Security checks

Dockerfile

@@ -1,35 +1,52 @@
-# Use Python 3.11 slim as base image
-FROM python:3.11-slim
+# Build stage
+FROM python:3.11-slim as builder
 
-# Set working directory
 WORKDIR /app
 
-# Install system dependencies
+# Install build dependencies
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
     gcc \
     python3-dev \
     && rm -rf /var/lib/apt/lists/*
 
-# Create a virtual environment to isolate dependencies
-RUN python -m venv /opt/venv
-ENV PATH="/opt/venv/bin:$PATH"
+# Install Python packages
+COPY requirements.txt .
+RUN pip install --no-cache-dir --upgrade pip==24.3.1 setuptools==70.0.0 && \
+    pip install --no-cache-dir -r requirements.txt
 
-# Upgrade pip and setuptools in the virtual environment
-RUN pip install --no-cache-dir pip==24.3.1 setuptools==70.0.0
+# Final stage
+FROM python:3.11-slim
 
-# Copy requirements file
-COPY requirements.txt .
+WORKDIR /app
 
-# Install Python dependencies
-RUN pip install --no-cache-dir -r requirements.txt
+# Create non-root user
+RUN groupadd -r appuser && useradd -r -g appuser appuser
+
+# Copy only the installed packages from builder
+COPY --from=builder /usr/local/lib/python3.11/site-packages/ /usr/local/lib/python3.11/site-packages/
+COPY --from=builder /usr/local/bin/ /usr/local/bin/
 
 # Copy application code
 COPY . .
 
-# Set environment variables
+# Set permissions
+RUN chown -R appuser:appuser /app
+
+# Set Python environment variables
 ENV PYTHONUNBUFFERED=1 \
-    PYTHONDONTWRITEBYTECODE=1
+    PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONPATH=/app
+
+# Switch to non-root user
+USER appuser
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=5s \
+    CMD curl -f http://localhost:5001/health || exit 1
+
+# Expose port
+EXPOSE 5001
 
 # Run the application
 CMD ["gunicorn", "--bind", "0.0.0.0:5001", "--workers", "4", "api:app"]