Fix critical CVEs by using official Caddy image instead of Alpine package

Copy Caddy binary from caddy:2-alpine multi-stage build to avoid stale smallstep/certificates (CVE CVSS 10) and grpc vulnerabilities shipped with the Alpine caddy package.
2026-03-30 16:36:37 +02:00
parent 651e0d7ab0
commit acac49969d
1 changed files with 6 additions and 1 deletions
--- a/7
+++ b/7
@@ -1,7 +1,12 @@
+FROM caddy:2-alpine AS caddy
+
 FROM php:8.3-fpm-alpine AS base

+# Copy Caddy binary from official image (avoids stale Alpine package)
+COPY --from=caddy /usr/bin/caddy /usr/sbin/caddy
+
 # Install PHP curl extension (needed for API proxies)
-RUN apk add --no-cache caddy curl-dev \
+RUN apk add --no-cache curl-dev \
    && docker-php-ext-install curl \
    && rm -rf /var/cache/apk/*