BretFisher
diff --git a/‎README.md‎
Lines changed: 53 additions & 38 deletions b/‎README.md‎
Lines changed: 53 additions & 38 deletions
diff --git a/‎docker-compose.yml‎ ‎compose.yaml‎docker-compose.yml renamed to compose.yaml
Lines changed: 14 additions & 4 deletions b/‎docker-compose.yml‎ ‎compose.yaml‎docker-compose.yml renamed to compose.yaml
Lines changed: 14 additions & 4 deletions
diff --git a/‎dockerfiles/1.Dockerfile‎
Lines changed: 10 additions & 11 deletions b/‎dockerfiles/1.Dockerfile‎
Lines changed: 10 additions & 11 deletions
diff --git a/‎dockerfiles/2.Dockerfile‎
Lines changed: 12 additions & 12 deletions b/‎dockerfiles/2.Dockerfile‎
Lines changed: 12 additions & 12 deletions
diff --git a/‎dockerfiles/3.Dockerfile‎
Lines changed: 14 additions & 14 deletions b/‎dockerfiles/3.Dockerfile‎
Lines changed: 14 additions & 14 deletions
diff --git a/‎dockerfiles/4.Dockerfile‎
Lines changed: 0 additions & 43 deletions b/‎dockerfiles/4.Dockerfile‎
Lines changed: 0 additions & 43 deletions
diff --git a/‎dockerfiles/5.Dockerfile‎
Lines changed: 0 additions & 60 deletions b/‎dockerfiles/5.Dockerfile‎
Lines changed: 0 additions & 60 deletions
diff --git a/‎dockerfiles/distroless.Dockerfile‎
Lines changed: 5 additions & 10 deletions b/‎dockerfiles/distroless.Dockerfile‎
Lines changed: 5 additions & 10 deletions
diff --git a/‎dockerfiles/snyk.sh‎
Lines changed: 18 additions & 0 deletions b/‎dockerfiles/snyk.sh‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎dockerfiles/tags.txt‎
Lines changed: 14 additions & 0 deletions b/‎dockerfiles/tags.txt‎
Lines changed: 14 additions & 0 deletions
@@ -9,21 +9,31 @@
 services:
   node:
     build:
-      dockerfile: dockerfiles/5.Dockerfile
+      dockerfile: dockerfiles/3.Dockerfile
       context: .
       # build to the stage named dev
       target: dev
-    volumes:
-      - .:/app
+    # Not needed when `develop: watch` is used
+    # volumes:
+    #   - .:/app
     ports:
       # use docker compose ps to see which host port is used
       - "3000"
     depends_on:
       db:
         condition: service_healthy
+    develop:
+      watch:
+        - action: sync
+          path: ./
+          target: /app
+        - action: rebuild
+          path: package.json
+        - action: rebuild
+          path: package-lock.json
 
   db:
-    image: postgres
+    image: postgres:alpine
     environment:
       POSTGRES_USER: postgres
       POSTGRES_PASSWORD: postgres
 
@@ -1,28 +1,27 @@
+# syntax=docker/dockerfile:1
+
 ###
-## Example: run as non-root user
+## Example: The most basic, CORRECT, Dockerfile for Node.js
 ###
 
 # alwyas use slim and the lastest debian distro offered
-FROM node:16-bullseye-slim
+FROM node:20-bookworm-slim@sha256:8d26608b65edb3b0a0e1958a0a5a45209524c4df54bbe21a4ca53548bc97a3a5
 
 EXPOSE 3000
 
-# change permissions to non-root user
-RUN mkdir /app && chown -R node:node /app
+# add user first, then set WORKDIR to set permissions
+USER node
 
 WORKDIR /app
 
-USER node
-
 # copy in with correct permissions. Using * prevents errors if file is missing
-COPY --chown=node:node package*.json yarn*.lock ./
+COPY --chown=node:node package*.json ./
 
 # use ci to only install packages from lock files
-# we don't have a dev image/stage yet (in future example)
-RUN npm ci --only=production && npm cache clean --force
+RUN npm ci --omit=dev && npm cache clean --force
 
 # copy files with correct permissions
 COPY --chown=node:node . .
 
-# we haven't fixed CMD yet (in future example)
-CMD ["npm", "start"]
+# change command to run node directly
+CMD ["node", "./bin/www"]
@@ -1,29 +1,29 @@
-FROM node:16-bullseye-slim
+# syntax=docker/dockerfile:1
+
 ###
 ## Example: run tini first, as PID 1
 ###
 
+FROM node:20-bookworm-slim@sha256:8d26608b65edb3b0a0e1958a0a5a45209524c4df54bbe21a4ca53548bc97a3a5
+
 # replace npm in CMD with tini for better kernel signal handling
-RUN apt-get update \
-    && apt-get install -y --no-install-recommends \
-    tini \
-    && rm -rf /var/lib/apt/lists/*
+ENV NODE_ENV=production
+ENV TINI_VERSION=v0.19.0
+ADD --chmod=755 https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /usr/local/bin/tini
+
 # set entrypoint to always run commands with tini
-ENTRYPOINT ["/usr/bin/tini", "--"]
+ENTRYPOINT ["/usr/local/bin/tini", "--"]
 
 EXPOSE 3000
 
-RUN mkdir /app && chown -R node:node /app
+USER node
 
 WORKDIR /app
 
-USER node
-
-COPY --chown=node:node package*.json yarn*.lock ./
+COPY --chown=node:node package*.json ./
 
-RUN npm ci --only=production && npm cache clean --force
+RUN npm ci --omit=dev && npm cache clean --force
 
 COPY --chown=node:node . .
 
