veza/veza-backend-api/Dockerfile

# Build stage
FROM golang:1.24-alpine AS builder

WORKDIR /app

# Install build dependencies
RUN apk add --no-cache git ca-certificates tzdata

# Copy go mod files first for better caching
COPY go.mod go.sum ./

# Download dependencies (this layer will be cached if go.mod/go.sum don't change)
RUN go mod download

# Copy source code
COPY . .

# Build the application
# Using CGO_ENABLED=0 for static binary and smaller size
# Using -ldflags to reduce binary size
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \
    -a -installsuffix cgo \
    -ldflags="-w -s" \
    -o veza-api \
    ./cmd/api/main.go

# Runtime stage
FROM alpine:3.21

# Install runtime dependencies (clamav for virus scanning in v0.101)
RUN apk --no-cache add ca-certificates tzdata wget clamav

# Create non-root user for security
RUN addgroup -g 1001 -S app && \
    adduser -S app -u 1001 -G app

# Create app directory
WORKDIR /app

# Copy binary from builder
COPY --from=builder /app/veza-api /app/veza-api

# Copy docs directory if it exists (generated by swaggo)
COPY --from=builder /app/docs /app/docs

# Copy migrations if they exist
COPY --from=builder /app/migrations /app/migrations

# Change ownership to non-root user
RUN chown -R app:app /app

# Switch to non-root user
USER app

# Expose port
EXPOSE 18080

# Health check
# P3.2: Use /api/v1/health endpoint created in P1.6
HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
    CMD wget --no-verbose --tries=1 --spider http://localhost:18080/api/v1/health || exit 1

# Run the application
CMD ["./veza-api"]
adding initial backend API (Go) 2025-12-03 19:29:37 +00:00			`# Build stage`
release(v0.903): Vault - ORDER BY whitelist, rate limiter, VERSION sync, chat-server cleanup, Go 1.24 - ORDER BY dynamiques : whitelist explicite, fallback created_at DESC - Login/register soumis au rate limiter global - VERSION sync + check CI - Nettoyage références veza-chat-server - Go 1.24 partout (Dockerfile, workflows) - TODO/FIXME/HACK convertis en issues ou résolus 2026-02-27 08:43:25 +00:00			`FROM golang:1.24-alpine AS builder`
adding initial backend API (Go) 2025-12-03 19:29:37 +00:00
			`WORKDIR /app`

			`# Install build dependencies`
			`RUN apk add --no-cache git ca-certificates tzdata`

			`# Copy go mod files first for better caching`
			`COPY go.mod go.sum ./`

			`# Download dependencies (this layer will be cached if go.mod/go.sum don't change)`
			`RUN go mod download`

			`# Copy source code`
			`COPY . .`

			`# Build the application`
			`# Using CGO_ENABLED=0 for static binary and smaller size`
			`# Using -ldflags to reduce binary size`
			`RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \`
			`-a -installsuffix cgo \`
			`-ldflags="-w -s" \`
			`-o veza-api \`
			`./cmd/api/main.go`

			`# Runtime stage`
fix(v0.12.6): apply all pentest remediations — 36 findings across 36 files CRITICAL fixes: - Race condition (TOCTOU) in payout/refund with SELECT FOR UPDATE (CRITICAL-001/002) - IDOR on analytics endpoint — ownership check enforced (CRITICAL-003) - CSWSH on all WebSocket endpoints — origin whitelist (CRITICAL-004) - Mass assignment on user self-update — strip privileged fields (CRITICAL-005) HIGH fixes: - Path traversal in marketplace upload — UUID filenames (HIGH-001) - IP spoofing — use Gin trusted proxy c.ClientIP() (HIGH-002) - Popularity metrics (followers, likes) set to json:"-" (HIGH-003) - bcrypt cost hardened to 12 everywhere (HIGH-004) - Refresh token lock made mandatory (HIGH-005) - Stream token replay prevention with access_count (HIGH-006) - Subscription trial race condition fixed (HIGH-007) - License download expiration check (HIGH-008) - Webhook amount validation (HIGH-009) - pprof endpoint removed from production (HIGH-010) MEDIUM fixes: - WebSocket message size limit 64KB (MEDIUM-010) - HSTS header in nginx production (MEDIUM-001) - CORS origin restricted in nginx-rtmp (MEDIUM-002) - Docker alpine pinned to 3.21 (MEDIUM-003/004) - Redis authentication enforced (MEDIUM-005) - GDPR account deletion expanded (MEDIUM-006) - .gitignore hardened (MEDIUM-007) LOW/INFO fixes: - GitHub Actions SHA pinning on all workflows (LOW-001) - .env.example security documentation (INFO-001) - Production CORS set to HTTPS (LOW-002) All tests pass. Go and Rust compile clean. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-13 23:44:46 +00:00			`FROM alpine:3.21`
adding initial backend API (Go) 2025-12-03 19:29:37 +00:00
chore(infra): add ClamAV to docker-compose for v0.101 2026-02-18 11:03:14 +00:00			`# Install runtime dependencies (clamav for virus scanning in v0.101)`
			`RUN apk --no-cache add ca-certificates tzdata wget clamav`
adding initial backend API (Go) 2025-12-03 19:29:37 +00:00
			`# Create non-root user for security`
			`RUN addgroup -g 1001 -S app && \`
			`adduser -S app -u 1001 -G app`

