kodiak
chore(bot): change Docker base image to python:3.7-slim
While scanning the Kodiak Docker image with Grype, we noticed a significant number of vulnerabilities.
This PR upgrades the base image to the latest 3.7 image and uses the slim version, which comes with a smaller size and reduces the attack surface. I also took the opportunity to use a non-root user.
- previously: image size 1.31GB, 3694 vulnerabilities
- now: image size 607Mb, 87 vulnerabilities
Deploy request for kodiak-docs pending review.
Visit the deploys page to approve it
| Name | Link |
|---|---|
| Latest commit | de7643dff739daafeb9de61f778f701e9345c8e5 |
Deploy request for kodiak-dashboard-staging pending review.
Visit the deploys page to approve it
| Name | Link |
|---|---|
| Latest commit | de7643dff739daafeb9de61f778f701e9345c8e5 |
Nice, I love that smaller image size!
Anything else I can help with?
@etiennetremel It looks like the CI job for building the bot container failed. Should be good to merge once that's fixed.
ah, that's interesting.. it worked on my machine 😛 I made a few changes, let's see how that goes
@chdsbd any chance you could run the docker build job with credentials?

Not sure why CI is failing
The error was being triggered during the pip install of poetry. For this use case I reckon we can safely use the flag `--root-user-action=ignore`, as we then use kodiak as the user to run the app from supervisord.
Oh I think we need to update CI to install git for the script to pass:
https://app.circleci.com/pipelines/github/chdsbd/kodiak/2726/workflows/6fe5f10b-3fc1-4ecd-a1ea-faf4347e28c1/jobs/25425
since the slim version of the image doesn't have it
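The pieces discussed in this thread (a `python:3.7-slim` base, installing `git` because the slim variant lacks it, running `pip install` as root at build time with pip's `--root-user-action=ignore` option, and dropping to an unprivileged `kodiak` user for the supervisord-managed process) combined into one Dockerfile. This is an added example, not the Kodiak project's own Dockerfile: the `/var/app` path, the pinned poetry version placeholder and the supervisord config path are assumptions.

```dockerfile
# Added example (not the Kodiak project's own Dockerfile): slim Python 3.7 base,
# the build tooling the slim variant omits, and a non-root runtime user.
FROM python:3.7-slim

# Assumption: the application source lives under /var/app.
WORKDIR /var/app

# python:*-slim omits git, which pip/poetry need to resolve git-based
# dependencies; install it explicitly and purge the apt lists to keep the layer small.
RUN apt-get update \
    && apt-get install -y --no-install-recommends git \
    && rm -rf /var/lib/apt/lists/*

# Dependency installation still runs as root at build time. pip 22.1+ warns when
# invoked as root; --root-user-action=ignore silences that warning, which is
# acceptable here because the application process itself runs unprivileged.
# Assumption: the project pins its poetry version; <PINNED_VERSION> is a placeholder.
RUN pip install --no-cache-dir --root-user-action=ignore "poetry==<PINNED_VERSION>"

# Dedicated system user and group for the runtime process: no home, no login shell.
RUN groupadd --system kodiak \
    && useradd --system --gid kodiak --no-create-home --shell /usr/sbin/nologin kodiak

# Application files are owned by the runtime user; everything installed above
# stays root-owned, so the running service cannot modify its own dependencies.
COPY --chown=kodiak:kodiak . /var/app

# Every instruction after this line, including CMD, executes as the non-root user.
USER kodiak

# Assumption: supervisord is the process supervisor; the config path is a placeholder.
CMD ["supervisord", "-c", "/var/app/supervisord.conf"]
```

Two points worth checking after a change like this: `docker run --rm <image> id -u` should print a non-zero UID, and a rescan with Grype (`grype <image>`) should show the drop in findings the PR description reports, since most of the removed packages came from the full (non-slim) base image rather than from the application itself.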
@etiennetremel @sbdchd any chance you could give this another look? It would be really nice to get the vulnerabilities resolved.
@novascreen it's pretty old but I just rebased the branch. The Docker credentials are missing in CircleCI, I reckon only @sbdchd or @chdsbd would be able to help with it.
Awesome, thank you!