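# syntax=docker/dockerfile:1
# db-mcp (SQLite MCP Server)
# Multi-stage build for optimized production image.
#
# Stage layout:
#   builder    - compiles the better-sqlite3 native bindings and the TypeScript
#                sources; it is discarded, so nothing installed here is scanned
#                or shipped.
#   production - node runtime + pruned node_modules + dist, run as a non-root
#                user with /app/data as the only intentionally writable path.
#
# Reproducibility: node:24-alpine is a floating tag. For a release build pin the
# base by digest (e.g. node:24-alpine@sha256:<digest-from-registry>) via
# --build-arg NODE_IMAGE=... so both stages are tied to one known base.
ARG NODE_IMAGE=node:24-alpine
# npm version installed in both stages. "latest" keeps the original behaviour;
# pass --build-arg NPM_VERSION=<x.y.z> for a reproducible build.
ARG NPM_VERSION=latest

FROM ${NODE_IMAGE} AS builder
ARG NPM_VERSION
WORKDIR /app

# Toolchain for the better-sqlite3 native compilation (node-gyp needs python3,
# make and a C++ compiler). curl is not needed at build time and is deliberately
# not installed in this stage.
RUN apk add --no-cache \
        g++ \
        make \
        python3

# Upgrade npm (no bundled-dependency patches here: the builder is discarded and
# only the production stage is scanned).
RUN npm install -g "npm@${NPM_VERSION}" --force && npm cache clean --force

# Copy package manifests first so the dependency layer stays cached until they change.
COPY package*.json ./

# Install all dependencies (devDependencies included for the build step).
# This compiles the better-sqlite3 native bindings.
RUN npm ci

# Remove protobufjs CLI entirely - not needed at runtime.
# Eliminates CVE-2019-10790 (taffydb), CVE-2025-54798 (tmp), CVE-2025-5889 (brace-expansion)
RUN rm -rf node_modules/protobufjs/cli || true

# Copy source code and build TypeScript
COPY tsconfig.json tsup.config.ts ./
COPY src/ ./src/
RUN npm run build

# Prune devDependencies after build (removes vulnerable rimraf -> @isaacs/brace-expansion chain)
RUN npm prune --omit=dev

# ---------------------------------------------------------------------------
# Production stage
# ---------------------------------------------------------------------------
FROM ${NODE_IMAGE}
ARG NPM_VERSION
WORKDIR /app

# Runtime packages. curl is required by the HEALTHCHECK below when the HTTP
# transport is used; it is pulled from the Alpine edge/main repository to pick
# up the newest security fixes. Mixing edge/main into a stable Alpine release is
# a floating source, so pin the package (curl=<version>-r<N>) once the required
# fix is available in the base release.
RUN apk add --no-cache ca-certificates && \
    apk add --no-cache --repository=https://dl-cdn.alpinelinux.org/alpine/edge/main curl && \
    apk upgrade --no-cache && \
    npm install -g "npm@${NPM_VERSION}" --force && \
    npm cache clean --force

# Patch npm-bundled transitive dependencies for Docker Scout compliance.
# These only matter in the production image (what gets scanned and deployed).
#
#   diff@8.0.3                     - GHSA-73rr-hh4g-fpgx
#   @isaacs/brace-expansion@5.0.1  - CVE-2026-25547
#   tar@7.5.11                     - CVE-2026-23950, CVE-2026-24842, CVE-2026-26960
#   minimatch@10.2.4               - CVE-2026-26996
#
# Each replacement fetches the exact version from the npm registry with
# `npm pack`, extracts it into a temporary directory and swaps it in under
# npm's own node_modules (scoped packages get their parent directory created).
# The npm cache is cleared in the same layer so the downloaded tarballs do not
# remain in the image. NOTE(review): this relies on npm's registry integrity
# checking; pin and verify the tarball hashes here if a stronger guarantee is
# required. npm itself is never invoked at runtime (ENTRYPOINT runs node
# directly), so removing npm from the image entirely would make this whole step
# unnecessary - do that only if nothing in the deployment relies on npm/npx.
RUN <<'EOF'
set -eu
cd /usr/local/lib/node_modules/npm
# replace_bundled <name@version> <path-under-node_modules>
replace_bundled() {
    tmp="$(mktemp -d)"
    npm pack "$1" --pack-destination "$tmp" >/dev/null
    tar -xzf "$tmp"/*.tgz -C "$tmp"
    rm -rf "node_modules/$2"
    mkdir -p "$(dirname "node_modules/$2")"
    mv "$tmp/package" "node_modules/$2"
    rm -rf "$tmp"
}
replace_bundled diff@8.0.3 diff
replace_bundled @isaacs/brace-expansion@5.0.1 @isaacs/brace-expansion
replace_bundled tar@7.5.11 tar
replace_bundled minimatch@10.2.4 minimatch
npm cache clean --force
EOF

# Non-root runtime user with a fixed UID/GID so orchestrators can verify
# runAsNonRoot. Created before the COPY steps so ownership can be set at copy time.
RUN addgroup -g 1001 -S appgroup && \
    adduser -u 1001 -S appuser -G appgroup

# Copy built artifacts and production dependencies. Ownership is applied with
# --chown instead of a trailing `chown -R`, which would re-write every copied
# file into an additional layer. NOTE(review): if the server never writes under
# dist/ or node_modules/, leaving those root-owned (read-only for appuser) would
# be a tighter least-privilege setup.
COPY --from=builder --chown=appuser:appgroup /app/dist ./dist
COPY --from=builder --chown=appuser:appgroup /app/node_modules ./node_modules
COPY --chown=appuser:appgroup package*.json LICENSE ./

# Data directory for the SQLite database: private to the app user.
# /app itself is handed to the app user as well, matching the previous layout.
RUN mkdir -p /app/data && \
    chown appuser:appgroup /app /app/data && \
    chmod 700 /app/data

# Runtime environment
ENV NODE_ENV=production

# Documentation only (does not publish the port): the HEALTHCHECK assumes the
# HTTP transport listens on ${PORT:-3000}. Unused by the default stdio transport.
EXPOSE 3000

# Everything below runs as the unprivileged user.
USER appuser

# Health check: probes the HTTP endpoint when MCP_TRANSPORT=http; for the default
# stdio transport there is nothing to probe, so it only verifies that node runs.
# Exec form so the probe runs under a single shell. MCP_TRANSPORT and PORT are
# read from the container environment at run time, not set in this image.
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD ["/bin/sh", "-c", "if [ \"${MCP_TRANSPORT:-stdio}\" = \"http\" ]; then curl -sf \"http://localhost:${PORT:-3000}/health\"; else node -e \"console.log('ok')\"; fi"]

# Run the MCP server (default: stdio transport with native backend).
# node is PID 1 here; use `docker run --init` if the server spawns child
# processes that need reaping.
ENTRYPOINT ["node", "dist/cli.js"]
CMD ["--transport", "stdio", "--sqlite-native", "/app/data/database.db"]

# Image metadata (Docker Hub / OCI labels)
LABEL maintainer="Adamic.tech" \
      description="SQLite MCP Server with OAuth 2.1, HTTP/SSE transport, 139 tools, and smart tool filtering" \
      org.opencontainers.image.source="https://github.com/neverinfamous/db-mcp" \
      io.modelcontextprotocol.server.name="io.github.neverinfamous/db-mcp"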