From c43d7f639fb229d8402f09c9957079fa315c8fb1 Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Tue, 28 Apr 2026 09:42:38 +0200
Subject: [PATCH] harden: swap cameleer-saas runtime stage to Chainguard JRE

Replace eclipse-temurin:21-jre-alpine with cgr.dev/chainguard/jre:openjdk-21 for the SaaS management plane image. Use Chainguard's built-in nonroot user instead of custom adduser. Build stages unchanged (ephemeral).

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 Dockerfile | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 56be9da..969019a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -20,12 +20,12 @@ COPY src/ src/
 COPY --from=frontend /ui/dist/ src/main/resources/static/
 RUN --mount=type=cache,target=/root/.m2/repository ./mvnw package -DskipTests -U -B
 
-# Runtime: target platform (amd64)
-FROM eclipse-temurin:21-jre-alpine
+# Runtime: Chainguard Wolfi-based JRE (glibc, daily CVE refresh, non-root by default)
+FROM cgr.dev/chainguard/jre:openjdk-21
 WORKDIR /app
-RUN addgroup -S cameleer && adduser -S cameleer -G cameleer \
- && mkdir -p /data/jars && chown -R cameleer:cameleer /data
-COPY --from=build /build/target/*.jar app.jar
-USER cameleer
+USER root
+RUN mkdir -p /data/jars && chown -R nonroot:nonroot /data
+COPY --chown=nonroot:nonroot --from=build /build/target/*.jar app.jar
+USER nonroot
 EXPOSE 8080
 ENTRYPOINT ["java", "-jar", "app.jar"]
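Review bot: The new `FROM cgr.dev/chainguard/jre:openjdk-21` line pulls a rolling tag — the comment above it advertises a daily refresh — so two builds of the same commit can produce different runtime layers and a compromised or regressed upstream push would be picked up silently; pin it by digest, `FROM cgr.dev/chainguard/jre:openjdk-21@sha256:<digest-placeholder>`, and let dependency automation bump the digest so the refresh is still consumed but each build is reproducible and auditable. The final `USER nonroot` switches by name, which a Kubernetes `runAsNonRoot` admission check cannot verify (it needs a numeric UID in the image config), so the hardened image may be rejected or forced to declare `runAsUser` in every manifest; `USER 65532:65532` (the uid:gid Chainguard assigns to nonroot, worth confirming against the pulled image) keeps the same identity and makes the check pass. The `USER root` / `USER nonroot` bracket around the `RUN mkdir -p /data/jars && chown -R nonroot:nonroot /data` step is correct and leaves the stage non-root, and the `--chown` on the `COPY` avoids a second chown layer. The build stage this hunk starts in continues outside the hunk.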