Conversation

@Copilot Copilot AI commented Oct 2, 2025

Overview

This PR adds security update installation to the nginx:mainline-alpine-slim base image used in the production stage of the Dockerfile.

Changes

Added commands to update the package index and upgrade all packages after the FROM nginx:mainline-alpine-slim AS production statement to ensure all available security updates are installed during the Docker image build process.

# Stage 4: Production
FROM nginx:mainline-alpine-slim AS production

# Install security updates
RUN apk update \
    && apk upgrade --no-cache --available

# Copy nginx configuration and build application inside the final container
COPY --from=builder /app/docker/nginx.conf /etc/nginx/conf.d/default.conf
COPY --from=builder /app/dist/angular-frontend /usr/share/nginx/html

Why This Change

  • Security: Ensures the production image includes the latest security patches for all installed Alpine packages
  • Best Practice: Following Docker and Alpine Linux best practices for maintaining secure container images
  • Minimal Impact: The --no-cache flag prevents caching the package index, keeping the final image size minimal while ensuring fresh package information is fetched during each build

Technical Details

  • Package Manager: Alpine Linux uses apk as its package manager
  • Commands:
    • apk update refreshes the package index to get the latest package information
    • apk upgrade --no-cache --available updates all installed packages to their latest available versions
  • Flags:
    • --no-cache prevents storing the package index locally, reducing image size
    • --available ensures packages are upgraded to the latest versions available in the repository
  • Placement: The commands are executed immediately after the base image is pulled, following standard security hardening practices

Note on Alpine Security Updates: Alpine Linux does not have a direct equivalent to Debian's debsecan tool for selective security-only updates. The apk upgrade --available command is the recommended approach for applying security updates in Alpine-based containers, as it ensures all packages are updated to their latest versions, which include security patches.

This change ensures that any security vulnerabilities present in the base nginx:mainline-alpine-slim image packages are patched during the build process.

Original prompt

On Dockerfile, install possible security updates to nginx:mainline-alpine-slim base image on Dockerfile



Co-authored-by: tarlepp <595561+tarlepp@users.noreply.github.com>
@Copilot Copilot AI changed the title [WIP] install possible security updates to nginx:mainline-alpine-slim base image on Dockerfile Install security updates to nginx:mainline-alpine-slim base image in Dockerfile Oct 2, 2025
@Copilot Copilot AI requested a review from tarlepp October 2, 2025 14:07
Copilot finished work on behalf of tarlepp October 2, 2025 14:07
@tarlepp
Owner

tarlepp commented Oct 2, 2025

@copilot - could we use debsecan so that we only upgrade those packages that have security issues? I've done that on another repository like:

# Install security updates
RUN apt-get update \
    && apt-get install -y \
        debsecan \
    && apt-get install --no-install-recommends -y \
        $(debsecan --suite bookworm --format packages --only-fixed) \
    && rm -rf /var/lib/apt/lists/*

But that won't work within this repository, so give it a try.

…flag

Co-authored-by: tarlepp <595561+tarlepp@users.noreply.github.com>
Author

Copilot AI commented Oct 2, 2025

@copilot - could we use debsecan so that we only upgrade those packages that have security issues? I've done that on another repository like:

# Install security updates

...

Alpine Linux doesn't have a direct equivalent to debsecan for selective security updates. The standard approach for Alpine is apk upgrade --available, which upgrades all packages to their latest versions.

I've updated the command to include apk update before the upgrade and added the --available flag for more comprehensive updates in commit cc1c816.

The current implementation:

RUN apk update \
    && apk upgrade --no-cache --available

This is the recommended best practice for security updates in Alpine-based containers, as Alpine doesn't provide package-level security advisory filtering like Debian's debsecan.

Copilot finished work on behalf of tarlepp October 2, 2025 14:18
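Since Alpine offers no debsecan-style filter, the closest a maintainer gets to the selective visibility asked for above is to look at what apk would actually change. The helper below is an added example, not code from this PR or the repository: it parses the output of apk upgrade --simulate --available (assumed here to be the apk-tools v2 "(n/m) Upgrading pkg (old -> new)" line format), lists the packages the RUN apk upgrade layer would touch, and gives CI a check that a built image has nothing left pending. The sample apk output is constructed, not captured from a real image.

```shell
#!/bin/sh
# Added example (not from the PR): inspect what `apk upgrade --available`
# would change in an Alpine-based image, and fail a CI step when a built
# image still has upgradable packages.
# Assumption: apk-tools prints one "(n/m) Upgrading name (old -> new)" line
# per package in simulate mode. Only "Upgrading" lines are matched; lines for
# newly installed or replaced packages are deliberately ignored.

# Constructed sample of `apk upgrade --simulate --available` output.
# Package names and versions are illustrative only.
SAMPLE_APK_SIMULATE='fetch https://dl-cdn.alpinelinux.org/alpine/v3.20/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.20/community/x86_64/APKINDEX.tar.gz
(1/3) Upgrading libcrypto3 (3.3.1-r0 -> 3.3.2-r0)
(2/3) Upgrading libssl3 (3.3.1-r0 -> 3.3.2-r0)
(3/3) Upgrading busybox (1.36.1-r28 -> 1.36.1-r29)
OK: 9 MiB in 28 packages'

# pending_upgrades: read simulate output on stdin and print one
# "name old-version new-version" line per package that would be upgraded.
pending_upgrades() {
    sed -n 's#^([0-9]*/[0-9]*) Upgrading \([^ ]*\) (\([^ ]*\) -> \([^)]*\))$#\1 \2 \3#p'
}

# count_pending: number of packages the upgrade would change (0 when none).
count_pending() {
    pending_upgrades | wc -l | tr -d ' '
}

# assert_fully_patched: return non-zero and list the packages on stderr when
# the simulate output shows pending upgrades; return 0 when the image is
# fully patched. Intended for a post-build check such as
#   docker run --rm IMAGE sh -c 'apk update -q && apk upgrade --simulate --available' \
#       | assert_fully_patched
# where IMAGE is a placeholder for the image under test.
assert_fully_patched() {
    list=$(pending_upgrades)
    if [ -n "$list" ]; then
        printf 'pending upgrades in image:\n%s\n' "$list" >&2
        return 1
    fi
    return 0
}

# Stand-alone demonstration on the constructed sample.
if [ "${DEMO:-1}" = "1" ]; then
    printf '%s\n' "$SAMPLE_APK_SIMULATE" | pending_upgrades
    printf 'packages pending: %s\n' "$(printf '%s\n' "$SAMPLE_APK_SIMULATE" | count_pending)"
fi
```

Running the simulate step before the real upgrade (or logging its output in the build) records exactly which packages each rebuild changed, which is the audit trail a security-only upgrade would otherwise give; running assert_fully_patched against the finished image catches a base image that has drifted behind its repository between builds.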