# Production dependency stage: install only the runtime packages listed in the
# lockfile. The resulting node_modules tree is what the final image copies in.
FROM node:22-alpine AS deps
WORKDIR /app
COPY package*.json /app/
RUN ["npm", "ci", "--omit=dev"]
# Build stage: install the full dependency set (devDependencies included, since
# `npm run build` needs the toolchain; tsconfig*.json suggests a TypeScript
# compile) and produce dist/. Nothing from this stage other than dist/ reaches
# the runtime image.
FROM node:22-alpine AS build
WORKDIR /app
COPY package*.json /app/
RUN ["npm", "ci"]
COPY tsconfig*.json /app/
COPY src/ /app/src/
RUN ["npm", "run", "build"]
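FROM node:22-alpine AS runtime
# Pin tool versions for reproducible builds. Update periodically and verify in staging.
# trufflehog, semgrep, and osv-scanner are the external binaries Layne shells out to.
# The version ARGs default to the pinned releases; override with --build-arg to test a newer release.
ARG TRUFFLEHOG_VERSION=3.93.7
ARG OSV_SCANNER_VERSION=2.3.8
# Optional integrity check for the downloaded release artifacts. Set these to the
# SHA-256 published in the upstream release's checksums file (e.g.
# --build-arg TRUFFLEHOG_SHA256=<sha256 from trufflehog release checksums>).
# When left empty the download is not verified and the build behaves as before.
ARG TRUFFLEHOG_SHA256=""
ARG OSV_SCANNER_SHA256=""
# `set -o pipefail` makes a failing producer (e.g. uname/sed) fail the whole step
# instead of being masked by the last command in the pipe (busybox ash supports it).
# pip's --no-cache-dir keeps its download cache out of the image layer.
# Binaries are downloaded to a temp file first so they can be checksummed before install.
RUN set -o pipefail \
    && apk add --no-cache \
        git \
        py3-pip \
        python3 \
        ripgrep \
        wget \
    && python3 -m pip install --no-cache-dir --break-system-packages semgrep==1.154.0 \
    && ARCH="$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')" \
    && wget -qO /tmp/trufflehog.tar.gz "https://github.com/trufflesecurity/trufflehog/releases/download/v${TRUFFLEHOG_VERSION}/trufflehog_${TRUFFLEHOG_VERSION}_linux_${ARCH}.tar.gz" \
    && if [ -n "${TRUFFLEHOG_SHA256}" ]; then echo "${TRUFFLEHOG_SHA256}  /tmp/trufflehog.tar.gz" | sha256sum -c -; fi \
    && tar -xzf /tmp/trufflehog.tar.gz -C /usr/local/bin trufflehog \
    && chmod +x /usr/local/bin/trufflehog \
    && rm -f /tmp/trufflehog.tar.gz \
    && wget -qO /tmp/osv-scanner "https://github.com/google/osv-scanner/releases/download/v${OSV_SCANNER_VERSION}/osv-scanner_linux_${ARCH}" \
    && if [ -n "${OSV_SCANNER_SHA256}" ]; then echo "${OSV_SCANNER_SHA256}  /tmp/osv-scanner" | sha256sum -c -; fi \
    && install -m 0755 /tmp/osv-scanner /usr/local/bin/osv-scanner \
    && rm -f /tmp/osv-scanner
# Run as a dedicated non-root user so a compromise of the service does not run
# with root privileges inside the container; this limits what an attacker can
# reach, it is not by itself a host isolation boundary.
RUN addgroup -S layne && adduser -S layne -G layne
# Expose ripgrep at the path pi-coding-agent expects (~/.pi/agent/bin/rg).
RUN mkdir -p /home/layne/.pi/agent/bin \
    && ln -s /usr/bin/rg /home/layne/.pi/agent/bin/rg \
    && chown -R layne:layne /home/layne/.pi
WORKDIR /app
# Application files stay root-owned and are only read by `layne` (least privilege).
COPY --from=deps /app/node_modules ./node_modules
COPY --from=build /app/dist ./dist
COPY package*.json ./
COPY config/ ./config/
COPY assets/ ./assets/
# /tmp is where Layne clones repos. Declaring it a VOLUME keeps cloned repos and
# scan artifacts out of the container's writable layer (they land in an anonymous
# volume). Note an anonymous volume survives a restart of the same container; it is
# only discarded when the container is removed (e.g. `docker rm -v`) or a fresh
# container is started.
VOLUME ["/tmp"]
USER layne
CMD ["node", "dist/server.js"]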