DevSecOps overhaul #693


Open · wants to merge 14 commits into base branch: development
Conversation

UndyingSoul (Contributor) commented Jun 23, 2025

Huge update to docker images and docker compose files. The main point is greater security and efficiency.

Docker Images:

  • By combining as many commands as I could think of, the number of layers has decreased significantly, thus shrinking the build size.
  • By utilizing multi-stage builds, the final, published size is reduced significantly to be just the size of the final stage.
  • By changing the base image of the backend to alpine, and the frontend to be distroless, the base-image size has been decreased while the security of the image is increased (especially with the distroless container where there's not even a shell installed)
  • Added healthchecking, so the containers return whether or not they're healthy. This isn't part of the OCI standard, but is supported by docker, and ignored otherwise.
  • I also noticed there were some image labels that weren't properly generated, looking at you org.opencontainers.image.created. This has been fixed.
  • Removed frontend startup entrypoint in favor of running the frontend directly, as shells are unavailable in distroless.
  • Instead of running the backend with the root user, I've created an adventurelog with uid 349. If you're wondering the significance of 349: the USA has 154 national forests + 64 national parks + 131 national monuments = 349.
  • All this work results in a new image size that's roughly 1/2 the size of the original (before this merge). Disclaimer: These sizes are approximate, and done while I was still testing.
--- Backend ---
IMAGE                                             SIZE
ghcr.io/seanmorley15/adventurelog-backend:new     536MB
ghcr.io/seanmorley15/adventurelog-backend:latest  1.35GB

--- Frontend ---
IMAGE                                              SIZE
ghcr.io/seanmorley15/adventurelog-frontend:new     233MB
ghcr.io/seanmorley15/adventurelog-frontend:latest  451MB

Docker Compose files

  • Better organization of docker-compose files, increasing simplicity.
  • Modified each compose file to adhere to the OCI standard, which means it'll now work with podman out of the box, and not just docker.
  • Additional documentation in the docker-compose files so it's quicker/easier to configure.
  • Specifying registry in images, so some configurations where the default registry is overridden will still be able to pull the image.

CI/CD GitHub workflows

  • For your security, I recommend reviewing any code that changes your github actions, including this one.
  • Streamlined the build process to include more variables in the image labels, and condensing steps for setting environment variables.
  • Made the docker build command much more readable/maintainable.
  • Using GITHUB_OUTPUT instead of GITHUB_ENV for a bit better dynamic usability.
  • Added BUILD_DATE and GIT_SHA labels for quick reference.

Quality of Life Changes and refactors

  • Normalized the usage of PG_USER and POSTGRES_USER and similar environment variables
  • Normalized the suggested defaults of the POSTGRES_USER and POSTGRES_DB environment variables to both be 'adventurelog'

TODO

  • Refactor configure_environment() in install_adventurelog.sh to account for updated docker-compose file. Providing options for environment file, or just using sed to edit the docker-compose file directly.
  • Refactor the backend so that we can make it more secure by getting secrets from a file such as the SECRET_KEY and POSTGRES_DB. could do this in the entrypoint.sh script.
  • Check the kustomization.yml to make sure it's actually correct.
  • Would like to get container vulnerability scanning as part of the pipeline. Edit: Seems to already be part of this repo, nice.
  • Would like to publish at least an initial trivy scan of these newer containers to ensure all the risks have been addressed/mitigated. Edit: Seems to already be part of this repo, nice.
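As an added illustration of the image changes described in this PR (multi-stage build, Alpine base, a single consolidated RUN per stage, a dedicated non-root user with uid 349, a HEALTHCHECK, and OCI labels populated from build args such as BUILD_DATE and GIT_SHA), here is a hypothetical Dockerfile. It is not the project's Dockerfile and not the contributor's code: the Python/gunicorn stack, the `app.wsgi` module, the `/healthz/` endpoint, port 8000, `requirements.txt` and the placeholder source URL are all assumptions made for the example.

```dockerfile
# syntax=docker/dockerfile:1
# Hypothetical multi-stage image for a Python backend (illustrative; not the project's Dockerfile).

# Stage 1: build wheels here so compilers and headers never reach the runtime image.
FROM python:3.12-alpine AS builder
WORKDIR /build
# One RUN keeps the toolchain in a single layer; the whole stage is discarded anyway.
RUN apk add --no-cache build-base postgresql-dev \
 && python -m pip install --no-cache-dir --upgrade pip
COPY requirements.txt .
RUN pip wheel --no-cache-dir --wheel-dir /wheels -r requirements.txt

# Stage 2: minimal runtime. Only the built wheels and the application source are copied in,
# so the published image is just the size of this stage.
FROM python:3.12-alpine AS runtime
ARG BUILD_DATE
ARG GIT_SHA
ARG VERSION=dev
# Labels are filled from build args so org.opencontainers.image.created is actually set.
LABEL org.opencontainers.image.created="${BUILD_DATE}" \
      org.opencontainers.image.revision="${GIT_SHA}" \
      org.opencontainers.image.version="${VERSION}" \
      org.opencontainers.image.source="https://example.invalid/placeholder-repo"

WORKDIR /app
# Runtime deps only (libpq for the Postgres driver, curl for the healthcheck), plus a
# dedicated system user. uid/gid 349 mirrors the value chosen in the PR description.
RUN apk add --no-cache libpq curl \
 && addgroup -g 349 -S adventurelog \
 && adduser -u 349 -S -G adventurelog -h /app adventurelog

COPY --from=builder /wheels /wheels
RUN pip install --no-cache-dir /wheels/* && rm -rf /wheels
COPY --chown=adventurelog:adventurelog . .

# Everything after this line, including the container process, runs unprivileged.
USER adventurelog
EXPOSE 8000
# Docker honours HEALTHCHECK; runtimes that implement only the OCI image spec ignore it.
HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 \
  CMD curl -fsS http://127.0.0.1:8000/healthz/ || exit 1
CMD ["gunicorn", "--bind", "0.0.0.0:8000", "app.wsgi:application"]
```

Build it with the labels supplied from the CI environment, for example `docker build --build-arg BUILD_DATE="$(date -u +%Y-%m-%dT%H:%M:%SZ)" --build-arg GIT_SHA="$(git rev-parse HEAD)" -t backend:local .`, and confirm the result with `docker inspect backend:local --format '{{.Config.User}} {{index .Config.Labels "org.opencontainers.image.created"}}'`, which should print `adventurelog` and the timestamp rather than an empty string. Two caveats worth keeping in mind: the `pip install` step deliberately runs before `USER` so site-packages stay root-owned and read-only to the application user, and the shell-form `curl` healthcheck above only works because Alpine ships a shell; for a distroless frontend like the one this PR introduces there is no `/bin/sh` or `curl`, so a HEALTHCHECK there has to use the exec form and the runtime binary itself (for Node, something like `CMD ["node", "-e", "..."]`), or be left to the orchestrator's own probes.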

seanmorley15 and others added 8 commits June 16, 2025 18:19
fix(integration): update image entry retrieval to handle multiple col…
Fixed frontend returning corrupt binary data
fix(adventure): add collection ID to adventure when creating a new ad…
feat: add CollectionAllView component for unified display of adventur…
Date and Timezone fixes (lots of them!!)
organized docker-compose files
updated pipelines to fix created date
using nonroot user in runtime environment
synced .env.example and docker compose file
normalized usage of PG variables

vercel bot commented Jun 23, 2025

The latest updates on your projects:

Name: adventurelog | Status: ✅ Ready | Updated (UTC): Jul 21, 2025 4:10am

@seanmorley15 seanmorley15 changed the base branch from main to development June 23, 2025 12:44