DevSecOps overhaul

[UndyingSoul]

Huge update to docker images and docker compose files. The main point is greater security and efficiency.

Docker Images:

• By combining as many commands as I could think of, the number of layers have decreased significantly, thus, shrinking the build size.
• By utilizing multi-stage builds, the final, published size is reduced significantly to be just the size of the final stage.
• By changing the base image of the backend to alpine, and the frontend to be distroless, the base-image size has been decreased while the security of the image is increased (especially with the distroless container where there's not even a shell installed)
• Added healthchecking, so the containers return whether or not they're healthy. This isn't part of the OCI standard, but is supported by docker, and ignored otherwise.
• I also noticed there was some image labels that weren't properly generated, looking at you org.opencontainers.image.created. This has been fixed.
• Removed frontend startup entrypoint in favor of running the frontend directly, as shells are unavailable in distroless.
• Instead of running the backend with the root user, I've created an adventurelog with uid 349. If you're wondering the significance of 349. the USA has 154 national forests + 64 national parks +131 national monuments = 349.
• All this work results in a new image size that's roughly 1/2 the size of the original (before this merge). Disclaimer: These sizes are approximate, and done while I was still testing.

--- Backend ---
IMAGE                                             SIZE
ghcr.io/seanmorley15/adventurelog-backend:new     536MB
ghcr.io/seanmorley15/adventurelog-backend:latest  1.35GB

--- Frontend ---
IMAGE                                              SIZE
ghcr.io/seanmorley15/adventurelog-frontend:new     233MB
ghcr.io/seanmorley15/adventurelog-frontend:latest  451MB

Docker Compose files

• Better organization docker-compose files, increasing simplicity.
• Modified each compose file to adhere to the OCI standard, which means it'll now work with podman out of the box, and not just docker.
• Additional documentation in the docker-compose files so it's quicker/easier to configure.
• Specifying registry in images, so some configurations where the default registry is overridden will still be able to pull the image.

CI/CD GitHub workflows

• For your security, I recommend reviewing any code that changes your github actions, including this one.
• Streamlined the build process to include more variables in the image labels, and condensing steps for setting environment variables.
• Made the docker build command much more readable/maintainable.
• Using GITHUB_OUTPUT instead of GITHUB_ENV for a bit better dynamic usability.
• Added BUILD_DATE and GIT_SHA labels for quick reference.

Quality of Life Changes and refactors

• Normalized the usage of PG_USER and POSTGRES_USER and similar environment variables
• Normalized the suggested defaults of the POSTGRES_USER and POSTGRES_DB environment variables to both be 'adventurelog'

TODO

• Refactor configure_environment() in install_adventurelog.sh to account for updated docker-compose file. Providing options for environment file, or just using sed to edit the docker-compose file directly.
• Refactor the backend so that we can make it more secure by getting secrets from a file such as the SECRET_KEY and POSTGRES_DB. could do this in the entrypoint.sh script.
• Check the kustomization.yml to make sure it's actually correct.
• Would like to get container vulnerability scanning part of the pipeline Edit: Seems to already bee part of this repo, nice.
• Would like to publish at least an initial trivy scan of thse newer containers to ensure all the risks have been addressed/mitigated. Edit: Seems to already bee part of this repo, nice.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
adventurelog	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jul 21, 2025 4:10am