Bug fixes:
1. CVE notifications now created during scan pipeline (not just hourly)
- Previously, notifications were only created by the scheduled
monitor_cves job. Users with 4 CVE alerts saw 0 notifications.
- Now the scan pipeline (Stage 3) creates notifications immediately
when CVE alerts are discovered, with the same dedup logic.
2. Help chat doc context loading fixed for Docker/production
- Added HELP_DOCS_PATH env var for explicit doc root configuration
- Added fallback chain: env var → binary location → cwd → Docker paths
- Dockerfile.agent now copies README.md and docs/ into /app and sets
HELP_DOCS_PATH=/app so the help chat has doc context in production
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
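The fallback chain from item 2 of the commit message, as an added Rust example rather than the project's own code: `HELP_DOCS_PATH` first, then the running binary's directory, then the working directory, then the Docker path `/app`, with every candidate accepted only if it really contains the `README.md` and `docs/` that Dockerfile.agent copies in. The marker check, the function names and the single Docker path are assumptions.

```rust
use std::env;
use std::path::{Path, PathBuf};

/// A directory counts as the help-docs root only if it carries both the
/// README.md and the docs/ tree. (Assumed marker check, not the project's.)
pub fn looks_like_doc_root(dir: &Path) -> bool {
    dir.join("README.md").is_file() && dir.join("docs").is_dir()
}

/// Candidates in the order the commit describes: env var, binary directory,
/// current working directory, Docker path(s). The env value is configuration,
/// not proof: every candidate is still checked before it is used, so a stale
/// or mistyped HELP_DOCS_PATH falls through instead of serving no docs.
pub fn candidate_roots(
    env_value: Option<&str>,
    exe_dir: Option<PathBuf>,
    cwd: Option<PathBuf>,
    docker_paths: &[&str],
) -> Vec<PathBuf> {
    let mut roots = Vec::new();
    if let Some(p) = env_value.map(str::trim).filter(|s| !s.is_empty()) {
        roots.push(PathBuf::from(p));
    }
    roots.extend(exe_dir);
    roots.extend(cwd);
    roots.extend(docker_paths.iter().map(PathBuf::from));
    roots
}

/// First candidate passing the check, or None when the help chat has no
/// doc context (callers should log that explicitly rather than guess).
pub fn resolve_doc_root(candidates: &[PathBuf], is_root: impl Fn(&Path) -> bool) -> Option<PathBuf> {
    candidates.iter().find(|c| is_root(c.as_path())).cloned()
}

/// Wire the chain to the live process; /app is what Dockerfile.agent sets.
pub fn help_docs_root() -> Option<PathBuf> {
    let env_value = env::var("HELP_DOCS_PATH").ok();
    let exe_dir = env::current_exe().ok().and_then(|p| p.parent().map(Path::to_path_buf));
    let cwd = env::current_dir().ok();
    let candidates = candidate_roots(env_value.as_deref(), exe_dir, cwd, &["/app"]);
    resolve_doc_root(&candidates, looks_like_doc_root)
}

fn main() {
    match help_docs_root() {
        Some(root) => println!("help docs root: {}", root.display()),
        None => eprintln!("no help docs found; set HELP_DOCS_PATH"),
    }
}
```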
47 lines
1.7 KiB
Docker
```dockerfile
FROM rust:1.94-bookworm AS builder

WORKDIR /app
COPY . .
RUN cargo build --release -p compliance-agent

FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y ca-certificates libssl3 git curl python3 python3-pip npm golang-go php-cli && rm -rf /var/lib/apt/lists/*

# Install Cargo (minimal, for cargo metadata / cargo audit / generate-lockfile)
RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal
ENV PATH="/root/.cargo/bin:${PATH}"
RUN cargo install cargo-audit

# Install Composer for PHP dependency resolution
RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer

# Install Bundler for Ruby dependency resolution
RUN apt-get update && apt-get install -y ruby && rm -rf /var/lib/apt/lists/* && gem install bundler

# Install syft for SBOM generation
RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin

# Install gitleaks for secret detection
RUN curl -sSfL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz \
    | tar -xz -C /usr/local/bin gitleaks

# Install semgrep for static analysis
RUN pip3 install --break-system-packages semgrep

# Install ruff for Python linting
RUN pip3 install --break-system-packages ruff

COPY --from=builder /app/target/release/compliance-agent /usr/local/bin/compliance-agent

# Copy documentation for the help chat assistant
COPY --from=builder /app/README.md /app/README.md
COPY --from=builder /app/docs /app/docs
ENV HELP_DOCS_PATH=/app

# Ensure SSH key directory exists
RUN mkdir -p /data/compliance-scanner/ssh

EXPOSE 3001 3002

ENTRYPOINT ["compliance-agent"]
```