chore: bump nginxinc/nginx-unprivileged from aec540f to ccbac1a in /docker/web #479

Merged
Aureliolo merged 2 commits into main from dependabot/docker/docker/web/nginxinc/nginx-unprivileged-ccbac1a
Mar 16, 2026

@dependabot dependabot bot commented on behalf of github Mar 16, 2026

Bumps nginxinc/nginx-unprivileged from aec540f to ccbac1a.

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps nginxinc/nginx-unprivileged from `aec540f` to `ccbac1a`.

---
updated-dependencies:
- dependency-name: nginxinc/nginx-unprivileged
  dependency-version: 1.29.5-alpine
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the type:chore Maintenance, cleanup, dependency updates label Mar 16, 2026
@dependabot dependabot bot requested a review from Aureliolo as a code owner March 16, 2026 06:16
github-actions bot commented Mar 16, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@Aureliolo
Owner

@coderabbitai review

coderabbitai bot commented Mar 16, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai bot commented Mar 16, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7d77c6f8-85bb-4074-b4bc-72ad04f9d813

📥 Commits

Reviewing files that changed from the base of the PR and between 470ca72 and 0a98109.

📒 Files selected for processing (1)
  • docker/web/Dockerfile
📜 Recent review details
🧰 Additional context used
🧠 Learnings (5)
📓 Common learnings
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-16T07:07:34.946Z
Learning: Applies to .github/workflows/**/*.yml : Dependabot: daily uv + github-actions + npm + pre-commit + docker + gomod updates, grouped minor/patch. Use `/review-dep-pr` to review Dependabot PRs before merging
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T11:48:14.867Z
Learning: Dependabot: auto-updates Docker image digests and versions daily.
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T11:48:14.867Z
Learning: Applies to docker/{Dockerfile*,compose.yml} : Docker: Backend uses 3-stage build (builder → setup → distroless runtime), Chainguard Python, non-root (UID 65532), CIS-hardened. Web uses nginxinc/nginx-unprivileged, Vue 3 SPA with PrimeVue + Tailwind CSS, SPA routing, API/WebSocket proxy to backend.
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-16T07:07:34.946Z
Learning: Applies to docker/* : All Dockerfiles: 3-stage build (builder → setup → distroless runtime) using Chainguard Python base, non-root UID (65532 for backend/web, 10001 for sandbox), CIS-hardened. Run hadolint linting locally and in CI
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-16T07:07:34.946Z
Learning: Applies to .pre-commit-config.yaml : Pre-commit hooks: trailing-whitespace, end-of-file-fixer, check-yaml, check-toml, check-json, check-merge-conflict, check-added-large-files, no-commit-to-branch (main), ruff check+format, gitleaks, hadolint. Pre-push (local): mypy + pytest unit tests + golangci-lint + go vet + go test (CLI, conditional on `cli/**/*.go`). Autoupdate disabled (`autoupdate_schedule: never`) — Dependabot owns version bumps
📚 Learning: 2026-03-16T07:07:34.946Z
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-16T07:07:34.946Z
Learning: Applies to .github/workflows/docker.yml : Builds backend + web + sandbox images, scans (Trivy critical = hard fail, HIGH = warn-only; Grype critical cutoff; CIS Docker Benchmark v1.6.0). Signs with cosign. SLSA L3 provenance via `actions/attest-build-provenance`. CVE triage via `.github/.trivyignore.yaml` and `.github/.grype.yaml`. Images only pushed after scans pass. Triggers on main push and version tags (`v*`)

Applied to files:

  • docker/web/Dockerfile
🔇 Additional comments (1)
docker/web/Dockerfile (1)

24-24: Digest-pinned nginx base image bump is clean and low-risk.

Line 24 keeps the secure/reproducible tag@sha256 pattern intact, and this change is scoped to the base image digest only.

Based on learnings: Dependabot auto-updates Docker image digests and versions daily.


📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated base container image for the web server with the latest version.

Walkthrough

The Stage 2 base image in the Docker build file is updated by replacing the nginx unprivileged image digest with a different version. No build steps, runtime configuration, control flow, or error handling are modified.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Docker Image Update: docker/web/Dockerfile | Updated nginx unprivileged base image digest in Stage 2 from sha256:aec540f08f99df3c830549d5dd7bfaf63e01cbbb499e37400c5af9f8e8554e9f to sha256:ccbac1a4c20a8b41c5dd1691bd91d63eda3b7989d643a33fd47841838519bfb9. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately describes the main change: bumping the nginxinc/nginx-unprivileged Docker image digest from one commit hash to another in the /docker/web directory. |
| Description check | ✅ Passed | The description is directly related to the changeset, clearly stating the Docker dependency update from commit aec540f to ccbac1a for nginxinc/nginx-unprivileged. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@Aureliolo Aureliolo merged commit 176e052 into main Mar 16, 2026
27 checks passed
@Aureliolo Aureliolo deleted the dependabot/docker/docker/web/nginxinc/nginx-unprivileged-ccbac1a branch March 16, 2026 07:14
Aureliolo added a commit that referenced this pull request Mar 16, 2026
🤖 I have created a release *beep* *boop*
---


##
[0.2.8](v0.2.7...v0.2.8)
(2026-03-16)


### Features

* add RRF rank fusion to memory ranking
([#478](#478))
([42242b5](42242b5))
* collaboration scoring enhancements — LLM sampling and human override
([#477](#477))
([b3f3330](b3f3330))


### Bug Fixes

* add .gitattributes to enforce LF line endings for Go files
([#483](#483))
([1b8c7b6](1b8c7b6))
* **cli:** Windows uninstall, update UX, health check, sigstore
([#476](#476))
([470ca72](470ca72))


### Refactoring

* **web:** extract WebSocket subscription into reusable composable
([#475](#475))
([96e6c46](96e6c46)),
closes [#351](#351)


### Maintenance

* bump hypothesis from 6.151.5 to 6.151.9 in the minor-and-patch group
([#482](#482))
([a7297d5](a7297d5))
* bump nginxinc/nginx-unprivileged from `aec540f` to `ccbac1a` in
/docker/web ([#479](#479))
([176e052](176e052))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>