			`# Create app directory`
			`WORKDIR /app`

			`# Copy binary from builder`
			`COPY --from=builder /app/veza-api /app/veza-api`

			`# Copy docs directory if it exists (generated by swaggo)`
			`COPY --from=builder /app/docs /app/docs`

			`# Copy migrations if they exist`
			`COPY --from=builder /app/migrations /app/migrations`

			`# Change ownership to non-root user`
			`RUN chown -R app:app /app`

			`# Switch to non-root user`
			`USER app`

			`# Expose port`
feat: backend, stream server & infra improvements Backend (Go): - Config: CORS, RabbitMQ, rate limit, main config updates - Routes: core, distribution, tracks routing changes - Middleware: rate limiter, endpoint limiter, response cache hardening - Handlers: distribution, search handler fixes - Workers: job worker improvements - Upload validator and logging config additions - New migrations: products, orders, performance indexes - Seed tooling and data Stream Server (Rust): - Audio processing, config, routes, simple stream server updates - Dockerfile improvements Infrastructure: - docker-compose.yml updates - nginx-rtmp config changes - Makefile improvements (config, dev, high, infra) - Root package.json and lock file updates - .env.example updates Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-18 10:36:06 +00:00			`EXPOSE 18080`
adding initial backend API (Go) 2025-12-03 19:29:37 +00:00
			`# Health check`
fix(docker): update healthcheck to use /api/v1/health endpoint Updated Docker healthcheck to use the correct /api/v1/health endpoint created in P1.6 instead of the old /health endpoint. Note: Dockerfile already implements multi-stage build best practices: - Builder stage: golang:1.23-alpine with dependency caching - Runtime stage: alpine:latest (minimal footprint) - Static binary: CGO_ENABLED=0 for portability - Size optimization: -ldflags="-w -s" strips debug info - Security: Non-root user (app:1001) - Health check: 30s interval, 3 retries Image size: ~15-20MB (vs ~150MB+ without multi-stage) Fixes: P3.2 from audit AUDIT_TEMP_29_01_2026.md 2026-01-29 22:32:58 +00:00			`# P3.2: Use /api/v1/health endpoint created in P1.6`
adding initial backend API (Go) 2025-12-03 19:29:37 +00:00			`HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \`
feat: backend, stream server & infra improvements Backend (Go): - Config: CORS, RabbitMQ, rate limit, main config updates - Routes: core, distribution, tracks routing changes - Middleware: rate limiter, endpoint limiter, response cache hardening - Handlers: distribution, search handler fixes - Workers: job worker improvements - Upload validator and logging config additions - New migrations: products, orders, performance indexes - Seed tooling and data Stream Server (Rust): - Audio processing, config, routes, simple stream server updates - Dockerfile improvements Infrastructure: - docker-compose.yml updates - nginx-rtmp config changes - Makefile improvements (config, dev, high, infra) - Root package.json and lock file updates - .env.example updates Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-18 10:36:06 +00:00			`CMD wget --no-verbose --tries=1 --spider http://localhost:18080/api/v1/health \|\| exit 1`
adding initial backend API (Go) 2025-12-03 19:29:37 +00:00
			`# Run the application`
			`CMD ["./veza-api"]`