
containerized flask demo + hardened dockerfile

e4e04e4   Zion Boggan committed on May 1, 2026 (1 month ago)
.gitignore +7 -0
@@ -0,0 +1,7 @@
+sbom.spdx.json
+*.sig
+*.pem
+cosign.key
+__pycache__/
+*.pyc
+.venv/
Dockerfile +21 -0
@@ -0,0 +1,21 @@
+FROM python:3.11-slim AS base
+
+ENV PYTHONDONTWRITEBYTECODE=1 \
+ PYTHONUNBUFFERED=1
+
+WORKDIR /app
+
+RUN useradd --create-home --uid 10001 appuser
+
+COPY app/requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+
+COPY app/ .
+
+USER appuser
+
+EXPOSE 8080
+
+HEALTHCHECK --interval=30s --timeout=3s CMD python -c "import urllib.request,sys; sys.exit(0 if urllib.request.urlopen('http://127.0.0.1:8080/healthz').status==200 else 1)"
+
+ENTRYPOINT ["gunicorn", "--bind", "0.0.0.0:8080", "--workers", "2", "main:app"]
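Review bot: `COPY app/ .` (two lines above `USER appuser`) copies the whole app/ directory, and the commit adds no `.dockerignore`, so the patterns in the new `.gitignore` (`__pycache__/`, `.venv/`, `*.pem`, `cosign.key`) keep nothing out of the build context; anything matching them under app/ is baked into an image layer even if a later step removed it. Either add a `.dockerignore` carrying the same patterns or copy only what the image needs, e.g. `COPY app/main.py .`. For an image that is going to be signed and SBOM'd, the base at `FROM python:3.11-slim` is also worth pinning by digest, `FROM python:3.11-slim@sha256:<digest-of-the-chosen-tag> AS base`, so a rebuild resolves the same layers the SBOM described. The `HEALTHCHECK` sets no `--start-period`; gunicorn may take a moment before `/healthz` answers, so `--start-period=5s` keeps an early failed probe from counting toward the retries.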
app/main.py +19 -0
@@ -0,0 +1,19 @@
+import os
+
+from flask import Flask, jsonify
+
+app = Flask(__name__)
+
+
+@app.get("/")
+def index():
+ return jsonify(service="supply-chain-demo", version=os.environ.get("APP_VERSION", "dev"))
+
+
+@app.get("/healthz")
+def healthz():
+ return jsonify(status="ok")
+
+
+if __name__ == "__main__":
+ app.run(host="0.0.0.0", port=8080)
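Review bot: The `__main__` block starts Flask's built-in development server on all interfaces while the Dockerfile's ENTRYPOINT serves the same `main:app` through gunicorn, and nothing in the file says which path is meant for which use; a comment above `app.run(...)` such as `# Local development only; the container image serves this app via gunicorn (see Dockerfile ENTRYPOINT)` would make that explicit. The module and both handlers have no docstrings; one line each ("Return service name and version from APP_VERSION", "Liveness probe used by the Dockerfile HEALTHCHECK") would suffice. `index` returns the `APP_VERSION` environment value to any unauthenticated caller, which is presumably intended for the demo — if so, a short comment saying the version string is deliberately public saves the next reader from treating it as an information leak.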
app/requirements.txt +2 -0
@@ -0,0 +1,2 @@
+Flask==3.0.3
+gunicorn==23.0.0
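Review bot: Both entries pin a version but carry no `--hash=sha256:…` markers, so the `pip install --no-cache-dir -r requirements.txt` step in the Dockerfile accepts whatever artifact the index serves for `Flask==3.0.3` and `gunicorn==23.0.0`. A file generated with `pip-compile --generate-hashes` together with `--require-hashes` on the install line would tie the build to specific wheels, which is what the SBOM and signature artifacts this commit ignores are meant to attest. Only the two direct dependencies are listed, so Flask's and gunicorn's own dependencies remain unpinned unless the generated file includes them.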