-# change command to run node directly
 CMD ["node", "./bin/www"]
@@ -1,29 +1,29 @@
+# syntax=docker/dockerfile:1
+
 ###
 ## Adding stages for dev and prod
 ###
-FROM node:16-bullseye-slim as base
+
+FROM node:20-bookworm-slim@sha256:8d26608b65edb3b0a0e1958a0a5a45209524c4df54bbe21a4ca53548bc97a3a5 as base
 ENV NODE_ENV=production
-RUN apt-get update \
-    && apt-get install -y --no-install-recommends \
-    tini \
-    && rm -rf /var/lib/apt/lists/*
+ENV TINI_VERSION=v0.19.0
+ADD --chmod=755 https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /usr/local/bin/tini
 EXPOSE 3000
-RUN mkdir /app && chown -R node:node /app
-WORKDIR /app
 USER node
-COPY --chown=node:node package*.json yarn*.lock ./
-RUN npm ci --only=production && npm cache clean --force
-COPY --chown=node:node . .
-CMD ["node", "./bin/www"]
+WORKDIR /app
+COPY --chown=node:node package*.json ./
+RUN npm ci --omit=dev && npm cache clean --force
+ENV PATH=/app/node_modules/.bin:$PATH
 
 # dev stage
 FROM base as dev
 ENV NODE_ENV=development
-ENV PATH=/app/node_modules/.bin:$PATH
 RUN npm install
+COPY --chown=node:node . .
 CMD ["nodemon", "./bin/www", "--inspect=0.0.0.0:9229"]
 
 # prod stage
 FROM base as prod
-ENTRYPOINT ["/usr/bin/tini", "--"]
-CMD ["node", "./bin/www"]
+COPY --chown=node:node . .
+ENTRYPOINT ["/usr/local/bin/tini", "--"]
+CMD ["node", "./bin/www"]
@@ -1,8 +1,11 @@
+# syntax=docker/dockerfile:1
+
 ###
 ## Distroless in Prod. Multi-stage dev/test/prod with distroless
 ###
-FROM gcr.io/distroless/nodejs@sha256:794e26246770ff28d285d7f800ce1982883cf4105662845689efa33f04ec4340 as distroless
-FROM node:16-bullseye-slim as base
+
+FROM gcr.io/distroless/nodejs20-debian12:latest@sha256:6499c05db574451eeddda4d3ddb374ac1aba412d6b2f5d215cc5e23c40c0e4d3 as distroless
+FROM node:20-slim as base
 ENV NODE_ENV=production
 RUN apt-get update \
     && apt-get install -y --no-install-recommends \
@@ -24,14 +27,6 @@ CMD ["nodemon", "./bin/www", "--inspect=0.0.0.0:9229"]
 FROM base as source
 COPY --chown=node:node . .
 
-FROM source as test
-ENV NODE_ENV=development
-ENV PATH=/app/node_modules/.bin:$PATH
-COPY --from=dev /app/node_modules /app/node_modules
-RUN npx eslint .
-RUN npm test
-CMD ["npm", "run", "test"]
-
 # switch to distroless for prod
 # use version tags for always building with latest 
 #    (more risky for stability, but likely more secure)
 
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+echo "[" > summary.json
+for image in $(cat tags.txt); do
+  image_file=$(echo ${image} | tr '/' '-' | tr ':' '-')
+  tag=$(echo ${image} | cut -f 2 -d '/' | cut -f 2 -d ':')  
+  echo "Testing ${image}..."
+
+  if [[ "$1" == "--no-cache" || ! -f snyk.${image_file}.json ]]; then
+    DOCKER_CLI_HINTS=false docker pull ${image}
+    snyk container test ${image} --exclude-app-vulns --json-file-output=snyk.${image_file}.json --group-issues > snyk.${image_file}.log
+  fi
+  summary=$(jq -c '[ .vulnerabilities[].severity] | reduce .[] as $sev ({}; .[$sev] +=1) | { image: "'${image}'", low: (.low // 0), medium: (.medium // 0), high: (.high // 0), critical: (.critical // 0)} | .total = .low + .medium + .high + .critical ' snyk.${image_file}.json)
+  echo "  ${summary}," >> summary.json
+done
+echo "]" >> summary.json
+
+cat summary.json
@@ -0,0 +1,14 @@
+node:20
+node:20-slim
+node:20-alpine
+node:18
+node:18-slim
+node:18-alpine
+debian:12
+debian:12-slim
+ubuntu:22.04
+bretfisher/node:ubuntu-22.04-nodesource18
+bretfisher/node:ubuntu-22.04-nodesource20
+bretfisher/node:ubuntu-22.04-node20-copy
+gcr.io/distroless/nodejs20-debian12
+cgr.dev/chainguard/node:latest