Replace Alpine with distroless image for production stage

Switch from node:24-alpine to gcr.io/distroless/nodejs20-debian12:nonroot for enhanced security and reduced attack surface. Distroless images contain only runtime dependencies without shell, package managers, or other utilities. Changes: - Use distroless nodejs20-debian12:nonroot base image - Remove manual user creation (use built-in nonroot user) - Remove RUN commands for directory creation (incompatible with distroless) - Update file ownership to nonroot:nonroot 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-17 14:06:31 +01:00
parent c005f4ca78
commit dedc030384
1 changed files with 4 additions and 12 deletions
--- a/16
+++ b/16
@@ -27,30 +27,22 @@ RUN npm run build
 #-----------------------------------------
 # STAGE 3: Run the Next.js server
 #-----------------------------------------
-FROM base AS production
+FROM gcr.io/distroless/nodejs20-debian12:nonroot AS production
 WORKDIR /app
 ENV NODE_ENV=production
 RUN addgroup --system --gid 1001 nodejs
 RUN adduser --system --uid 1001 nextjs
 COPY --from=builder /app/public/* /app/public/
 # this file is required for the pdfjs-dist package
 COPY --from=builder /app/node_modules/pdfjs-dist/build/pdf.worker.min.mjs /app/public/pdf.worker.min.mjs
 # Set the correct permission for prerender cache
 RUN mkdir .next
 RUN chown nextjs:nodejs .next
 # Automatically leverage output traces to reduce image size
 # https://nextjs.org/docs/advanced-features/output-file-tracing
-COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
+COPY --from=builder --chown=nonroot:nonroot /app/.next/standalone ./
-COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
+COPY --from=builder --chown=nonroot:nonroot /app/.next/static ./.next/static
-USER nextjs
+USER nonroot
 EXPOSE 3000