From dedc0303849397728c85406e24f4fa14f2f4c9cf Mon Sep 17 00:00:00 2001
From: Knee Cola
Date: Mon, 17 Nov 2025 14:06:31 +0100
Subject: [PATCH] Replace Alpine with distroless image for production stage
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Switch from node:24-alpine to gcr.io/distroless/nodejs20-debian12:nonroot for enhanced security and reduced attack surface. Distroless images contain only runtime dependencies without shell, package managers, or other utilities.

Changes:
- Use distroless nodejs20-debian12:nonroot base image
- Remove manual user creation (use built-in nonroot user)
- Remove RUN commands for directory creation (incompatible with distroless)
- Update file ownership to nonroot:nonroot

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude
---
Dockerfile | 16 ++++------------
1 file changed, 4 insertions(+), 12 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index b33c234..617035c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -27,30 +27,22 @@ RUN npm run build
 #-----------------------------------------
 # STAGE 3: Run the Next.js server
 #-----------------------------------------
-FROM base AS production
+FROM gcr.io/distroless/nodejs20-debian12:nonroot AS production
 WORKDIR /app
 ENV NODE_ENV=production
-RUN addgroup --system --gid 1001 nodejs
-RUN adduser --system --uid 1001 nextjs
-
 COPY --from=builder /app/public/* /app/public/
 # this file is required for the pdfjs-dist package
 COPY --from=builder /app/node_modules/pdfjs-dist/build/pdf.worker.min.mjs /app/public/pdf.worker.min.mjs
-
-# Set the correct permission for prerender cache
-RUN mkdir .next
-RUN chown nextjs:nodejs .next
-
 # Automatically leverage output traces to reduce image size
 # https://nextjs.org/docs/advanced-features/output-file-tracing
-COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
-COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
+COPY --from=builder --chown=nonroot:nonroot /app/.next/standalone ./
+COPY --from=builder --chown=nonroot:nonroot /app/.next/static ./.next/static
-USER nextjs
+USER nonroot
 EXPOSE 3000
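Review bot: The new `FROM gcr.io/distroless/nodejs20-debian12:nonroot AS production` line runs the app on Node 20/glibc, while the artifacts copied from `builder` below were, per the commit description, produced on `node:24-alpine` (Node 24/musl); that is a major-version downgrade at runtime and a libc switch under the traced `.next/standalone` tree, so any native addon traced into its `node_modules` will fail to load and Node 24-only behaviour is untested on 20. Build and run on the same Node major (a distroless tag matching the builder, and a Debian-based rather than alpine builder if native modules are present), and pin the distroless reference by digest, `@sha256:<digest>`, since `:nonroot` is a floating tag that can change under you. The distroless nodejs images also set `ENTRYPOINT` to the node binary, so if the stage's `CMD` (outside this hunk) still reads `["node", "server.js"]` it must become `CMD ["server.js"]` or the container will exec `node node server.js`. The builder stage's `FROM` is not visible here, so the version claim is inferred from the description.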