-configures threads for optimal performance
CMD ["granian", "--interface", "asgi", "--host", "0.0.0.0", "--port", "8787", "--workers", "1", "app.main:app"]