From be812ec3ad6059afd63ec383e23e9845364fa03f Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 2 Oct 2025 13:55:23 +0000
Subject: [PATCH 1/4] Initial plan

From e44919607736c38d8ae6820be9f3eaddf26d3d3e Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 2 Oct 2025 14:05:42 +0000
Subject: [PATCH 2/4] Add security updates to nginx:mainline-alpine-slim base image

Co-authored-by: tarlepp <595561+tarlepp@users.noreply.github.com>
---
 Dockerfile | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 1731d4de..1a493a45 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -105,6 +105,9 @@ RUN yarn build-prod
 # Stage 4: Production
 FROM nginx:mainline-alpine-slim AS production
 
+# Install security updates
+RUN apk upgrade --no-cache
+
 # Copy nginx configuration and build application inside the final container
 COPY --from=builder /app/docker/nginx.conf /etc/nginx/conf.d/default.conf
 COPY --from=builder /app/dist/angular-frontend /usr/share/nginx/html

From cc1c8167220724ea336a9fc69353f10cb3fd53ae Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 2 Oct 2025 14:16:57 +0000
Subject: [PATCH 3/4] Update Alpine security updates to include apk update and --available flag

Co-authored-by: tarlepp <595561+tarlepp@users.noreply.github.com>
---
 Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 1a493a45..2128e37c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -106,7 +106,8 @@ RUN yarn build-prod
 FROM nginx:mainline-alpine-slim AS production
 
 # Install security updates
-RUN apk upgrade --no-cache
+RUN apk update \
+ && apk upgrade --no-cache --available
 
 # Copy nginx configuration and build application inside the final container
 COPY --from=builder /app/docker/nginx.conf /etc/nginx/conf.d/default.conf
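Review bot: The `RUN apk upgrade --no-cache` added under `FROM nginx:mainline-alpine-slim` in patch 2/4 only picks up fixes when that layer is actually re-executed; Docker's build cache reuses it for as long as the base image digest and the instruction text are unchanged, so an ordinary rebuild can keep shipping the same packages. The same applies to the `apk update && apk upgrade` form in patch 3/4 and to the `apt-get`/`debsecan` step in patch 4/4. I would document this above the step, for example `# Only effective when the image is rebuilt with --pull --no-cache on a schedule`, and have the CI job build that way. The production stage continues past the end of the hunk.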
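Review bot: The separate `apk update` added in patch 3/4 is redundant and leaves index files in the layer, because `--no-cache` on the `apk upgrade` already fetches a fresh index without storing it while `apk update` writes one under /var/cache/apk. `--available` is the riskier addition: it resets installed packages to whatever the configured repositories offer, so if the base image installed its nginx packages from a repository that is not listed in /etc/apk/repositories (worth confirming for this image), the upgrade may swap them for a different build. Unless a specific failure required these flags, I would keep the single line `RUN apk upgrade --no-cache`.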
From 3d4f871d25bab1bd1cc1c8eaedf26a26f077d8eb Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 4 Nov 2025 17:32:13 +0000
Subject: [PATCH 4/4] Switch to Debian-based nginx:1.29.1-bookworm with debscan for security updates

Co-authored-by: tarlepp <595561+tarlepp@users.noreply.github.com>
---
 Dockerfile | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 2128e37c..d2ab0032 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -103,11 +103,15 @@ COPY . .
 RUN yarn build-prod
 
 # Stage 4: Production
-FROM nginx:mainline-alpine-slim AS production
+FROM nginx:1.29.1-bookworm AS production
 
 # Install security updates
-RUN apk update \
- && apk upgrade --no-cache --available
+RUN apt-get update \
+ && apt-get install -y \
+ debsecan \
+ && apt-get install --no-install-recommends -y \
+ $(debsecan --suite bookworm --format packages --only-fixed) \
+ && rm -rf /var/lib/apt/lists/*
 
 # Copy nginx configuration and build application inside the final container
 COPY --from=builder /app/docker/nginx.conf /etc/nginx/conf.d/default.conf
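Review bot: A failed `debsecan` run goes unnoticed in the new `RUN` step: the exit status of `$(debsecan …)` is discarded and `apt-get install` with an empty package list exits 0, so the stage can build without the fixes it is meant to apply. The first `apt-get install -y debsecan` also omits `--no-install-recommends`, which pulls debsecan's recommended packages into the production image, and debsecan with its Python dependency is never removed afterwards. I would capture the package list in a variable inside the `&&` chain so that a failure stops the build, and purge the tool in the same layer, as sketched below. The production stage continues past the end of the hunk.

```dockerfile
FROM nginx:1.29.1-bookworm AS production

# Install security updates; the build fails if debsecan cannot produce its list
RUN apt-get update \
    && apt-get install --no-install-recommends -y debsecan \
    && fixed="$(debsecan --suite bookworm --format packages --only-fixed)" \
    # $fixed is left unquoted on purpose: one package name per word
    && if [ -n "$fixed" ]; then apt-get install --no-install-recommends -y $fixed; fi \
    && apt-get purge -y --auto-remove debsecan \
    && rm -rf /var/lib/apt/lists/*
# … unchanged: COPY of nginx.conf and the built frontend …
```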