ben.carrasco/prowler
1
0
Fork 0
mirror of https://github.com/prowler-cloud/prowler.git synced 2026-04-13 13:28:40 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
db6828ec28d53e7bd98c7efeecd0a7b285cb288e
prowler/mcp_server/Dockerfile
stepsecurity-app[bot] 716c130140 feat(security): security best practices from StepSecurity (#10480) 
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Co-authored-by: stepsecurity-app[bot] <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Co-authored-by: Pepe Fagoaga <pepe@prowler.com>
2026-03-26 13:58:19 +01:00

59 lines
2.4 KiB
Docker
Raw Blame History

# =============================================================================
# Build stage - Install dependencies and build the application
# =============================================================================
FROM ghcr.io/astral-sh/uv:python3.13-alpine@sha256:8f53782bb232ab0b5558f3071e86e2bbfde884e18815f2b19cc57f2d336e9ee2 AS builder
WORKDIR /app
# Performance optimizations for uv:
# UV_COMPILE_BYTECODE=1: Pre-compile Python files to .pyc for faster startup
# UV_LINK_MODE=copy: Use copy instead of symlinks to avoid potential issues
ENV UV_COMPILE_BYTECODE=1 UV_LINK_MODE=copy
# Install dependencies first for better Docker layer caching
# This allows dependency layer to be reused when only source code changes
COPY uv.lock pyproject.toml ./
RUN --mount=type=cache,target=/root/.cache/uv \
uv sync --frozen --no-install-project
# Copy all source code and install the project
# --frozen ensures reproducible builds by using exact versions from uv.lock
COPY . .
RUN --mount=type=cache,target=/root/.cache/uv \
uv sync --frozen
# =============================================================================
# Final stage - Minimal runtime environment
# =============================================================================
FROM python:3.13-alpine@sha256:bb1f2fdb1065c85468775c9d680dcd344f6442a2d1181ef7916b60a623f11d40
LABEL maintainer="https://github.com/prowler-cloud"
# Create non-root user for security
# Using specific UID/GID for consistency across environments
RUN addgroup -g 1001 prowler && \
adduser -D -u 1001 -G prowler prowler
WORKDIR /app
USER prowler
# Copy only the necessary files from builder stage to minimize image size:
# 1. Virtual environment with all dependencies and the installed package
COPY --from=builder --chown=prowler /app/.venv /app/.venv
# 2. Source code needed at runtime (for imports and module resolution)
COPY --from=builder --chown=prowler /app/prowler_mcp_server /app/prowler_mcp_server
# 3. Project metadata file (may be needed by some packages at runtime)
COPY --from=builder --chown=prowler /app/pyproject.toml /app/pyproject.toml
# 4. Entrypoint helper script for selecting runtime mode
COPY --from=builder --chown=prowler /app/entrypoint.sh /app/entrypoint.sh
# Add virtual environment to PATH so prowler-mcp command is available
ENV PATH="/app/.venv/bin:$PATH"
# Entrypoint wrapper defaults to CLI mode; override with `uvicorn` to run ASGI app
ENTRYPOINT ["/app/entrypoint.sh"]
CMD ["main"]
Reference in New Issue View Git Blame Copy Permalink