DOCKERFILE Improvements #39

@decause-gov

Description

Issue Report

DOCKERFILE Improvements

Expected behavior

Running as a non-root user helps to avoid security risks; using security headers is a good best practice.

Actual behavior

DOCKERFILE

The Dockerfile is structured in a multi-stage build format which is good for optimizing the
final image size. I'll walk you through each part of the Dockerfile and point out any concerns or
recommendations:

  1. Builder Stage (Node.js Build Phase):
  • FROM node:18.12.1-alpine as builder: You're using a specific version of Node.js
    with Alpine, which is a lightweight distro. This is a good practice as it minimizes
    the image size and reduces potential attack surfaces.

  • COPY package.json yarn.lock ./: Good! You're copying only the necessary files
    for the yarn install command. This takes advantage of Docker's caching
    mechanism and ensures faster builds if no dependencies change.

  • Recommendations: Consider using a non-root user even in the builder stage. Running as a non-root
    user is a security best practice.

  2. Production Environment (Nginx Server):
  • It would be beneficial to use a non-root user to run the Nginx process. By default,
    Nginx will run as root, which is not recommended in a container environment.
  • Consider adding security headers in your Nginx configuration for added security.
    Examples include: Strict-Transport-Security, Content-Security-Policy,
    X-Content-Type-Options, X-Frame-Options, etc.
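The following Dockerfile is an added example of how the three recommendations above fit together; it is not the project's own Dockerfile. It keeps the two lines quoted from the original (the `node:18.12.1-alpine` builder and the `package.json`/`yarn.lock` copy) and assumes the rest: that the project builds with `yarn build`, that the build output lands in `dist/`, and that the production stage is based on the official `nginx:alpine` image. The nginx configuration is embedded with a Dockerfile heredoc (`COPY <<'EOF'`, which needs BuildKit and the `# syntax` line) so the whole example is one file.

```dockerfile
# syntax=docker/dockerfile:1
# Added example (not the project's Dockerfile): multi-stage build that applies the
# non-root and security-header recommendations from this issue. Anything not quoted
# in the issue is an assumption: the "yarn build" script, the dist/ output directory
# and the nginx:alpine base image.

########## Stage 1: builder, running as the unprivileged "node" user ##########
FROM node:18.12.1-alpine AS builder

WORKDIR /app
# The node image ships a "node" user (uid 1000). Hand it the work directory so
# yarn can write node_modules and the build output without being root.
RUN chown node:node /app
USER node

# Copy only the manifests first so the dependency layer stays cacheable.
COPY --chown=node:node package.json yarn.lock ./
RUN yarn install --frozen-lockfile

COPY --chown=node:node . .
# Assumption: the project builds with "yarn build" and emits static files to dist/.
RUN yarn build

########## Stage 2: nginx serving the static build as a non-root user ##########
FROM nginx:alpine

# Replace the stock config with one that works without root:
#  - listens on an unprivileged port (8080 instead of 80)
#  - writes its pid and temp files to a directory the "nginx" user can write
#  - sends the security headers recommended in this issue
COPY <<'EOF' /etc/nginx/nginx.conf
worker_processes auto;
pid /tmp/nginx.pid;
error_log /dev/stderr warn;

events { worker_connections 1024; }

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    access_log    /dev/stdout;
    server_tokens off;

    # Temp paths must be writable by the unprivileged worker processes.
    client_body_temp_path /tmp/client_temp;
    proxy_temp_path       /tmp/proxy_temp;
    fastcgi_temp_path     /tmp/fastcgi_temp;
    uwsgi_temp_path       /tmp/uwsgi_temp;
    scgi_temp_path        /tmp/scgi_temp;

    server {
        listen 8080;
        root   /usr/share/nginx/html;
        index  index.html;

        # "always" makes nginx emit the headers on error responses as well.
        # Keep every add_header in this server block: an add_header inside a
        # location block would replace all of these for that location.
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
        add_header Content-Security-Policy "default-src 'self'; object-src 'none'; frame-ancestors 'none'" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "DENY" always;

        location / {
            try_files $uri $uri/ /index.html;
        }
    }
}
EOF

# Copy the built assets (assumed path: /app/dist) owned by the nginx user.
COPY --from=builder --chown=nginx:nginx /app/dist /usr/share/nginx/html

# The official image already defines an "nginx" user (uid 101); switch to it so
# the master process never runs as root.
USER nginx
EXPOSE 8080
CMD ["nginx", "-g", "daemon off;"]
```

Two caveats a reviewer would check: browsers only honour Strict-Transport-Security on HTTPS responses, so if TLS terminates at a proxy in front of this container the header is still correct, but it is the proxy that has to serve the site over TLS for it to take effect; and the Content-Security-Policy shown is a constructed, restrictive starting point that will block inline scripts and third-party assets until it is tuned to what the application actually loads. If maintaining a custom nginx.conf is unwelcome, the `nginxinc/nginx-unprivileged` image from the nginx project applies the same non-root adjustments (port 8080, `/tmp` pid and temp paths, `USER nginx`) out of the box, leaving only the `add_header` lines to supply.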

Labels: enhancement (New feature or request)