@abishekTa-egov abishekTa-egov commented Aug 18, 2025

BUGFIX/HCMPRE-0009: Adding dependency for docker

Summary by CodeRabbit

  • Chores
    • The app’s served base path has been renamed from /dashboard-ui to /microplan-ui — assets and dynamic chunk URLs use the new base.
    • Container build adjusted to place built assets under the new path.
    • Note: a fallback reference to the old /dashboard-ui index may remain and could affect fallback behavior.

@abishekTa-egov abishekTa-egov requested a review from a team as a code owner August 18, 2025 09:37

coderabbitai bot commented Aug 18, 2025

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (2)
  • .github/workflows/build.yaml is excluded by !**/*.yaml
  • build/build-config.yml is excluded by !**/*.yml

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

📝 Walkthrough

Updated UI path from "/dashboard-ui" to "/microplan-ui" across Dockerfile, nginx config, and Webpack output publicPath; nginx try_files still references the old /dashboard-ui/index.html as a fallback.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Dockerfile final-stage: health/micro-ui/web/health-dss/Dockerfile | Changed ENV WORK_DIR from /var/web/dashboard-ui to /var/web/microplan-ui. COPY --from=build /app/web/build ${WORK_DIR}/ updated to the new path. COPY --from=build /app/web/health-dss/nginx.conf /etc/nginx/conf.d/default.conf unchanged in behavior (minor formatting diff only). |
| nginx config location path: health/micro-ui/web/health-dss/nginx.conf | Updated served location from /dashboard-ui to /microplan-ui. root, index, and try_files lines remain; try_files still falls back to /dashboard-ui/index.html. |
| Webpack publicPath: health/micro-ui/web/health-dss/webpack.config.js | Updated output.publicPath from "/dashboard-ui/" to "/microplan-ui/" to change base URL for emitted assets and chunk loading. |

Sequence Diagram(s)

sequenceDiagram
  participant Browser
  participant Nginx
  participant FileSystem
  participant WebpackAssets as "Built assets (WORK_DIR)"

  Browser->>Nginx: GET /microplan-ui/ (or asset URL /microplan-ui/static/*)
  Nginx->>FileSystem: serve from /var/web/microplan-ui/ (WORK_DIR)
  alt asset exists
    FileSystem-->>Nginx: asset file
    Nginx-->>Browser: 200 + file
  else fallback (SPA route)
    Nginx->>FileSystem: try_files -> /dashboard-ui/index.html
    FileSystem-->>Nginx: index.html
    Nginx-->>Browser: 200 + index.html
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes


coderabbitai[bot]
coderabbitai bot previously approved these changes Aug 18, 2025
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🔭 Outside diff range comments (1)
health/micro-ui/web/health-dss/Dockerfile (1)

37-42: Fix nginx.conf root and location for health-dss

After running the grep, the health/micro-ui/web/health-dss/nginx.conf still contains:

  • root /var/web;
  • location /dashboard-ui { … try_files … /dashboard-ui/index.html; }

These must be updated to match your new WORK_DIR=/var/web/health-dss:

• In nginx.conf:
  – Change root /var/web; → root /var/web/health-dss;
  – Change location /dashboard-ui → location /health-dss
  – Update any try_files … /dashboard-ui/index.html → try_files $uri $uri/ /health-dss/index.html;

• In your Dockerfile (final stage), consider adding for clarity:

WORKDIR /var/web/health-dss

These fixes are required to avoid 404s.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 2ae5fc4 and 25a6273.

⛔ Files ignored due to path filters (2)
  • health/micro-ui/web/microplan/package.json is excluded by !**/*.json
  • health/micro-ui/web/package.json is excluded by !**/*.json
📒 Files selected for processing (1)
  • health/micro-ui/web/health-dss/Dockerfile (1 hunks)
🧰 Additional context used
🪛 Hadolint (2.12.0)
health/micro-ui/web/health-dss/Dockerfile

[info] 22-22: Multiple consecutive RUN instructions. Consider consolidation.

(DL3059)


[info] 23-23: Multiple consecutive RUN instructions. Consider consolidation.

(DL3059)


[info] 28-28: Multiple consecutive RUN instructions. Consider consolidation.

(DL3059)

⏰ Context from checks skipped due to timeout of 10000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Build application arm64
  • GitHub Check: Build application amd64
  • GitHub Check: Analyze (javascript-typescript)

Comment on lines 21 to 24
# ---- FIX: Install main deps before health-dss ----
RUN yarn config set network-timeout 600000
RUN yarn install --ignore-scripts

💡 Verification agent

🧩 Analysis chain

Consolidate RUNs and pin install to lockfile; reassess use of --ignore-scripts

Good call installing root deps upfront. To reduce layers (DL3059) and improve determinism, consider consolidating and enforcing the lockfile. Also, verify that ignoring scripts doesn’t break builds if any package relies on install/postinstall/prepare scripts.

Apply within this range:

-# ---- FIX: Install main deps before health-dss ----
-RUN yarn config set network-timeout 600000
-RUN yarn install --ignore-scripts
+# ---- FIX: Install main deps before health-dss ----
+RUN yarn config set network-timeout 600000 \
+  && yarn install --frozen-lockfile --ignore-scripts

Additionally, outside this range (nit):

# collapse these consecutive RUNs too
RUN chmod +x ./install-deps.sh && ./install-deps.sh

To validate that skipping lifecycle scripts is safe, run this repo-scoped check to list any install/postinstall/prepare scripts under web/:


🏁 Script executed:

#!/bin/bash
set -euo pipefail

python3 - <<'PY'
import json, os, sys
base = "health/micro-ui/web"
found = []
for root, _, files in os.walk(base):
    if "package.json" in files:
        p = os.path.join(root, "package.json")
        try:
            with open(p) as f:
                data = json.load(f)
            scripts = data.get("scripts", {})
            lifecycles = {k:v for k,v in scripts.items() if k in ("install","postinstall","prepare","preinstall")}
            if lifecycles:
                found.append((p, lifecycles))
        except Exception as e:
            print(f"WARN: could not parse {p}: {e}", file=sys.stderr)
if found:
    print("Lifecycle scripts detected that may be skipped by --ignore-scripts:")
    for p, lc in found:
        print(f"- {p}")
        for k,v in lc.items():
            print(f"    {k}: {v}")
else:
    print("No install/postinstall/prepare scripts found under web/")
PY

Length of output: 87


Consolidate RUNs, freeze lockfile, and confirm --ignore-scripts safety

No install/postinstall/prepare scripts were detected under health/micro-ui/web, so using --ignore-scripts is safe. To reduce image layers (DL3059) and ensure deterministic installs, you can consolidate the two RUNs and pin to your lockfile:

-# ---- FIX: Install main deps before health-dss ----
-RUN yarn config set network-timeout 600000
-RUN yarn install --ignore-scripts
+# ---- FIX: Install main deps before health-dss ----
+RUN yarn config set network-timeout 600000 \
+  && yarn install --frozen-lockfile --ignore-scripts
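
Review bot: On the added yarn install --frozen-lockfile --ignore-scripts line, --ignore-scripts also suppresses the install scripts of third-party dependencies, while the scan in this comment only walks package.json files under health/micro-ui/web in the repository checkout, where installed dependencies are not normally present. Keeping the flag is a sound supply-chain default, but confirm the build stage still succeeds without dependency install scripts (native addons are the usual casualty) rather than relying on the scan result alone.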

Nit (outside this range): collapse consecutive RUNs for your custom installer too:

# before
RUN chmod +x ./install-deps.sh
RUN ./install-deps.sh

# after
RUN chmod +x ./install-deps.sh && ./install-deps.sh

🤖 Prompt for AI Agents
In health/micro-ui/web/health-dss/Dockerfile around lines 21 to 24, consolidate
the two RUNs into a single layer and make installs deterministic: combine the
yarn config set network-timeout and yarn install into one RUN and use the
lockfile (yarn install --frozen-lockfile) while retaining --ignore-scripts since
no install/postinstall/prepare scripts exist; also collapse any adjacent RUN
chmod +x and ./install-deps.sh into a single RUN with && as a follow-up
refinement.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🔭 Outside diff range comments (3)
health/micro-ui/web/health-dss/Dockerfile (3)

2-3: Avoid apk update layer; rely on --no-cache with apk add

apk update creates an extra layer and cache that isn’t needed here.

-RUN apk update
-RUN apk add --no-cache 'git>2.30.0'
+RUN apk add --no-cache 'git>2.30.0'

1-1: Node 14 is EOL; consider updating the build base image

If the repo permits, upgrade to an LTS (e.g., node:18-alpine or node:20-alpine) to receive security updates and better performance.

Example:

-FROM node:14-alpine3.16 AS build
+FROM node:18-alpine AS build
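
Review bot: node:18-alpine on the + line is itself end-of-life at the time of this review (Node.js 18 left maintenance on 30 April 2025), so the bump does not achieve the stated goal. Target a release line that is still supported, such as the node:20-alpine mentioned above, and pin a specific version tag so rebuilds do not silently change the toolchain.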

Confirm compatibility with your Yarn/workspaces and any native addons before bumping.


4-9: COPY with ARG WORK_DIR: provide a sane default to avoid CI breakage

If build-arg WORK_DIR isn’t passed, COPY ${WORK_DIR} . will fail. Set a default to the intended subdir to make builds reproducible.

-ARG WORK_DIR
+ARG WORK_DIR=health/micro-ui/web
♻️ Duplicate comments (2)
health/micro-ui/web/health-dss/Dockerfile (2)

23-24: Collapse consecutive RUNs for install script to reduce image layers

Merging these commands into a single RUN improves caching and reduces layers.

-RUN chmod +x ./install-deps.sh
-RUN ./install-deps.sh
+RUN chmod +x ./install-deps.sh && ./install-deps.sh

30-33: Combine Yarn steps and lock installs to the lockfile for determinism

Use a single RUN and enforce the lockfile to avoid dependency drift in CI.

-RUN yarn config set network-timeout 600000
-
-# Install dependencies
-RUN yarn install
+RUN yarn config set network-timeout 600000 \
+  && yarn install --frozen-lockfile

If any workspace relies on install/postinstall/prepare scripts, remove --ignore-scripts only for those packages or confirm none are present (prior verification indicated none under web/). Want me to re-run a repo-scoped check script to reconfirm?

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 057ec66 and fe45e43.

📒 Files selected for processing (1)
  • health/micro-ui/web/health-dss/Dockerfile (1 hunks)
🧰 Additional context used
🪛 Checkov (3.2.334)
health/micro-ui/web/health-dss/Dockerfile

[LOW] 1-45: Ensure that HEALTHCHECK instructions have been added to container images

(CKV_DOCKER_2)


[LOW] 1-45: Ensure that a user for the container has been created

(CKV_DOCKER_3)

⏰ Context from checks skipped due to timeout of 10000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Analyze (javascript-typescript)

Comment on lines 38 to 45
FROM nginx:mainline-alpine
#FROM ghcr.io/egovernments/nginx:mainline-alpine
ENV WORK_DIR=/var/web/dashboard-ui
ENV WORK_DIR=/var/web/d

RUN mkdir -p ${WORK_DIR}

COPY --from=build /app/web/build ${WORK_DIR}/
COPY --from=build /app/web/health-dss/nginx.conf /etc/nginx/conf.d/default.conf
COPY --from=build /app/web/health-dss/nginx.conf /etc/nginx/conf.d/default.conf

🛠️ Refactor suggestion

Harden runtime image: add non-root user and HEALTHCHECK

The final image runs as root and lacks a healthcheck. Set a non-root user and add a simple HTTP check. Nginx (alpine) provides an nginx user by default.

 FROM nginx:mainline-alpine
 #FROM ghcr.io/egovernments/nginx:mainline-alpine
-ENV WORK_DIR=/var/web/d
+ENV WORK_DIR=/var/web/d
 
 RUN mkdir -p ${WORK_DIR}
 
 COPY --from=build /app/web/build ${WORK_DIR}/
 COPY --from=build /app/web/health-dss/nginx.conf /etc/nginx/conf.d/default.conf
+RUN chown -R nginx:nginx ${WORK_DIR} /var/cache/nginx /var/run
+USER nginx
+# BusyBox wget is available in alpine; adjust path if your server root differs
+HEALTHCHECK --interval=30s --timeout=3s --retries=3 CMD wget -q --spider http://127.0.0.1:80/ || exit 1
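
Review bot: The -ENV WORK_DIR=/var/web/d and +ENV WORK_DIR=/var/web/d lines are identical, so that part of the suggestion is a no-op and should be dropped from the hunk. The added HEALTHCHECK probes http://127.0.0.1:80/ while the nginx.conf quoted elsewhere in this review serves the app only from a sub-path location, so point the probe at the served path or it can report the container unhealthy even when the UI is up.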

Note: ensure nginx.conf’s server root matches ${WORK_DIR} (or the default /usr/share/nginx/html) for this healthcheck to succeed.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
FROM nginx:mainline-alpine
#FROM ghcr.io/egovernments/nginx:mainline-alpine
ENV WORK_DIR=/var/web/dashboard-ui
ENV WORK_DIR=/var/web/d
RUN mkdir -p ${WORK_DIR}
COPY --from=build /app/web/build ${WORK_DIR}/
COPY --from=build /app/web/health-dss/nginx.conf /etc/nginx/conf.d/default.conf
COPY --from=build /app/web/health-dss/nginx.conf /etc/nginx/conf.d/default.conf
FROM nginx:mainline-alpine
#FROM ghcr.io/egovernments/nginx:mainline-alpine
ENV WORK_DIR=/var/web/d
RUN mkdir -p ${WORK_DIR}
COPY --from=build /app/web/build ${WORK_DIR}/
COPY --from=build /app/web/health-dss/nginx.conf /etc/nginx/conf.d/default.conf
RUN chown -R nginx:nginx ${WORK_DIR} /var/cache/nginx /var/run
USER nginx
# BusyBox wget is available in alpine; adjust path if your server root differs
HEALTHCHECK --interval=30s --timeout=3s --retries=3 CMD wget -q --spider http://127.0.0.1:80/ || exit 1

Comment on lines 40 to 45
ENV WORK_DIR=/var/web/d

RUN mkdir -p ${WORK_DIR}

COPY --from=build /app/web/build ${WORK_DIR}/
COPY --from=build /app/web/health-dss/nginx.conf /etc/nginx/conf.d/default.conf
COPY --from=build /app/web/health-dss/nginx.conf /etc/nginx/conf.d/default.conf

💡 Verification agent

🧩 Analysis chain

Potential runtime breakage: WORK_DIR change likely mismatches nginx.conf root

You switched WORK_DIR to /var/web/d but nginx won’t expand ENV vars inside its config by default. If nginx.conf still points to the previous path (e.g., /var/web/dashboard-ui), static assets will 404. Either revert WORK_DIR or update nginx.conf’s root to the new path.

Apply this to keep the previous path consistent (safer unless nginx.conf was updated accordingly):

-ENV WORK_DIR=/var/web/d
+ENV WORK_DIR=/var/web/dashboard-ui

If the new path is intentional, ensure nginx.conf uses /var/web/d (or template it and render at runtime), then keep the WORK_DIR change. Want me to generate a sed-based templating step or an envsubst-based entrypoint?


🏁 Script executed:

#!/bin/bash
set -e
# Locate and inspect nginx.conf under health-dss
NGINX_CONF=$(find health/micro-ui/web/health-dss -type f -name nginx.conf)
echo "Found nginx.conf at: $NGINX_CONF"
grep -nE '^\s*root\s+' "$NGINX_CONF" || echo "No root directive found."

Length of output: 350


Mismatch between WORK_DIR and nginx root

The nginx.conf at health/micro-ui/web/health-dss/nginx.conf (line 8) defines

root /var/web;

but the Dockerfile now sets

ENV WORK_DIR=/var/web/d

assets are copied into /var/web/d, so nginx will 404 on requests.

Action required—pick one of the following fixes:

• Revert Dockerfile to match nginx.conf:

- ENV WORK_DIR=/var/web/d
+ ENV WORK_DIR=/var/web

• Update nginx.conf to point at the new directory:

--- health/micro-ui/web/health-dss/nginx.conf
@@ -7,7 +7,7 @@
     # …
-    root /var/web;
+    root /var/web/d;
     # …

If you intend to keep a variable path, consider templating the root directive (e.g. with envsubst or a sed-based entrypoint) so WORK_DIR and nginx stay in sync.

📝 Committable suggestion

Suggested change
ENV WORK_DIR=/var/web/d
RUN mkdir -p ${WORK_DIR}
COPY --from=build /app/web/build ${WORK_DIR}/
COPY --from=build /app/web/health-dss/nginx.conf /etc/nginx/conf.d/default.conf
COPY --from=build /app/web/health-dss/nginx.conf /etc/nginx/conf.d/default.conf
ENV WORK_DIR=/var/web
RUN mkdir -p ${WORK_DIR}
COPY --from=build /app/web/build ${WORK_DIR}/
COPY --from=build /app/web/health-dss/nginx.conf /etc/nginx/conf.d/default.conf

🤖 Prompt for AI Agents
In health/micro-ui/web/health-dss/Dockerfile around lines 40–45 there is a
mismatch: WORK_DIR is set to /var/web/d but nginx.conf uses root /var/web so
assets will 404; fix by either (A) revert WORK_DIR to /var/web so COPY targets
match nginx.conf, or (B) update health/micro-ui/web/health-dss/nginx.conf root
directive to /var/web/d so nginx serves the copied files, and then rebuild the
image; if you want a configurable path keep WORK_DIR and modify the Dockerfile
to template the nginx.conf at container start (e.g., using envsubst or sed in an
entrypoint) so nginx root is set from WORK_DIR consistently.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🔭 Outside diff range comments (1)
health/micro-ui/web/health-dss/nginx.conf (1)

6-11: Fix SPA fallback for /microplan-ui in nginx.conf

The try_files directive in the location /microplan-ui block still points to /dashboard-ui/index.html, so client-side routes under /microplan-ui will 404 or load the wrong app. Update it to serve the microplan UI’s own index.html.

• File: health/micro-ui/web/health-dss/nginx.conf (lines 6–11)

Apply:

   location /microplan-ui {
     root /var/web;
     index index.html index.htm;
-    try_files $uri $uri/ /dashboard-ui/index.html;
+    try_files $uri $uri/ /microplan-ui/index.html;
   }
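
Review bot: location /microplan-ui on the first context line has no trailing slash, so as a prefix match it also captures any URI that merely starts with that string. Since the try_files line is being changed anyway, consider location /microplan-ui/ (with a redirect for the bare path) so that only the intended tree under root /var/web is served by this block.
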
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between fe45e43 and 2ac070b.

⛔ Files ignored due to path filters (2)
  • build/build-config.yml is excluded by !**/*.yml
  • health/micro-ui/web/health-dss/package.json is excluded by !**/*.json
📒 Files selected for processing (3)
  • health/micro-ui/web/health-dss/Dockerfile (1 hunks)
  • health/micro-ui/web/health-dss/nginx.conf (1 hunks)
  • health/micro-ui/web/health-dss/webpack.config.js (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**/*.js

⚙️ CodeRabbit Configuration File

check

Files:

  • health/micro-ui/web/health-dss/webpack.config.js

⏰ Context from checks skipped due to timeout of 10000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Analyze (javascript-typescript)

Comment on lines +40 to +45
ENV WORK_DIR=/var/web/microplan-ui

RUN mkdir -p ${WORK_DIR}

COPY --from=build /app/web/build ${WORK_DIR}/
COPY --from=build /app/web/health-dss/nginx.conf /etc/nginx/conf.d/default.conf
COPY --from=build /app/web/health-dss/nginx.conf /etc/nginx/conf.d/default.conf

💡 Verification agent

🧩 Analysis chain

WORK_DIR aligns; harden runtime image (non-root + healthcheck)

The new WORK_DIR (/var/web/microplan-ui) matches nginx root mapping. Strengthen security and operability by running as non-root and adding a basic healthcheck.

Apply:

 ENV WORK_DIR=/var/web/microplan-ui
 
 RUN mkdir -p ${WORK_DIR}
 
 COPY --from=build /app/web/build ${WORK_DIR}/
 COPY --from=build /app/web/health-dss/nginx.conf /etc/nginx/conf.d/default.conf
+RUN chown -R nginx:nginx ${WORK_DIR} /var/cache/nginx /var/run
+USER nginx
+HEALTHCHECK --interval=30s --timeout=3s --retries=3 CMD wget -q --spider http://127.0.0.1:80/microplan-ui/ || exit 1

Additional note (outside this range): consider upgrading the build stage to an LTS base (Node 18/20) to avoid EOL risks:

FROM node:18-alpine AS build

Confirm alignment across files:


🏁 Script executed:

#!/bin/bash
set -euo pipefail
echo "Dockerfile WORK_DIR:"; rg -nP '^ENV\s+WORK_DIR=.*microplan-ui' health/micro-ui/web/health-dss/Dockerfile
echo "nginx location/root:"; rg -nP 'location\s+/microplan-ui|^\s*root\s+/var/web\b' health/micro-ui/web/health-dss/nginx.conf -n
echo "webpack publicPath:"; rg -nP 'publicPath\s*:\s*["\']/microplan-ui/' health/micro-ui/web/health-dss/webpack.config.js -n

Length of output: 511


🏁 Script executed:

#!/bin/bash
set -euo pipefail
echo "webpack publicPath:" 
rg -nP "publicPath\s*:\s*[\"']/microplan-ui/" health/micro-ui/web/health-dss/webpack.config.js -n

Length of output: 207


Harden runtime image: run as non-root & add basic healthcheck

Alignment across Dockerfile, nginx.conf and webpack.config.js confirmed. To strengthen security and observability, consider this optional refactor in your final stage:

 ENV WORK_DIR=/var/web/microplan-ui

 RUN mkdir -p ${WORK_DIR}

 COPY --from=build /app/web/build ${WORK_DIR}/
 COPY --from=build /app/web/health-dss/nginx.conf /etc/nginx/conf.d/default.conf
+RUN chown -R nginx:nginx ${WORK_DIR} /var/cache/nginx /var/run
+USER nginx
+HEALTHCHECK --interval=30s --timeout=3s --retries=3 \
+  CMD wget -q --spider http://127.0.0.1:80/microplan-ui/ || exit 1
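
Review bot: USER nginx is added while the HEALTHCHECK CMD still targets 127.0.0.1:80, which implies nginx binds a privileged port as a non-root user; whether that is permitted depends on the container runtime. Consider listening on an unprivileged port such as 8080 in nginx.conf and probing that port, and check that the pid file path in the main nginx configuration is writable by the nginx user before merging.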

Optional upgrade for build stage to avoid EOL risk:

FROM node:18-alpine AS build

🤖 Prompt for AI Agents
In health/micro-ui/web/health-dss/Dockerfile around lines 40 to 45, the runtime
stage currently runs as root and lacks a container healthcheck; update the final
stage to create a non-root user, chown the WORK_DIR and served files to that
user, switch to that user with USER before CMD, and add a basic HEALTHCHECK that
probes nginx (e.g., curl to localhost:80 or use wget) with sensible retries and
interval; optionally, also update the build stage base image to node:18-alpine
to avoid EOL risk if desired.

Comment on lines +34 to 35
publicPath: "/microplan-ui/",
},

💡 Verification agent

🧩 Analysis chain

Public path change looks good; verify router/base href alignment

Switching output.publicPath to "/microplan-ui/" aligns with nginx and Dockerfile. Ensure your SPA router basename (e.g., React Router) or the <base href> in public/index.html also reflects "/microplan-ui/" to avoid broken asset/routes.

Run to find lingering "/dashboard-ui" references and check base href:


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Any legacy path refs in this app?
rg -nC2 -g 'health/micro-ui/web/health-dss/**' '/dashboard-ui\b' || echo "No legacy /dashboard-ui refs found under health-dss."

# Confirm webpack publicPath
rg -nP 'publicPath\s*:\s*["\']([^"\']+)["\']' health/micro-ui/web/health-dss/webpack.config.js

# Inspect base href in any index.html files
fd -a --strip-cwd-prefix index.html health/micro-ui/web/health-dss | xargs -r -I{} rg -nH -P '<base\s+href=["\']([^"\']+)["\']' "{}" || echo "No <base href> tags found."

Length of output: 527


Let’s re-run with simpler commands to confirm both the webpack publicPath and any <base href> tags:


🏁 Script executed:

#!/usr/bin/env bash
set -euo pipefail

# 1. Check webpack publicPath setting
grep -RIn "publicPath" health/micro-ui/web/health-dss/webpack.config.js || echo "publicPath not found in webpack.config.js"

# 2. Look for any <base href> in index.html files
grep -RIn "<base[^>]*href" health/micro-ui/web/health-dss || echo "No <base href> tags found"

Length of output: 249


Align nginx.conf and HTML base href with the new publicPath

We’ve confirmed that output.publicPath is correctly set to "/microplan-ui/", but there are two outstanding alignment issues that will break routing/assets if not addressed:

• health/micro-ui/web/health-dss/nginx.conf (line 10):

try_files $uri $uri/ /dashboard-ui/index.html;

Update to:

try_files $uri $uri/ /microplan-ui/index.html;

• No <base href> found in your HTML templates. In your main index.html (e.g., public/index.html), add inside <head>:

<base href="/microplan-ui/">

• Ensure your SPA router (e.g., React Router’s <BrowserRouter basename="…">) also uses /microplan-ui/ so client-side routes resolve correctly.

🤖 Prompt for AI Agents
In health/micro-ui/web/health-dss/webpack.config.js around lines 34-35 the
output.publicPath was changed to "/microplan-ui/", but you must also update
health/micro-ui/web/health-dss/nginx.conf (line 10) to point try_files to
/microplan-ui/index.html instead of /dashboard-ui/index.html, add a <base
href="/microplan-ui/"> element inside the <head> of your main HTML template
(e.g., public/index.html), and ensure the SPA router (e.g., React Router
<BrowserRouter basename="...">) is configured with basename="/microplan-ui/" so
assets and client-side routes resolve correctly.
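
The alignment this review checks by hand across three files (Dockerfile WORK_DIR, nginx location/root/try_files, webpack publicPath) can be verified in one pass, for example as a CI step. This is an added example, not code from the PR or from CodeRabbit; the file contents are constructed samples built from the values quoted in this thread, and all function names are hypothetical.

```python
import posixpath
import re

# Constructed samples using the values quoted in this thread (not the real files).
DOCKERFILE = """\
FROM nginx:mainline-alpine
ENV WORK_DIR=/var/web/microplan-ui
RUN mkdir -p ${WORK_DIR}
COPY --from=build /app/web/build ${WORK_DIR}/
"""

NGINX_CONF = """\
server {
  location /microplan-ui {
    root /var/web;
    index index.html index.htm;
    try_files $uri $uri/ /dashboard-ui/index.html;
  }
}
"""

WEBPACK_CONFIG = """\
module.exports = {
  output: { publicPath: "/microplan-ui/" },
};
"""

# Only plain prefix locations without nested blocks are handled here.
LOCATION_RE = re.compile(r"location\s+(\S+)\s*\{([^{}]*)\}")
ROOT_RE = re.compile(r"\broot\s+([^;\s]+)\s*;")
TRY_FILES_RE = re.compile(r"\btry_files\s+([^;]+);")


def parse_work_dir(dockerfile):
    """Return the effective WORK_DIR; the last ENV assignment wins."""
    values = re.findall(r"^\s*ENV\s+WORK_DIR[=\s]\s*(\S+)", dockerfile, re.M)
    return values[-1] if values else None


def parse_locations(nginx_conf):
    """Map each location prefix to its root and try_files fallback."""
    locations = {}
    for prefix, body in LOCATION_RE.findall(nginx_conf):
        # A location without its own root inherits one from an outer block.
        root = ROOT_RE.search(body) or ROOT_RE.search(nginx_conf)
        try_files = TRY_FILES_RE.search(body)
        locations[prefix] = {
            "root": root.group(1) if root else None,
            "fallback": try_files.group(1).split()[-1] if try_files else None,
        }
    return locations


def parse_public_path(webpack_src):
    match = re.search(r"publicPath\s*:\s*[\"']([^\"']+)[\"']", webpack_src)
    return match.group(1) if match else None


def check_alignment(dockerfile, nginx_conf, webpack_src):
    """Return a list of mismatches between the three files (empty if aligned)."""
    work_dir = parse_work_dir(dockerfile)
    public_path = parse_public_path(webpack_src)
    if work_dir is None or public_path is None:
        return ["WORK_DIR or publicPath not found"]

    base = "/" + public_path.strip("/")
    location = parse_locations(nginx_conf).get(base)
    if location is None:
        return [f"no nginx location matches publicPath {public_path}"]

    findings = []
    if location["root"] is not None:
        # With the root directive nginx appends the request URI to root.
        served = posixpath.normpath(location["root"] + base)
        if served != posixpath.normpath(work_dir):
            findings.append(
                f"nginx serves {base} from {served} but assets are copied to {work_dir}"
            )

    fallback = location["fallback"]
    # "=404"-style codes and named locations ("@name") are not URIs to check.
    if fallback and fallback[0] not in "=@" and not fallback.startswith(base + "/"):
        findings.append(f"try_files fallback {fallback} is outside {base}")
    return findings


if __name__ == "__main__":
    for finding in check_alignment(DOCKERFILE, NGINX_CONF, WEBPACK_CONFIG):
        print("MISMATCH:", finding)
```

Run against the constructed samples, it reports only the stale /dashboard-ui/index.html fallback that the review flags.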
