Merge pull request #506 from ansforge/chore/security/fix-healthcheck-vulnerabilities

issam71100 · web-flow · commit e991eb78e6ed · 2026-01-22T17:34:23.000+01:00
chore/security(healthcheck) : fix vulnerabilities
diff --git a/tools/healthcheck/Dockerfile b/tools/healthcheck/Dockerfile
@@ -1,5 +1,5 @@
 # Use an official Python runtime as a parent image
-FROM python:3.11-slim
+FROM python:3.14-alpine
 
 # Set environment variables
 ENV PYTHONDONTWRITEBYTECODE=1 \
@@ -8,16 +8,15 @@ ENV PYTHONDONTWRITEBYTECODE=1 \
     UV_LINK_MODE=copy
 
 # Install system dependencies and uv
-RUN apt-get update && apt-get install -y \
+RUN apk add --no-cache \
     curl \
     ca-certificates \
-    && rm -rf /var/lib/apt/lists/* \
     && curl -LsSf https://astral.sh/uv/install.sh | sh \
     && mv /root/.local/bin/uv /usr/local/bin/uv \
     && mv /root/.local/bin/uvx /usr/local/bin/uvx
 
 # Create a non-root user and group
-RUN groupadd -r -g 1000 healthcheck && useradd -r -u 1000 -g healthcheck healthcheck
+RUN addgroup -g 1000 healthcheck && adduser -D -u 1000 -G healthcheck healthcheck
 
 # Set the working directory in the container
 WORKDIR /app
diff --git a/tools/healthcheck/pyproject.toml b/tools/healthcheck/pyproject.toml
@@ -12,7 +12,7 @@ dependencies = [
     "prometheus-client==0.23.1",
     "prometheus-flask-exporter==0.23.2",
     "requests==2.32.5",
-    "werkzeug==3.1.3",
+    "werkzeug==3.1.5",
 ]
 
 [tool.coverage.run]
diff --git a/tools/healthcheck/uv.lock b/tools/healthcheck/uv.lock
