
[FEATURE] Add nodejs-secure example (before/after pair with nodejs-vulnerable) #91

@Ayush7614


Summary

Add examples/nodejs-secure/: a hardened Node.js Dockerfile that pairs with the existing examples/nodejs-vulnerable/ demo. Together they form a high-impact before/after learning path for DockSec users.

Problem Statement

We have an intentionally weak Node example (nodejs-vulnerable) but no in-repo remediation counterpart. Users cannot easily:

  • Compare Hadolint warnings side by side
  • See security score improvement after fixes
  • Use AI remediation output against a concrete "fixed" reference Dockerfile

This gap reduces the educational value of the examples directory and makes demos harder for contributors and OWASP talks.

Proposed Solution

Add examples/nodejs-secure/ with:

Practice / implementation:

  • Pinned base image: node:22-bookworm-slim (or current LTS, not latest)
  • Multi-stage build: deps / build / runtime stages
  • Least privilege: USER node (or dedicated appuser)
  • Dependency hygiene: npm ci --omit=dev in build stage
  • Smaller context: .dockerignore (exclude node_modules, .git)
  • No secrets in image: remove hardcoded ENV API_KEY; document runtime secrets
  • Hardened apt (if needed): --no-install-recommends, clean apt lists
  • Production CMD: NODE_ENV=production, minimal runtime files copied

Include:

  • Dockerfile
  • package.json, server.js (can mirror vulnerable app behavior)
  • .dockerignore
  • README.md with scan commands and the expected score (higher than the vulnerable example)
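A Dockerfile that applies every row of the practice list above, added here as an illustration and not code from the DockSec repository. The file names package.json and server.js mirror the "Include" list; the package-lock.json, the listening port 3000 and the stage names are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Added example of the hardened layout, not the repository's own file.

# Stage 1 (deps): production dependencies only, from the pinned LTS image.
FROM node:22-bookworm-slim AS deps
WORKDIR /app
# package-lock.json is assumed to exist so that npm ci is reproducible.
COPY package.json package-lock.json ./
RUN npm ci --omit=dev

# Stage 2 (build): assemble the runtime file set. A transpile or test step
# would run here; this app is plain server.js so nothing is generated.
# No apt layer is needed for this app. If one were, it would go here (never in
# the runtime stage) as:
#   apt-get update && apt-get install -y --no-install-recommends <pkg> \
#   && rm -rf /var/lib/apt/lists/*
FROM node:22-bookworm-slim AS build
WORKDIR /app
COPY --from=deps /app/node_modules ./node_modules
COPY package.json server.js ./

# Stage 3 (runtime): minimal files, unprivileged user, production mode.
FROM node:22-bookworm-slim AS runtime
ENV NODE_ENV=production
WORKDIR /app
# Copy only what the server needs; .dockerignore keeps node_modules and .git
# out of the build context so they never reach any stage.
COPY --from=build --chown=node:node /app/package.json /app/server.js ./
COPY --from=build --chown=node:node /app/node_modules ./node_modules
# No ENV API_KEY here: secrets are supplied at run time (docker run -e /
# --env-file or an orchestrator secret), so the image layers contain none.
USER node
EXPOSE 3000
CMD ["node", "server.js"]
```

Pair it with a .dockerignore containing node_modules, .git and any .env files so the "smaller context" row holds as well.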

Example usage:

# Before (weak)
docksec examples/nodejs-vulnerable/Dockerfile --scan-only

# After (hardened)
docker build -t docksec-example-node-secure:local examples/nodejs-secure
docksec examples/nodejs-secure/Dockerfile -i docksec-example-node-secure:local --scan-only

Update examples/README.md with a "Node.js remediation path" row linking both folders.

Why this example is high value

  1. Completes the story - vulnerable + secure pair is the #1 pattern security educators use
  2. Validates DockSec value - measurable score and Hadolint delta in one repo
  3. Common stack - Node is widely used in containerized apps
  4. AI-friendly - clear remediation narrative for LLM explanations
  5. Low overlap - distinct from existing Python and Go examples

Alternatives considered

Alternative / why lower priority now:

  • Docker Compose multi-service stack: higher complexity; better as a follow-up issue
  • CI workflow template: already tracked in #49
  • nginx / Redis sidecar: narrower learning path

Use Case

  • Individual developers
  • DevOps teams
  • Security teams
  • CI/CD pipelines
  • OWASP chapter demos / workshops

Acceptance Criteria

  • examples/nodejs-secure/ builds successfully with docker build
  • docksec ... --scan-only runs on both the Dockerfile and the built image
  • Hadolint warning count is lower than nodejs-vulnerable
  • Security score is higher than vulnerable example (document actual scores in README)
  • No real secrets or credentials in repo
  • examples/README.md updated with remediation path
