ci: satisfy trivy dockerfile checks

Run runtime images as the built-in non-root .NET app user and install Web runtime OS dependencies with --no-install-recommends.
2026-05-12 12:31:20 +03:00
parent 105a051c2f
commit e3fdac15b5
2 changed files with 4 additions and 1 deletions
@@ -33,5 +33,7 @@ WORKDIR /app
 # Копируем только AOT-результаты из билда
 COPY --from=build /app/publish .

+USER $APP_UID
+
 # Запуск скомпилированного AOT бинарного файла напрямую
 ENTRYPOINT ["./GmRelay.Bot"]
@@ -18,8 +18,9 @@ RUN dotnet publish "GmRelay.Web.csproj" -c Release -o /app/publish /p:UseAppHost
 # Stage 2: Runtime
 FROM mcr.microsoft.com/dotnet/aspnet:10.0-noble AS final
 WORKDIR /app
-RUN apt-get update && apt-get install -y libgssapi-krb5-2 && rm -rf /var/lib/apt/lists/*
+RUN apt-get update && apt-get install -y --no-install-recommends libgssapi-krb5-2 && rm -rf /var/lib/apt/lists/*
 COPY --from=build /app/publish .
 ENV ASPNETCORE_URLS=http://+:8080
 EXPOSE 8080
+USER $APP_UID
 ENTRYPOINT ["dotnet", "GmRelay.Web.dll"]