From 322cd3baa25ad350e238bbc276a28ef606a5fec4 Mon Sep 17 00:00:00 2001
From: florian
Date: Mon, 3 Nov 2025 20:54:53 +0100
Subject: [PATCH] Hardened Dockerfile

Switched to multi stage process to harden the Dockerfile
---
 Dockerfile | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index c616a34..c627da7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,15 +1,17 @@
-FROM python:3.12-slim
-
-RUN apt-get update && apt-get install -y git
-
+# Builder stage
+FROM python:3.12-slim AS builder
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends git build-essential \
+ && rm -rf /var/lib/apt/lists/*
+WORKDIR /install
 COPY requirements.txt .
-
-RUN pip install --no-cache-dir -r requirements.txt
-
+RUN pip install --prefix=/install --no-cache-dir -r requirements.txt
 WORKDIR /app
-
 COPY src/ /app/
-ENTRYPOINT ["python","main.py"]
-
-
+# Runtime image
+FROM nvcr.io/nvidia/distroless/python:3.12-v3.5.1
+COPY --from=builder /install /usr/local
+COPY --from=builder /app /app
+WORKDIR /app
+ENTRYPOINT ["python", "main.py"]
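Review bot: The runtime stage has no `USER` directive, so unless `nvcr.io/nvidia/distroless/python:3.12-v3.5.1` already switches to an unprivileged account by default, the "hardened" image still runs `main.py` as root; add a non-root user after the final `WORKDIR /app` (a numeric UID such as `USER 10001` works without an /etc/passwd entry in the base). `WORKDIR /install` followed by `COPY requirements.txt .` drops requirements.txt into the pip prefix, so `COPY --from=builder /install /usr/local` also ships it into the runtime image; use a separate build directory for the manifest, e.g. `WORKDIR /build` before that `COPY`. Whether the runtime interpreter searches `/usr/local/lib/python3.12/site-packages` (where `--prefix=/install` puts the packages) depends on that base image's `sys.path` and should be confirmed, particularly for any extensions compiled with the newly added `build-essential`. The builder packages (`git`, `build-essential`) and both base tags are unpinned (hadolint DL3008/DL3006), which leaves the build non-reproducible.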