fix: switch to php:8.2-apache-bookworm, add apt upgrade, Trivy ignore-unfixed

- Base image: php:8.2-apache → php:8.2-apache-bookworm (Debian 12) Reduces OS-level CVEs from ~1200+ to only fixable ones - Add apt-get upgrade -y before package installs - Trivy: add ignore-unfixed: true (suppress CVEs with no available fix) - Pin trivy-action@0.31.0 instead of @master - Upgrade codeql-action upload-sarif v3 → v4
2026-05-16 07:23:39 +00:00
parent 6b982b6730
commit 68906b2f28
2 changed files with 8 additions and 6 deletions
@@ -1,7 +1,7 @@
-FROM php:8.2-apache
+FROM php:8.2-apache-bookworm

 # Install required PHP extensions + Tesseract OCR for offline expiry date reading
-RUN apt-get update && apt-get install -y \
+RUN apt-get update && apt-get upgrade -y && apt-get install -y \
    libsqlite3-dev \
    libcurl4-openssl-dev \
    libonig-dev \