Dev

.dockerignore

@@ -0,0 +1,63 @@
+# Version control
+.git
+.gitignore
+
+# Documentation
+README.md
+*.md
+
+# IDE and editor files
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# OS generated files
+.DS_Store
+.DS_Store?
+._*
+.Spotlight-V100
+.Trashes
+ehthumbs.db
+Thumbs.db
+
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+
+# Virtual environments
+venv/
+env/
+ENV/
+
+# Testing
+.pytest_cache/
+.coverage
+htmlcov/
+.tox/
+
+# Logs
+*.log
+
+# Temporary files
+*.tmp
+*.temp

.gitignore

@@ -0,0 +1,4 @@
+# Trivy security scanner files
+.trivy/
+trivy.yaml
+reports/

.trivyignore

@@ -0,0 +1,38 @@
+# Trivy ignore file
+# Format: https://aquasecurity.github.io/trivy/latest/docs/vulnerability/examples/filter/
+
+# Ignore test files and development dependencies
+**/test/**
+**/tests/**
+**/*test*
+**/node_modules/**
+**/.git/**
+**/.pytest_cache/**
+**/__pycache__/**
+
+# Ignore specific low-impact vulnerabilities (example)
+# CVE-2023-xxxxx
+
+# Ignore base image vulnerabilities that cannot be fixed
+# debian:bookworm-slim known issues
+# CVE-2024-xxxxx
+
+# Ignore supervisor-related root user requirement  
+AVD-DS-0002
+
+# Ignore documentation and example files
+**/docs/**
+**/examples/**
+**/*.md
+**/*.txt
+LICENSE
+README*
+
+# Ignore static assets
+**/static/**
+**/assets/**
+**/*.css
+**/*.js
+**/*.png
+**/*.jpg
+**/*.gif

Dockerfile

@@ -1,25 +1,42 @@
-FROM debian:stretch-slim
+FROM debian:bookworm-slim
 
-MAINTAINER Phillip Bailey <phillip@bailey.st>
+LABEL maintainer="Phillip Bailey"
 
-ENV DEBIAN_FRONTEND noninteractive
+ENV DEBIAN_FRONTEND=noninteractive
 
-RUN apt-get update && apt-get dist-upgrade && apt-get install -y \
-    python-pip python-dev uwsgi-plugin-python \
-    nginx supervisor
+RUN apt-get update && apt-get dist-upgrade -y && apt-get install -y --no-install-recommends \
+    python3-dev build-essential gcc \
+    nginx supervisor curl ca-certificates \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install uv
+COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv
+
+# Create non-root user and add to www-data group
+RUN groupadd -r appuser && useradd -r -g appuser appuser \
+    && usermod -a -G www-data appuser
 
 COPY nginx/flask.conf /etc/nginx/sites-available/
 COPY supervisor/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
 
 COPY app /var/www/app
 
-RUN mkdir -p /var/log/nginx/app /var/log/uwsgi/app /var/log/supervisor \
+RUN mkdir -p /var/log/nginx/app /var/log/supervisor \
     && rm /etc/nginx/sites-enabled/default \
     && ln -s /etc/nginx/sites-available/flask.conf /etc/nginx/sites-enabled/flask.conf \
     && echo "daemon off;" >> /etc/nginx/nginx.conf \
-    &&  pip install -r /var/www/app/requirements.txt \
-    && chown -R www-data:www-data /var/www/app \
-    && chown -R www-data:www-data /var/log
+    && sed -i 's|pid /run/nginx.pid;|pid /var/run/nginx.pid;|' /etc/nginx/nginx.conf \
+    && uv pip install --system --no-cache --break-system-packages -r /var/www/app/requirements.txt \
+    && chown -R appuser:appuser /var/www/app \
+    && chown -R appuser:appuser /var/log \
+    && chown -R appuser:appuser /var/run
+
+EXPOSE 8080
 
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
+  CMD curl -f http://localhost:8080/ || exit 1
 
-CMD ["/usr/bin/supervisord"]
+# Run as non-root user for security (nginx can now bind to non-privileged port 8080)
+USER appuser
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]