Update Dockerfile for user ownership and fix node execution path

- Comment out the `USER ${USER}` line in Dockerfile to avoid potential issues with permissions. - Add `--chown=${USER}:${USER}` to `COPY` commands in Dockerfile to ensure files are owned by the specified user. - Change the `CMD` in Dockerfile to use the full path to `node` to fix the error `/bin/ash: node: not found`. - Add a FIXME comment in Dockerfile with a link to documentation for further troubleshooting of node issues. - Update README.md to include additional badges: - Docker Scout Report badge - Known Vulnerabilities badge - Docker Image Version badge - Docker Pulls badge - Update `docker-compose.yml` to use the new Docker image version `v1.7.1` for `rocket-alert` service.
DavidChevallier · Jun 20, 2024 · 80da78e · 80da78e
1 parent d46db20
commit 80da78e
Show file tree

Hide file tree

Showing 6 changed files with 63 additions and 8 deletions.
diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "daily"
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -0,0 +1,20 @@
+name: Security Scan
+
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  security-scan:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout 🛎️
+        uses: actions/checkout@v2
+
+      - name: Install
+        run: npm install
+
+      - name: Run npm audit
+        run: npm audit --audit-level=high
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
@@ -0,0 +1,27 @@
+name: Snyk Security Scan
+
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  snyk:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v2
+        with:
+          node-version: '14'
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: Run Snyk to check for vulnerabilities
+        run: snyk test
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
diff --git a/Dockerfile b/Dockerfile
@@ -29,18 +29,19 @@ RUN mkdir -p /opt/app && \
     adduser -D ${USER} && \
     chown -R ${USER}:${USER} /opt/app
 
-USER ${USER}
+#USER ${USER}
 
-COPY --from=build /usr/local /usr/local
-COPY --from=build /usr/lib /usr/lib
-COPY --from=build /usr/bin/node /usr/bin/node
-COPY --from=build /usr/bin/npm /usr/bin/npm
+COPY --from=build --chown=${USER}:${USER} /usr/local /usr/local
+COPY --from=build --chown=${USER}:${USER} /usr/lib /usr/lib
+COPY --from=build --chown=${USER}:${USER} /usr/bin/node /usr/bin/node
+COPY --from=build --chown=${USER}:${USER} /usr/bin/npm /usr/bin/npm
 
 WORKDIR /opt/app
 COPY --from=build --chown=${USER}:${USER} /opt/app/build ./build
 COPY --from=build --chown=${USER}:${USER} /opt/app/node_modules ./node_modules
 COPY --from=build --chown=${USER}:${USER} /opt/app/package.json ./
 COPY --from=build --chown=${USER}:${USER} /opt/app/package-lock.json ./
 
-CMD ["npm", "start"]
+# FIXME: /bin/ash: node: not found - https://edu.chainguard.dev/chainguard/chainguard-images/getting-started/node/
+CMD ["/usr/bin/node", "npm", "start"]
 EXPOSE 3000
diff --git a/README.md b/README.md
@@ -1,7 +1,8 @@
 # Code Red Rocket Alerts :rocket:
 
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
-![](https://github.com/ErezNagar/rocket-alert/actions/workflows/main.yml/badge.svg)
+![](https://github.com/ErezNagar/rocket-alert/actions/workflows/main.yml/badge.svg) [![Known Vulnerabilities](https://snyk.io/test/github/ErezNagar/rocket-alert/badge.svg)](https://snyk.io/test/github/ErezNagar/rocket-alert) ![Docker Image Version (latest by date)](https://img.shields.io/docker/v/dchevallier/rocket-alert?sort=date) ![Docker Pulls](https://img.shields.io/docker/pulls/dchevallier/rocket-alert)
+[![Docker Scout Report](https://img.shields.io/badge/Docker%20Scout-Report-blue)](https://scout.docker.com/reports/org/dchevallier/images/host/hub.docker.com/repo/dchevallier%2Frocket-alert)
 
 Real-time rocket alerts in Israel:
 http://rocketalert.live/

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -21,7 +21,7 @@ x-dns: &default-dns
 
 services:
   rocket-alert:
-    image: dchevallier/rocket-alert:v1.7.0
+    image: dchevallier/rocket-alert:v1.7.1
     container_name: rocket-alert
     restart: unless-stopped
     build: