Pin Dockerfile base images to SHA256 digests
Mutable tags on Docker Hub can be re-pointed at different content, which enables RCE during builds. Pin to exact digests, with version/date comments for auditability.
This commit is contained in:
parent
e106dd5332
commit
ca403e68d1
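--- a/PATH_PLACEHOLDER
+++ b/PATH_PLACEHOLDER
@@ -1,11 +1,13 @@
-FROM node:22-alpine AS build
+# node:22-alpine as of 2026-02-22
+FROM node@sha256:e4bf2a82ad0a4037d28035ae71529873c069b13eb0455466ae0bc13363826e34 AS build
 WORKDIR /app
 COPY package.json yarn.lock ./
 RUN yarn install --frozen-lockfile
 COPY . .
 RUN yarn build
 
-FROM nginx:stable-alpine
+# nginx:stable-alpine as of 2026-02-22
+FROM nginx@sha256:15e96e59aa3b0aada3a121296e3bce117721f42d88f5f64217ef4b18f458c6ab
 # Remove default config
 RUN rm /etc/nginx/conf.d/default.conf
 # Custom nginx config: real_ip from RFC1918, access_log to stdout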
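Review bot: The two new `FROM` lines drop the tag entirely, so the human-readable version now lives only in the comment above each one and digest-refresh tooling (Renovate, Dependabot) has no tag to track when it proposes a newer digest; keep both in the instruction, `FROM node:22-alpine@sha256:e4bf2a82ad0a4037d28035ae71529873c069b13eb0455466ae0bc13363826e34 AS build` and `FROM nginx:stable-alpine@sha256:15e96e59aa3b0aada3a121296e3bce117721f42d88f5f64217ef4b18f458c6ab`, since Docker resolves by the digest and ignores the tag. The `as of` comments would be more useful for re-verification if they also recorded how the digest was obtained, e.g. `# node:22-alpine as of 2026-02-22 (docker buildx imagetools inspect)`, because a digest proves only that the content is unchanged, not that it was the right content to begin with. It is not visible from the page whether each digest is the multi-arch index digest or a single-platform manifest digest; if it is the latter, builds for another architecture will fail at `FROM`, so that is worth confirming. The Dockerfile continues past the end of this hunk.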