Commit 7be72e4
fix: upgrade OS packages in runtime stage to pick up Alpine security patches (#17)
The runtime stage only installed packages with `apk add --no-cache` and never
ran `apk upgrade`, so already-present base-image packages were patched only when
the Alpine base tag was bumped (via Renovate). Between bumps the shipped image
could carry OS packages with known CVEs even though fixed versions were already
available in the Alpine repository, surfacing as Trivy HIGH/CRITICAL findings.
Add `apk upgrade --no-cache` to the runtime stage so the final image picks up
Alpine security patches at build time. The builder stages are throwaway and do
not affect the shipped image's CVE surface, so they are left unchanged.
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>1 parent cca31e6 commit 7be72e4
2 files changed
Lines changed: 3 additions & 2 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
69 | 69 | | |
70 | 70 | | |
71 | 71 | | |
72 | | - | |
| 72 | + | |
73 | 73 | | |
74 | 74 | | |
75 | 75 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
69 | 69 | | |
70 | 70 | | |
71 | 71 | | |
72 | | - | |
| 72 | + | |
| 73 | + | |
73 | 74 | | |
74 | 75 | | |
75 | 76 | | |
| |||
0 commit comments