Tech Story: Harden Dockerfiles for production #102

@GitAddRemote

Tech Story

As a platform engineer, I want production Docker images to be lean, reproducible, and secure so that deployed containers have minimal attack surface and known-good dependency trees.

Context

Current Dockerfiles have several issues identified in audit:

  • Node.js 14 (EOL April 2023 — no security patches)
  • No multi-stage build — devDependencies shipped in production image
  • npm install instead of npm ci — non-reproducible builds
  • Backend CMD runs start:dev (file-watch dev server) in production
  • COPY . . may copy .env files into the image
  • No non-root user — any RCE gains full container root
  • No HEALTHCHECK instruction
  • EXPOSE port mismatch with actual runtime port

Acceptance Criteria

  • Both images use Node.js 22 LTS (Alpine)
  • Multi-stage build: builder installs all deps + compiles; runner installs prod-only deps + copies dist/
  • npm ci used in both stages for reproducible installs
  • Backend CMD runs node dist/main.js (or start:prod)
  • .dockerignore present for both packages, excluding .env, .git, node_modules, test files, coverage
  • Non-root user created and switched to before CMD
  • HEALTHCHECK instruction added (backend: GET /health; frontend: HTTP check on served port)
  • EXPOSE port matches actual runtime port from env
  • Frontend serves static build via nginx:alpine (not serve or vite preview)

Notes

  • A GET /health endpoint should be added to the backend (simple 200 OK) if it doesn't already exist
  • Frontend nginx config should proxy /api to the backend service (useful for k8s ingress)
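
One backend Dockerfile that satisfies the acceptance criteria above, added here as an example and not taken from the issue or the repository. Port 3000, the `npm run build` script, a committed `package-lock.json` and the `app` user name are assumptions.

```dockerfile
# Added example, not the project's own file.
# Assumed: backend listens on $PORT (default 3000), "npm run build" emits dist/,
# and package-lock.json is committed (npm ci fails without it).

# ---- builder: full dependency tree + compile ----
FROM node:22-alpine AS builder
WORKDIR /app
# Copy manifests first so the dependency layer caches independently of source.
COPY package.json package-lock.json ./
RUN npm ci
# .dockerignore must exclude .env, .git, node_modules, test files and coverage;
# otherwise this COPY pulls them into the builder layer and the build cache.
COPY . .
RUN npm run build

# ---- runner: production deps + compiled output only ----
FROM node:22-alpine AS runner
ENV NODE_ENV=production \
    PORT=3000
WORKDIR /app
# Unprivileged account (name is illustrative). Files below stay root-owned,
# so the runtime user can read the application but not modify it.
RUN addgroup -S app && adduser -S -G app app
COPY package.json package-lock.json ./
# devDependencies are never installed in the shipped image.
RUN npm ci --omit=dev && npm cache clean --force
COPY --from=builder /app/dist ./dist
USER app
# Same variable the process reads, so EXPOSE cannot drift from the runtime port.
EXPOSE ${PORT}
# busybox wget ships with Alpine; a non-2xx response exits non-zero.
HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
  CMD wget -q -O /dev/null "http://127.0.0.1:${PORT}/health" || exit 1
CMD ["node", "dist/main.js"]
```

Running `docker run --rm <image> id` against the built image should report a non-zero uid, which confirms the `USER` switch took effect before `CMD`.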

Labels

  • backend: Backend services and logic
  • config: Configuration and feature flags
  • frontend: Frontend app and dashboard
  • tech-story: Technical implementation story