Dockerfile: use gcr.io/nginxinc/nginx-unprivileged:1.29.1-alpine3.22 #7

Open
denisPust wants to merge 2 commits into development from vulnarability-fix

Conversation

@denisPust denisPust commented Sep 30, 2025

PR Type

Enhancement, Bug fix


Description

  • Update base image to nginx 1.29.1

  • Switch to upstream nginxinc unprivileged image

  • Target Alpine 3.22 for security fixes

  • Clarify stage as CVE-free in Dockerfile


Diagram Walkthrough

flowchart LR
  A["Dockerfile production stage"] -- "replace base image" --> B["gcr.io/nginxinc/nginx-unprivileged:1.29.1-alpine3.22"]
  A -- "add CVE-free note" --> C["Comment update"]

File Walkthrough

Relevant files (Enhancement):

Dockerfile: Upgrade production stage base image for security (+2/-2)

  • Replace base image with gcr.io/nginxinc/nginx-unprivileged:1.29.1-alpine3.22
  • Update comment to mark stage as CVE-free
  • Keep UID/GID alignment args intact

pull-request-agent bot commented Sep 30, 2025

PR Reviewer Guide 🔍

(Review updated until commit 69e956c)

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 1 🔵⚪⚪⚪⚪
🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Misleading Comment

The comment claims the production stage is "CVE free," which can become inaccurate over time; prefer wording like "base image pinned; monitor for CVEs" to avoid a false sense of security.

# production stage CVE free

Base Image Compatibility

Switching to nginx 1.29.1 on Alpine 3.22 may affect existing configs or modules; verify runtime compatibility with current nginx config and any modules/extensions used.

FROM gcr.io/nginxinc/nginx-unprivileged:1.29.1-alpine3.22 as production-stage

pull-request-agent bot commented Sep 30, 2025

PR Code Suggestions ✨

Latest suggestions up to 69e956c

Explore these optional code suggestions:

Category: Security
Suggestion: Pin base image by digest

Pin the base image by digest to prevent accidental updates and ensure reproducible
builds. This avoids supply chain drift if the tag is retagged upstream.

Dockerfile [36-37]

 # production stage CVE free
-FROM gcr.io/nginxinc/nginx-unprivileged:1.29.1-alpine3.22 as production-stage
+FROM gcr.io/nginxinc/nginx-unprivileged:1.29.1-alpine3.22@sha256:<put-verified-digest-here> as production-stage
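Review bot: the "+FROM" line carries the placeholder "<put-verified-digest-here>" instead of a digest, which is not a valid image reference and will fail to pull, so the real digest must be resolved before this hunk is applied ("docker buildx imagetools inspect gcr.io/nginxinc/nginx-unprivileged:1.29.1-alpine3.22" prints it; take the value from the registry rather than from a locally cached image so the pin matches what CI will pull). Two smaller points on the same lines: the unchanged "# production stage CVE free" context line is only true as of the moment that digest was scanned, so a scan date or report reference beside it would be more accurate than a bare claim; and the lowercase "as production-stage" trips BuildKit's FromAsCasing check, so "AS production-stage" is preferable while the line is being touched anyway.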
Suggestion importance[1-10]: 7


Why: Pinning the base image digest improves supply chain security and build reproducibility without changing functionality; the existing_code matches the new hunk and the improved_code accurately reflects the proposed change.

Impact: Medium

Previous suggestions

Suggestions up to commit 8d47e2d
Category: Possible issue
Suggestion: Pin base image by digest

Pin the image by its immutable digest to prevent unexpected changes from the same
tag causing breaks. Keep the tag for readability alongside the digest.

Dockerfile [37]

-FROM gcr.io/nginxinc/nginx-unprivileged:1.29.1-alpine3.22 as production-stage
+FROM gcr.io/nginxinc/nginx-unprivileged:1.29.1-alpine3.22@sha256:<PUT_IMAGE_DIGEST_HERE> as production-stage
Suggestion importance[1-10]: 7


Why: Pinning the base image by digest improves build reproducibility and supply-chain security without altering behavior; it’s accurate for the updated FROM line and low-risk but not critical.

Impact: Medium
Suggestions up to commit 8d47e2d
Category: Security
Suggestion: Pin base image by digest

Pin the base image by digest to avoid unexpected changes from future tag retags,
which can break builds or introduce vulnerabilities. Use the image's immutable
SHA256 digest along with the tag.

Dockerfile [37]

-FROM gcr.io/nginxinc/nginx-unprivileged:1.29.1-alpine3.22 as production-stage
+FROM gcr.io/nginxinc/nginx-unprivileged:1.29.1-alpine3.22@sha256:<PINNED_DIGEST> as production-stage
Suggestion importance[1-10]: 7


Why: Pinning the base image digest improves supply-chain security and build reproducibility without changing functionality; it's accurate for the updated FROM line and low-risk but not critical.

Impact: Medium
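The digest-pinning suggestion above is the kind of rule a CI check can enforce across every FROM line rather than one reviewer catching it by eye. The following is an added example written for this thread, not code from this PR, the project, or the review bot: a small Python linter that flags base images pinned by tag only, checks that any digest present is a well-formed sha256 value, and rewrites FROM lines once a digest has been obtained (for example from "docker buildx imagetools inspect"). The sample Dockerfile, its node build stage, and the digest values are constructed placeholders; they are not the real digests of the nginx-unprivileged image.

```python
"""Lint Dockerfile FROM lines for digest pinning and rewrite them once a digest is known.

Added example for this review thread, not the project's own code. The sample
Dockerfile and the digest values below are constructed for illustration only.
"""
import re

# FROM [--platform=<p>] <ref> [AS <stage>] [# comment]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)"
    r"(?:\s+AS\s+(?P<stage>\S+))?(?:\s+#.*)?\s*$",
    re.IGNORECASE,
)
# A pinned ref ends in @sha256:<64 lowercase hex chars>
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
SHA256_RE = re.compile(r"sha256:[0-9a-f]{64}")

# Constructed sample: a build stage plus the production stage from this PR.
SAMPLE_DOCKERFILE = """\
FROM node:20-alpine AS build-stage
RUN npm run build

# production stage CVE free
FROM gcr.io/nginxinc/nginx-unprivileged:1.29.1-alpine3.22 as production-stage
COPY --from=build-stage /app/dist /usr/share/nginx/html
"""

# Constructed placeholder digests (NOT the real digests of these images).
FAKE_DIGESTS = {
    "node:20-alpine": "sha256:" + "11" * 32,
    "gcr.io/nginxinc/nginx-unprivileged:1.29.1-alpine3.22": "sha256:" + "22" * 32,
}


def parse_from(line):
    """Return (image_ref, stage_name_or_None) for a FROM line, else None."""
    m = FROM_RE.match(line)
    if m is None:
        return None
    return m.group("ref"), m.group("stage")


def check_dockerfile(text):
    """Return [(line_no, message)] for FROM lines not pinned by a valid digest."""
    findings = []
    stages = set()
    for no, line in enumerate(text.splitlines(), 1):
        parsed = parse_from(line)
        if parsed is None:
            continue
        ref, stage = parsed
        if stage:
            stages.add(stage)
        if ref in stages:
            # "FROM <earlier stage>" refers to a local build stage; nothing to pin.
            continue
        if "@" not in ref:
            findings.append((no, f"{ref}: pinned by tag only, add @sha256:<digest>"))
        elif not DIGEST_RE.search(ref):
            findings.append((no, f"{ref}: digest is not a 64-hex-char sha256 value"))
    return findings


def pin_from_line(line, digest):
    """Append the given digest to the image ref of one FROM line, keeping the tag."""
    if not SHA256_RE.fullmatch(digest):
        raise ValueError("digest must look like sha256:<64 hex chars>")
    parsed = parse_from(line)
    if parsed is None:
        raise ValueError("not a FROM line")
    ref = parsed[0]
    base = ref.split("@", 1)[0]  # drop any existing (possibly malformed) digest
    return line.replace(ref, f"{base}@{digest}", 1)


def pin_dockerfile(text, digests):
    """Pin every FROM line whose tag-form ref has an entry in `digests`."""
    out = []
    for line in text.splitlines():
        parsed = parse_from(line)
        if parsed is not None:
            base = parsed[0].split("@", 1)[0]
            if base in digests:
                line = pin_from_line(line, digests[base])
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for no, msg in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"Dockerfile:{no}: {msg}")
    print(pin_dockerfile(SAMPLE_DOCKERFILE, FAKE_DIGESTS))
```

Run as a pre-merge check, the linter reports both unpinned FROM lines in the sample; after pin_dockerfile is applied with registry-resolved digests it reports nothing. References to an earlier named stage are skipped deliberately, since they point at the local build rather than at a registry image, and a digest that is present but not 64 hex characters is reported rather than silently accepted, which is exactly the state the "<put-verified-digest-here>" placeholder would leave the Dockerfile in.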

@shirilat shirilat closed this Sep 30, 2025
@shirilat shirilat reopened this Sep 30, 2025
pull-request-agent bot: Persistent review updated to latest commit 8d47e2d

pull-request-agent bot: Persistent review updated to latest commit 69e956c
