Skip to content

chore: enhance Dockerfile security by adding non-root user and healthcheck#1345

Open
twangodev wants to merge 3 commits into
mainfrom
chore/dockerfile-security
Open

chore: enhance Dockerfile security by adding non-root user and healthcheck#1345
twangodev wants to merge 3 commits into
mainfrom
chore/dockerfile-security

Conversation

@twangodev

@twangodev twangodev commented Dec 11, 2025

Copy link
Copy Markdown
Owner

Summary by CodeRabbit

  • Chores
    • App now runs as a non-root user for improved runtime security.
    • Built assets and runtime files are created/installed with appropriate ownership for that user.
    • Added a periodic HTTP health check and installed a lightweight probe utility to monitor container responsiveness.
    • Increased Node memory limit during build to reduce out-of-memory issues; container still listens on port 3000.

✏️ Tip: You can customize this high-level summary in your review settings.

Copilot AI review requested due to automatic review settings December 11, 2025 08:58
@coderabbitai

coderabbitai Bot commented Dec 11, 2025

Copy link
Copy Markdown
Contributor

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

📝 Walkthrough

Walkthrough

The Dockerfile was modified to run the app as a non-root user (svelte UID/GID 1001), copy build artifacts and node_modules with svelte ownership, install curl, add a curl-based HTTP HEALTHCHECK for http://localhost:3000/, set NODE_OPTIONS for increased max old space size, and keep port 3000 exposed.

Changes

Cohort / File(s) Summary
Docker runtime image
Dockerfile
Creates group and user svelte (GID 1001 / UID 1001); updates COPYs from builder to use --chown=svelte:svelte for build artifacts, node_modules, and package.json; installs curl; sets NODE_OPTIONS to increase max old space size; sets USER svelte; exposes port 3000; adds HEALTHCHECK using curl against http://localhost:3000/ (interval 30s, timeout 3s, start-period 5s).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🐰 In a snug container burrow I tread,
Non-root hops keep the root fears shed.
Curl checks the pulse on port three thousand,
NODE_OPTIONS stretches memory unbounded.
A happy svelte rabbit—light, safe, and well-fed.

Pre-merge checks

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and specifically describes the main changes: adding a non-root user and healthcheck to the Dockerfile for security purposes.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c249502 and ecea52c.

📒 Files selected for processing (1)
  • Dockerfile
🚧 Files skipped from review as they are similar to previous changes (1)
  • Dockerfile
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: build-web
  • GitHub Check: build-web
  • GitHub Check: Ruff Linting (generation)

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR enhances the Dockerfile security by implementing two important improvements: running the Node.js application as a non-root user and adding a health check for container monitoring. While the security intent is solid, there are critical implementation issues that prevent the Dockerfile from building and functioning correctly.

  • Creates a dedicated non-root user (svelte) with UID/GID 1001 to run the application
  • Adds a HEALTHCHECK directive to monitor application availability at 30-second intervals

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread Dockerfile Outdated
Comment thread Dockerfile Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6997d21 and c249502.

📒 Files selected for processing (1)
  • Dockerfile (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: build-web
  • GitHub Check: Agent
🔇 Additional comments (1)
Dockerfile (1)

20-28: ✓ Non-root user and ownership configuration looks good.

The user creation with specific UID/GID values and the proper ownership assignment via --chown flags are correctly implemented and follow Docker security best practices.

Comment thread Dockerfile Outdated
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants