Hardening (#30)

* set build-argument for environment

* hardening remove dangerous commands

* add hardening scripts for base and final image

app/Dockerfile

@@ -7,8 +7,11 @@ ARG GID=1000
 FROM python:3.12-alpine AS base
 USER root
 
+COPY --chmod=0700 ./hardening_base.sh .
 RUN apk upgrade --no-cache && \
-    apk add --no-cache su-exec	
+    apk add --no-cache su-exec	&& \
+    ./hardening_base.sh && \
+    rm ./hardening_base.sh
 
 #
 # second stage for building wheels packages
@@ -29,29 +32,32 @@ ARG VERSION
 ARG UID
 ARG GID
 ARG LOG_LVL
+ARG environment
 
 ENV VERSION=$VERSION
 ENV SERVICE_NAME=$SERVICE_NAME
 ENV UID=$UID
 ENV GID=$GID 
 ENV LOG_LVL=$LOG_LVL
+ENV HOME=/home/$SERVICE_NAME
 
     
 # set the working directory in the container
 WORKDIR /home/$SERVICE_NAME
 
-# update PATH environment variable
-ENV HOME=/home/$SERVICE_NAME
-
 VOLUME ["/home/$SERVICE_NAME/log", "/home/$SERVICE_NAME/config"]
 
 # install the requirements from the wheels packages from the builder stage 
 # and unistall python packages and alpine package manger to reduce attack surface
 COPY --from=builder /root/wheels /root/wheels
+COPY --chmod=0700 ./hardening_final.sh .
 RUN python -m pip install --no-cache --no-index /root/wheels/* && \
     rm -rf /root/wheels && \
     python -m pip uninstall --yes setuptools wheel pip && \
-    apk --purge del apk-tools
+    apk --purge del apk-tools && \
+    ./hardening_final.sh && \
+    rm ./hardening_final.sh
+
 
 # copy the content of the local src and config directory to the working directory
 COPY --chmod=0700 entrypoint.sh /root/entrypoint.sh