Merge pull request #2 from vechain/feat/harden-base-image

Agilulfo1820 · web-flow · commit 49d11d83d933 · 2026-03-10T17:09:38.000+01:00
Harden base image and add Trivy scan before push
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -40,12 +40,35 @@ jobs:
             type=semver,pattern={{major}}.{{minor}}
             type=sha
 
-      - name: Build and push
+      - name: Build image
+        id: build
         uses: docker/build-push-action@v5
         with:
           context: .
-          push: true
+          push: false
+          load: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+
+      - name: Set image ref for Trivy
+        id: scan-ref
+        run: |
+          TAGS="${{ steps.meta.outputs.tags }}"
+          FIRST_TAG="${TAGS%%$'\n'*}"
+          echo "ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${FIRST_TAG}" >> $GITHUB_OUTPUT
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ steps.scan-ref.outputs.ref }}
+          severity: CRITICAL
+          exit-code: '1'
+          format: table
+
+      - name: Push image
+        run: |
+          echo "${{ steps.meta.outputs.tags }}" | while read t; do
+            [ -n "$t" ] && docker push "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:$t"
+          done
diff --git a/Dockerfile b/Dockerfile
@@ -1,17 +1,20 @@
 FROM node:20-alpine AS builder
+RUN apk add --no-cache tini
 WORKDIR /app
-COPY package.json ./
-RUN npm install
+COPY package.json package-lock.json ./
+RUN npm ci
 COPY tsconfig.json ./
 COPY src ./src
 RUN NODE_OPTIONS=--max-old-space-size=4096 npx tsc
+RUN npm prune --production
 
-FROM node:20-alpine
-RUN apk add --no-cache tini
+FROM dhi.io/node:20-alpine3.23
 WORKDIR /app
-COPY package.json ./
-RUN npm install --production
+COPY --from=builder /sbin/tini /sbin/tini
 COPY --from=builder /app/dist ./dist
+COPY --from=builder /app/node_modules ./node_modules
+COPY package.json ./
+
 ENV RELAYER_NETWORK=mainnet
 ENTRYPOINT ["/sbin/tini", "--"]
 CMD ["node", "dist/index.js"]
