# ---- build stage: compiles the cammonitor server binary ----
FROM golang:1.25-bookworm AS builder

WORKDIR /src

# Copy only the module manifests first so the dependency download layer stays
# cached until go.mod or go.sum change. go.sum also lets the Go toolchain
# check downloaded modules against their recorded checksums.
COPY go.mod go.sum ./
RUN go mod download

# NOTE(review): `COPY . .` sends the entire build context into this stage;
# confirm a .dockerignore keeps .git, local .env files and credentials out of
# the context so they cannot end up in cached or pushed build layers.
COPY . .

# CGO is disabled for the build; /cammonitor is the artifact the final stage
# copies out of this one.
RUN CGO_ENABLED=0 \
    go build -o /cammonitor ./cmd/server
# ---- runtime stage: slim Debian plus CA certificates, ffmpeg and cammonitor ----
FROM debian:bookworm-slim

# Bring the packages that already ship in the base image (libcap2,
# libgnutls30, …) up to their latest Debian security patches before anything
# else is installed; this clears the Trivy findings marked "fixed". The apt
# lists are deleted in the same layer so they do not persist in the image.
# NOTE(review): `apt-get upgrade` makes the result depend on the build date, so
# the image only stays patched if it is rebuilt regularly.
RUN apt-get update \
    && apt-get upgrade -y \
    && apt-get install -y --no-install-recommends ca-certificates \
    && rm -rf /var/lib/apt/lists/*

# ffmpeg is taken from a statically-linked build instead of the apt package.
# The apt ffmpeg drags in ~20 shared codec libraries (libaom3, Mesa/libgbm,
# Mbed TLS, libssh, libsndfile, libtheora, libtiff, libharfbuzz, libmfx …)
# that carry the remaining CRITICAL/HIGH CVEs in the Trivy report. With a
# static build none of those OS packages are installed, so the package-based
# scan no longer reports them.
# NOTE(review): that removes the findings from the report, not necessarily the
# vulnerable code. Whatever codec/TLS libraries the static build bundles are
# compiled into the binary and are invisible to an OS-package scan, so track
# the static-ffmpeg releases and their bundled library versions separately and
# bump the tag when upstream fixes land.
# NOTE(review): the source image is a third-party image referenced by a
# mutable tag; pinning it by digest (mwader/static-ffmpeg:7.1.1@sha256:<DIGEST>,
# placeholder) would stop the copied binary from changing underneath the tag.
# Only stream-copy remux and single-frame thumbnails are needed; the GPL build
# covers both with no re-encoding required.
COPY --from=mwader/static-ffmpeg:7.1.1 /ffmpeg /usr/local/bin/ffmpeg

COPY --from=builder /cammonitor /usr/local/bin/cammonitor

# NOTE(review): no USER is set, so cammonitor and any ffmpeg process it starts
# run as root inside the container. ffmpeg presumably parses data coming from
# cameras on the network; once the paths the service must write to are known,
# add a dedicated unprivileged user and switch to it before ENTRYPOINT.
ENTRYPOINT ["cammonitor"]