by czbond
276 days ago
I have come to use a multi-stage Docker build. One to install dependencies and build whatever it is. I then might have a second clean Docker image where the dependencies are copied to and run. This helps with localized risk, and some production risk - but not all of it. NPM packages have become a huge nuisance security-wise.

Another huge pet peeve of mine is how hard it is to have a good container pipeline to build containers without running root - we tried some of the alternatives but they all had drawbacks - easiest is to just use GitHub Ubuntu images and hope for the best (although I recently saw some improvement in this area we want to investigate).
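The layout the comment describes, written out as an added example (this is not czbond's Dockerfile or any project's own). It assumes a Node.js service built on the official `node:20-alpine` image, a `package.json` with a `build` script that writes to `dist/`, an entry point at `dist/server.js`, and port 3000; all of those are assumptions for illustration. The build stage holds the toolchain and registry access; the runtime stage receives only the pruned artifacts and runs as the image's unprivileged `node` user.

```dockerfile
# syntax=docker/dockerfile:1
# ---- Stage 1: build -------------------------------------------------------
# This stage has the full toolchain and npm registry access. Nothing here
# except the copied artifacts reaches the final image.
FROM node:20-alpine AS build
WORKDIR /app

# Copy the manifests first so the dependency layer is cached independently
# of source changes.
COPY package.json package-lock.json ./

# `npm ci` installs exactly what the lockfile pins and fails if package.json
# and the lockfile disagree. `--ignore-scripts` refuses to run package
# lifecycle scripts (preinstall/postinstall), which is the hook a malicious
# dependency uses to execute code during the build. Caveat: packages that
# legitimately need a postinstall (native addons) will not work with this
# flag and must be handled explicitly.
RUN npm ci --ignore-scripts

# Keep a .dockerignore with node_modules, .git and secrets so `COPY . .`
# does not pull host artifacts into the build context.
COPY . .
RUN npm run build              # assumed: writes the app to /app/dist

# Drop devDependencies so only runtime packages move to the final image.
RUN npm prune --omit=dev

# ---- Stage 2: runtime -----------------------------------------------------
# Clean base: no npm cache, no source tree, no build tools, no registry
# credentials. Only what is copied from the build stage is present.
FROM node:20-alpine
WORKDIR /app
ENV NODE_ENV=production

# The official node image ships an unprivileged `node` user (uid 1000).
# --chown gives the process ownership of only the files it needs.
COPY --from=build --chown=node:node /app/node_modules ./node_modules
COPY --from=build --chown=node:node /app/dist         ./dist
COPY --from=build --chown=node:node /app/package.json ./

# Run the service as the non-root user; nothing in this stage installs
# packages, so it needs no write access to node_modules.
USER node
EXPOSE 3000
CMD ["node", "dist/server.js"]
```

Build with `docker build -t app .` and check the runtime identity with `docker run --rm app id`, which should report uid 1000 rather than root. Note that `USER node` only governs the process inside the running container; the build steps themselves still execute under whatever privileges the builder has, which is the second problem the comment raises. Docker's rootless mode (`dockerd-rootless-setuptool.sh`) and BuildKit are the upstream answers to that, with the trade-offs the commenter alludes to.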