Use Distroless runtime images (#316)

72636c · web-flow · commit ece7dd45a2f4 · 2021-01-11T13:34:43.000+11:00
Distroless images present a smaller attack surface as they ship without a package manager, shell and the like. These have been promoted out of experimental status since I last checked. https://github.com/GoogleContainerTools/distroless/tree/master/nodejs
diff --git a/.changeset/wise-fans-join.md b/.changeset/wise-fans-join.md
@@ -0,0 +1,5 @@
+---
+'skuba': patch
+---
+
+**template/\*-rest-api:** Use Distroless runtime images
diff --git a/template/express-rest-api/Dockerfile b/template/express-rest-api/Dockerfile
@@ -50,7 +50,7 @@ RUN yarn build
 
 ###
 
-FROM node:12-alpine AS runtime
+FROM gcr.io/distroless/nodejs:12 AS runtime
 
 WORKDIR /workdir
 
@@ -64,4 +64,4 @@ ARG PORT=8001
 ENV PORT ${PORT}
 EXPOSE ${PORT}
 
-CMD node lib/listen
+CMD ["lib/listen.js"]
diff --git a/template/koa-rest-api/Dockerfile b/template/koa-rest-api/Dockerfile
@@ -50,7 +50,7 @@ RUN yarn build
 
 ###
 
-FROM node:12-alpine AS runtime
+FROM gcr.io/distroless/nodejs:12 AS runtime
 
 WORKDIR /workdir
 
@@ -64,4 +64,4 @@ ARG PORT=8001
 ENV PORT ${PORT}
 EXPOSE ${PORT}
 
-CMD node lib/listen
+CMD ["lib/listen.js"]
