b7d21daa24
All checks were successful
CI / test-bqas (push) Successful in 32s
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / test-go-consent (push) Successful in 46s
CI / test-python-voice (push) Successful in 38s
- Install Gitleaks, Trivy, Grype, Syft, Semgrep, Bandit in backend-core Dockerfile - Add Woodpecker SQLite proxy API (fallback without API token) - Mount woodpecker_data volume read-only to backend-core - Add backend proxy fallback in admin-core Woodpecker route - Add Vault file-based persistent storage (config.hcl, init-vault.sh) - Auto-init, unseal and root-token persistence for Vault - Add 6 pitch-deck annex slides (Assumptions, Architecture, GTM, Regulatory, Engineering, AI Pipeline) - Dynamic margin/amortization KPIs in BusinessModelSlide - Market sources modal with citations in MarketSlide - Redesign nginx landing page to 3-column layout (Lehrer/Compliance/Core) - Extend MkDocs nav with Services and SDK documentation sections - Add SDK Protection architecture doc Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
84 lines
2.7 KiB
Docker
84 lines
2.7 KiB
Docker
# ============================================================
|
|
# BreakPilot Core Backend -- Multi-stage Docker build
|
|
# ============================================================
|
|
|
|
# ---------- Build stage ----------
|
|
FROM python:3.12-slim-bookworm AS builder
|
|
|
|
WORKDIR /app
|
|
|
|
# Build-time system libs (needed for asyncpg / psycopg2)
|
|
RUN apt-get update && apt-get install -y --no-install-recommends \
|
|
build-essential \
|
|
libpq-dev \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
COPY requirements.txt .
|
|
|
|
RUN python -m venv /opt/venv
|
|
ENV PATH="/opt/venv/bin:$PATH"
|
|
RUN pip install --no-cache-dir --upgrade pip && \
|
|
pip install --no-cache-dir -r requirements.txt && \
|
|
pip install --no-cache-dir semgrep bandit
|
|
|
|
# ---------- Runtime stage ----------
|
|
FROM python:3.12-slim-bookworm
|
|
|
|
WORKDIR /app
|
|
|
|
# Runtime system libs
|
|
# - libpango / libgdk-pixbuf / shared-mime-info -> WeasyPrint (pdf_service)
|
|
# - libgl1 / libglib2.0-0 -> OpenCV (file_processor)
|
|
# - curl -> healthcheck
|
|
RUN apt-get update && apt-get install -y --no-install-recommends \
|
|
libpango-1.0-0 \
|
|
libpangocairo-1.0-0 \
|
|
libgdk-pixbuf-2.0-0 \
|
|
libffi-dev \
|
|
shared-mime-info \
|
|
libgl1 \
|
|
libglib2.0-0 \
|
|
curl \
|
|
git \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
# Install DevSecOps tools (gitleaks, trivy, grype, syft)
|
|
ARG TARGETARCH=arm64
|
|
RUN set -eux; \
|
|
# Gitleaks
|
|
GITLEAKS_VERSION=8.21.2; \
|
|
if [ "$TARGETARCH" = "arm64" ]; then GITLEAKS_ARCH=arm64; else GITLEAKS_ARCH=x64; fi; \
|
|
curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_${GITLEAKS_ARCH}.tar.gz" \
|
|
| tar xz -C /usr/local/bin gitleaks; \
|
|
# Trivy
|
|
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin; \
|
|
# Grype
|
|
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin; \
|
|
# Syft
|
|
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin; \
|
|
# Verify
|
|
gitleaks version && trivy --version && grype version && syft version
|
|
|
|
# Copy virtualenv from builder
|
|
COPY --from=builder /opt/venv /opt/venv
|
|
ENV PATH="/opt/venv/bin:$PATH"
|
|
|
|
# Non-root user
|
|
RUN useradd --create-home --shell /bin/bash appuser
|
|
|
|
# Copy application code
|
|
COPY --chown=appuser:appuser . .
|
|
|
|
USER appuser
|
|
|
|
# Python tweaks
|
|
ENV PYTHONUNBUFFERED=1
|
|
ENV PYTHONDONTWRITEBYTECODE=1
|
|
|
|
EXPOSE 8000
|
|
|
|
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
|
|
CMD curl -f http://127.0.0.1:8000/health || exit 1
|
|
|
|
CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"]
|