FROM python:3.12-slim

# nmap + the NSE vuln scripts the deep profile relies on
RUN apt-get update \
    && apt-get install -y --no-install-recommends nmap ca-certificates curl gnupg \
    && rm -rf /var/lib/apt/lists/*

# v10r1: Trivy for container-image vulnerability scanning (optional but enables
# the Docker image CVE + SBOM features out of the box). Falls back gracefully if
# unavailable. Pinned via the official Aqua Security apt repo.
RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
      | sh -s -- -b /usr/local/bin \
    || echo "Trivy install skipped - image CVE scanning will be disabled until a scanner is installed"

WORKDIR /app
COPY requirements.txt .
# Python deps. This also installs paramiko (v13 Patch and Remedy: OS
# updates/upgrades over SSH). paramiko is a pure-Python SSH client - it does NOT
# shell out to the system ssh binary, so no openssh-client package is needed.
# Its native deps (cryptography, cffi, pynacl, bcrypt) ship manylinux wheels for
# this base image, so no compiler/build tooling is required here.
RUN pip install --no-cache-dir -r requirements.txt

COPY app/ ./app/

# Persisted SQLite DB + caches live here; mount a volume to keep history.
VOLUME ["/app/data"]

EXPOSE 5000
CMD ["python", "-m", "app.server", "--host", "0.0.0.0", "--port", "5000"]
