
feat: Add optimized Docker implementation with banking-grade security #7

Open

devin-ai-integration[bot] wants to merge 1 commit into master from devin/1753786523-docker-implementation


@devin-ai-integration

feat: Add optimized Docker implementation with banking-grade security

Summary

This PR implements a comprehensive Docker solution for the banking application with multi-stage builds, security hardening, and development/production configurations. The implementation includes:

Core Docker Infrastructure:

  • Multi-stage Dockerfiles for both backend (NestJS) and frontend (React) with optimized production builds
  • Separate development Dockerfiles with hot reload support
  • Comprehensive docker-compose setup with PostgreSQL, Redis, and service networking
  • Security scanning integration with Trivy and GitHub Actions workflow

Security Features:

  • Non-root container execution (nestjs/reactjs users with UID 1001)
  • Alpine Linux base images for minimal attack surface
  • Security headers configuration in Nginx
  • Read-only filesystems and security options in production
  • Proper secrets management and environment variable handling

Development Experience:

  • Hot reload for both frontend and backend in development mode
  • Volume mounts for source code changes (frontend only due to permission constraints)
  • Health checks for all services with proper startup dependencies
  • Database initialization with sample data

Production Optimizations:

  • Multi-stage builds to reduce final image size
  • Layer caching and .dockerignore optimization
  • Nginx-based frontend serving with security headers
  • Resource constraints and restart policies

Review & Testing Checklist for Human

  • Security Configuration Review: Verify non-root user configurations, file permissions (755/775), and security headers in nginx.conf meet banking-grade requirements
  • Complete Stack Testing: Run docker-compose up and verify all 4 services start healthy, test frontend at http://localhost:3000 and API at http://localhost:4000/bank/Currencies
  • Production Build Verification: Build production images with docker build --target production for both applications and verify they serve correctly
  • Environment Variables & Secrets: Review .env.prod.example and docker-compose configurations to ensure no hardcoded secrets and proper variable handling
  • Database Initialization: Verify init-db.sql creates required tables and sample data correctly for the banking application

Recommended Test Plan:

  1. Clean Docker environment: docker system prune -f
  2. Build and run development stack: docker-compose up -d
  3. Verify health: docker-compose ps (all should show "healthy")
  4. Test frontend: Access http://localhost:3000 and verify banking UI loads
  5. Test backend: curl http://localhost:4000/bank/Currencies should return currency data
  6. Test production builds: Build both production images and verify they start correctly
  7. Security scan: Run docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image bank-server:prod

Diagram

%%{ init : { "theme" : "default" }}%%
graph TB
    subgraph "Frontend (bank-client)"
        ClientDockerfile["Dockerfile<br/>(Multi-stage)"]:::major-edit
        ClientDockerfileDev["Dockerfile.dev<br/>(Development)"]:::major-edit
        ClientDockerignore[".dockerignore"]:::major-edit
        NginxConf["nginx.conf<br/>(Security headers)"]:::major-edit
        ApiJs["app/utils/api.js<br/>(ENV config)"]:::minor-edit
        WebpackBase["webpack.base.babel.js<br/>(Node 18 fixes)"]:::minor-edit
    end
    
    subgraph "Backend (bank-server)"
        ServerDockerfile["Dockerfile<br/>(Multi-stage)"]:::major-edit
        ServerDockerfileDev["Dockerfile.dev<br/>(Development)"]:::major-edit
        ServerDockerignore[".dockerignore"]:::major-edit
    end
    
    subgraph "Infrastructure"
        DockerCompose["docker-compose.yml<br/>(Dev stack)"]:::major-edit
        DockerComposeProd["docker-compose.prod.yml<br/>(Production)"]:::major-edit
        InitDb["init-db.sql<br/>(Database setup)"]:::major-edit
        SecurityScan["security-scan.yml<br/>(Trivy integration)"]:::major-edit
    end
    
    DockerCompose --> ClientDockerfileDev
    DockerCompose --> ServerDockerfileDev
    DockerCompose --> InitDb
    ClientDockerfile --> NginxConf
    ServerDockerfile --> ServerDockerignore
    ClientDockerfile --> ClientDockerignore
    
    subgraph Legend
        L1["Major Edit"]:::major-edit
        L2["Minor Edit"]:::minor-edit
        L3["Context/No Edit"]:::context
    end
    
    classDef major-edit fill:#90EE90
    classDef minor-edit fill:#87CEEB
    classDef context fill:#FFFFFF

Notes

Key Implementation Decisions:

  • Permission Resolution: Development containers run as root to avoid volume mount permission issues, while production uses non-root users (nestjs/reactjs with UID 1001)
  • Webpack Compatibility: Disabled offline-plugin and image-webpack-loader due to Node.js 18 compatibility issues and OpenSSL legacy provider requirements
  • Health Check Strategy: Uses /bank/Currencies endpoint for backend health checks as it's publicly accessible and returns data
  • Volume Mount Strategy: Only frontend uses volume mounts in development; backend rebuilds on changes to avoid permission conflicts

Security Considerations:

  • All production containers run as non-root users with proper file ownership
  • Alpine Linux base images for minimal attack surface
  • Security headers configured in Nginx (CSP, HSTS, X-Frame-Options)
  • No secrets hardcoded in configurations
  • Read-only filesystems where possible

Potential Risks:

  • Development/production permission model differences could mask issues
  • Webpack configuration changes may affect caching or performance
  • Complex service dependencies require proper startup ordering

Link to Devin run: https://app.devin.ai/sessions/55a8838ca29e44f7abba8897acb7e9ea
Requested by: @akkp-windsurf (Arthur Poon)

- Add multi-stage Dockerfile with development and production targets
- Add separate Dockerfile.dev for development with hot reload
- Add .dockerignore to optimize build context
- Add nginx.conf for production serving with security headers
- Configure non-root user (reactjs/nginx-app) for security
- Add health checks and proper signal handling
- Optimize image layers and reduce final image size
- Fix webpack configuration for Node.js 18 compatibility
- Configure API base URL via environment variable
- Include banking-grade security practices

Co-Authored-By: Arthur Poon <arthur.poon@windsurf.com>
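As an added audit script, not part of this PR or its repository, the following Python checks the hardening claims made above (non-root UID 1001, read-only root filesystem, no hardcoded secrets) against the JSON that `docker inspect <container>` returns for a running production container, and also flags the Docker-socket bind mount that the Trivy step of the test plan relies on. The inspect record below is a constructed sample with hypothetical values, and the secret-marker list is a heuristic assumption.

```python
import json

# Constructed sample shaped like `docker inspect` output, trimmed to the fields the audit reads.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/bank-server",
    "Config": {"User": "1001", "Env": ["NODE_ENV=production", "DB_PASSWORD=changeme"]},
    "HostConfig": {
        "ReadonlyRootfs": True,
        "Privileged": False,
        "SecurityOpt": ["no-new-privileges:true"],
        "CapDrop": ["ALL"],
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
    },
}])

# Heuristic (assumed) markers for env var names that usually carry secrets.
SECRET_MARKERS = ("PASSWORD", "SECRET", "TOKEN", "KEY")

def audit_container(c):
    """Return a list of finding strings for one `docker inspect` record."""
    findings = []
    cfg, host = c.get("Config", {}), c.get("HostConfig", {})
    user = (cfg.get("User") or "").split(":")[0]   # "uid[:gid]" or a user name
    if user in ("", "0", "root"):
        findings.append("runs as root (Config.User is empty or 0)")
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable (ReadonlyRootfs=false)")
    if host.get("Privileged"):
        findings.append("privileged container")
    if not any(o.startswith("no-new-privileges") for o in host.get("SecurityOpt") or []):
        findings.append("missing no-new-privileges security option")
    if "ALL" not in (host.get("CapDrop") or []):
        findings.append("capabilities not dropped (CapDrop lacks ALL)")
    for bind in host.get("Binds") or []:
        if bind.split(":")[0] == "/var/run/docker.sock":
            findings.append("Docker socket is mounted into the container")
    for env in cfg.get("Env") or []:
        key, _, value = env.partition("=")
        if value and any(m in key.upper() for m in SECRET_MARKERS):
            findings.append(f"secret-looking value passed in plain env var {key}")
    return findings

def audit(inspect_json):
    """Map container name -> findings for every record in `docker inspect` output."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(inspect_json)}

if __name__ == "__main__":
    for name, items in audit(SAMPLE_INSPECT).items():
        print(name, "OK" if not items else "\n  - " + "\n  - ".join(items))
```

Run it against real output with `docker inspect bank-server | python audit.py` adapted to read stdin; an empty findings list for every production container is the expected result for the checklist items above.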
@devin-ai-integration

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring
